New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
basic support for running in an user namespace #1729
Conversation
f90d36d
to
91f1dbd
Compare
/cc @AkihiroSuda |
@giuseppe: GitHub didn't allow me to request PR reviews from the following users: AkihiroSuda. Note that only kubernetes-incubator members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
🎉 I'll try to add cri-o to Usernetes https://github.com/rootless-containers/usernetes How did you test rootless cri-o? |
server/rootless.go
Outdated
|
||
func makeOCIConfigurationRootless(g *generate.Generator) error { | ||
g.Config.Linux.Resources = nil | ||
g.Config.Process.OOMScoreAdj = nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not familiar with apparmor yet but probably it does not work with rootless?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not familiar either but I guess it won't work, similarly with SELinux, I'll force them to ""
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SELinux would work in UserNS. SElinux doesn't care about DAC.
@AkihiroSuda I've only used crictl with some basic containers, I'd expect it to fail with more complex ones :-) I am going to test it with Usernetes |
e3b5bc2
to
9bc3d44
Compare
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
11ad164
to
91ef229
Compare
dropping WIP as I could test it with Usernetes and I am able to deploy a simple POD. |
/test all |
lib/config.go
Outdated
@@ -96,6 +96,9 @@ type RootConfig struct { | |||
// File-based locking is required when multiple users of lib are | |||
// present on the same system | |||
FileLocking bool `toml:"file_locking"` | |||
|
|||
// FileLockingPath specifies the path to use for the locking. | |||
FileLockingPath bool `toml:"file_locking_path"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: can we fix this commit to not introduce this as bool and rewrite as string in next commit?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
absolutely, I thought I already did it, apparently I screwed the rebase. Pushed a new version
I have one nit, otherwise looks fine 👍 |
server/rootless.go
Outdated
Destination: "/sys", | ||
Type: "bind", | ||
Source: "/sys", | ||
Options: []string{"nosuid", "noexec", "nodev", "ro", "rbind"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ro, rbind
does not make /sys/fs/cgroup
read-only recursively, could you cherry-pick https://gist.github.com/AkihiroSuda/889b29c56a3c9b546a843fb03f11d60a ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am seeing an issue when I try to mount cgroup after the /sys/
bind mount. I am trying to fix it in podman first, as the same bind mount is used there and I am using this patch:
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index d9888e99..1bcb92ad 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -44,6 +44,13 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
Options: []string{"nosuid", "noexec", "nodev", "ro", "rbind"},
}
g.AddMount(sysMnt)
+ cgroupMnt := spec.Mount{
+ Destination: "/sys/fs/cgroup",
+ Type: "cgroup",
+ Source: "cgroup",
+ Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
+ }
+ g.AddMount(cgroupMnt)
}
if rootless.IsRootless() {
g.RemoveMount("/dev/pts")
The error I see is:
container_linux.go:336: starting container process caused "process_linux.go:402: container init caused \"rootfs_linux.go:57: mounting \\\"/sys/fs/cgroup\\\" to rootfs \\\"/tmp/test/rootfs\\\" at \\\"/sys/fs/cgroup\\\" caused \\\"stat /tmp/test/rootfs/sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service/foo: no such file or directory\\\"\""
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, is it possible to exploit it without privileged helpers?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry you need to compile runc with patched libcontainer/rootfs_linux.go
. I'll open PR in a few days.
As the issue won't be exploited without privileged helpers (e.g. pam_cgfs or manual chown invocation), the fix can be postponed.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
I've done another change in the rootless code, now |
/test all |
/test e2e_rhel |
tests are happy. @mrunalp |
Allow to run it in an user namespace. This is only a first step but I was able to run a pod and some basic containers. Leave it undocumented for now as we don't want to stick with this API. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
I forgot to address one comment from @rhatdan, I've included this change now: @@ -19,7 +19,6 @@ func makeOCIConfigurationRootless(g *generate.Generator) error {
g.Config.Linux.Resources = nil
g.Config.Process.OOMScoreAdj = nil
g.Config.Process.ApparmorProfile = ""
- g.Config.Process.SelinuxLabel = "" looks like we need to test again :-( /test all |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
- What I did
fixed some issues to allow CRI-O running in an user namespace
- How I did it
Allow to configure all directories used by CRI-O
- How to verify it
create a namespace, and run CRI-O with a configuration file where all directories are writeable by the user