
Adds info about `userns` for rootless containers #1929

Merged: 1 commit from kkallday:patch-1 into opencontainers:master, Oct 23, 2019

Conversation

kkallday (Contributor) commented Nov 12, 2018

Hi all,

When I attempted to run a rootless container I got the following error:

container_linux.go:337: starting container process caused "process_linux.go:302: running exec setns process for init caused \"exit status 39\""

This occurred because:

$ cat /proc/sys/kernel/unprivileged_userns_clone
0

After setting this to 1, I was able to run a rootless container.

README.md Outdated
`runc` has the ability to run containers without root privileges. This is called `rootless`. You need to pass some parameters to `runc` in order to run rootless containers. See below and compare with the previous version. Run the following commands as an ordinary user:
`runc` has the ability to run containers without root privileges. This is called `rootless`. You need to pass some parameters to `runc` in order to run rootless containers. See below and compare with the previous version.

**Note:** `userns` must be compiled and enabled in your kernel. To enable this feature, run `echo 1 > /proc/sys/kernel/unprivileged_userns_clone`.
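Review bot: the added Note presents `echo 1 > /proc/sys/kernel/unprivileged_userns_clone` as the way to enable the feature, but that sysctl only exists on kernels carrying the Debian/Arch patch; on other kernels the file is missing and the command fails, and a kernel built without `CONFIG_USER_NS=y` has nothing to switch on at all. Spell out what `userns` means (user namespaces, `CONFIG_USER_NS`), tell the reader to check the kernel config first, and mark the sysctl as distribution-specific. The `echo` form also needs root and is lost at reboot; `sudo sysctl -w kernel.unprivileged_userns_clone=1` plus an `/etc/sysctl.d/` entry is the usual advice.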

AkihiroSuda: This comment has been minimized.

cyphar (Member) Nov 13, 2018
Not to mention that you should probably also check CONFIG_USER_NS=y in /proc/config.gz.

kkallday (Author, Contributor) Nov 15, 2018

Thanks for the review. I'll update the PR to reflect that.

kkallday (Author, Contributor) Nov 15, 2018

Updated.

cyphar (Member) commented Nov 13, 2018

You need to add a `Signed-off-by:` line to your commit(s), which indicates that you attest to the Developer Certificate of Origin, a statement about your contributions that you must read before signing (don't worry, it's quite short and easy to read). You can add it to your commits with `git commit --amend -s`, and then do a `git push --force`.

@kkallday kkallday force-pushed the kkallday:patch-1 branch from 6b2a645 to 1f9fbca Nov 15, 2018
README.md Outdated
**Note:** In order to use this feature, "User Namespaces" must be compiled and enabled in your kernel. There are various ways to do this depending on your distribution:
- Confirm `CONFIG_USER_NS=y` is set in your kernel configuration (normally found in `/proc/config.gz`)
- Arch/Debian: `echo 1 > /proc/sys/kernel/unprivileged_userns_clone`
- RHEL/CentOS 7: Add `user_namespace.enable=1` to your boot parameters
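Review bot: the RHEL/CentOS 7 bullet lists only the `user_namespace.enable=1` boot parameter, while those kernels also ship `/proc/sys/user/max_user_namespaces` at 0, so unprivileged user namespaces stay unusable until it is raised; add `sysctl user.max_user_namespaces=<n>` (the reviewers suggest 28633) to that bullet, and drop or qualify the boot parameter for current 7.x, which the reviewers say no longer needs it. Two smaller points: `/proc/config.gz` exists only when the kernel was built with `CONFIG_IKCONFIG_PROC`, so mention `/boot/config-$(uname -r)` as the alternative, and the Arch/Debian `echo 1 >` command requires root (`sudo sysctl -w kernel.unprivileged_userns_clone=1` is the equivalent that works from an ordinary shell).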

AkihiroSuda (Contributor) Nov 15, 2018

Is this still required on 7.5+?

@giuseppe @vbatts

giuseppe (Contributor) Nov 15, 2018

On RHEL/CentOS it is only required to change the value of `/proc/sys/user/max_user_namespaces`, which defaults to 0.

vbatts (Member) Nov 15, 2018

Correct. `sysctl user.max_user_namespaces=28633`

kkallday (Author, Contributor) Nov 16, 2018

Thanks all. Updated.

Signed-off-by: Kevin Kelani <kkelani@gmail.com>
@kkallday kkallday force-pushed the kkallday:patch-1 branch from 1f9fbca to 056909b Nov 16, 2018
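The thread above arrives at three separate knobs that decide whether an ordinary user can create a user namespace: `CONFIG_USER_NS` in the kernel config, the Debian/Arch-only `kernel.unprivileged_userns_clone` sysctl, and `user.max_user_namespaces` (shipped at 0 on RHEL/CentOS 7). The following preflight script is an added example, not code from runc or from this PR; it checks all three, then proves the result with `unshare -U`, which performs the same `clone(CLONE_NEWUSER)` a rootless runc init has to make. The config-file locations, the "absent" marker, the exit-code convention, the `--check` flag and the value 28633 (taken from vbatts's comment) are this script's own choices.

```shell
#!/bin/sh
# Added example (not part of runc): preflight check for rootless user namespaces.
# Exit status 0 from check_host means "runc --rootless" should be able to start.

# Print the CONFIG_USER_NS state from a kernel config file: y, n, or unknown.
# Accepts a gzipped /proc/config.gz or a plain /boot/config-<release>.
kconfig_user_ns() {
    f=$1
    case "$f" in
        *.gz) line=$(gzip -dc "$f" 2>/dev/null | grep -E '^(# )?CONFIG_USER_NS[ =]' || true) ;;
        *)    line=$(grep -E '^(# )?CONFIG_USER_NS[ =]' "$f" 2>/dev/null || true) ;;
    esac
    case "$line" in
        CONFIG_USER_NS=y) echo y ;;
        "")               echo unknown ;;   # option not listed in this file
        *)                echo n ;;         # "# CONFIG_USER_NS is not set"
    esac
}

# Print a sysctl's value via /proc, or "absent" when this kernel lacks the knob
# (kernel.unprivileged_userns_clone only exists with the Debian/Arch patch).
read_knob() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# Decide from the three values whether an unprivileged user namespace can be
# created. Pure function (no host access) so any combination can be exercised.
# Prints "ok" or the fix to apply; returns 0 only when it should work.
userns_verdict() {
    cfg=$1
    clone=$2
    max=$3
    if [ "$cfg" = n ]; then
        echo "CONFIG_USER_NS is not set: this kernel cannot run rootless containers"
        return 1
    fi
    if [ "$clone" = 0 ]; then
        echo "kernel.unprivileged_userns_clone=0: sudo sysctl -w kernel.unprivileged_userns_clone=1"
        return 1
    fi
    case "$max" in
        0) echo "user.max_user_namespaces=0: sudo sysctl -w user.max_user_namespaces=28633"
           return 1 ;;
    esac
    echo ok
    return 0
}

# Live check against this host.
check_host() {
    if [ -r /proc/config.gz ]; then
        cfg=$(kconfig_user_ns /proc/config.gz)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(kconfig_user_ns "/boot/config-$(uname -r)")
    else
        cfg=unknown   # no CONFIG_IKCONFIG_PROC and no /boot config: rely on unshare below
    fi
    clone=$(read_knob /proc/sys/kernel/unprivileged_userns_clone)
    max=$(read_knob /proc/sys/user/max_user_namespaces)
    echo "CONFIG_USER_NS=$cfg kernel.unprivileged_userns_clone=$clone user.max_user_namespaces=$max"
    userns_verdict "$cfg" "$clone" "$max" || return 1
    # The real test: create a user namespace as the current user.
    if unshare -U true 2>/dev/null; then
        echo "unshare -U works: rootless user namespaces are available"
    else
        echo "unshare -U failed although the knobs look right: an LSM or seccomp policy may block it"
        return 1
    fi
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = --check ]; then check_host; fi
```

Run it as the user who will start the container (`sh userns-check.sh --check`); the `unshare -U` step is the one that matters, because a sysctl that looks right can still be overridden by a security module or seccomp filter, and a kernel with no config file exposed can only be judged by trying.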
AkihiroSuda (Contributor) commented Oct 19, 2019

@giuseppe

giuseppe (Contributor) commented Oct 19, 2019

LGTM

rhatdan (Contributor) commented Oct 20, 2019

@crosbymichael

crosbymichael (Member) commented Oct 23, 2019

LGTM

Approved with PullApprove

dqminh (Contributor) commented Oct 23, 2019

LGTM

Approved with PullApprove

@crosbymichael crosbymichael merged commit 792af40 into opencontainers:master Oct 23, 2019
2 checks passed:
code-review/pullapprove: Approved by crosbymichael, dqminh
continuous-integration/travis-ci/pr: The Travis CI build passed
8 participants