Running Rootless #76

Open
adamsmd opened this issue Jan 9, 2022 · 3 comments

Comments

@adamsmd

adamsmd commented Jan 9, 2022

This may be an incredibly naive question, but is there a way this container could be modified to work in rootless mode?

The main issue seems to be mount at `if err := syscall.Mount("binfmt_misc", mount, "binfmt_misc", 0, ""); err != nil {`, but I don't know enough to know if there is an alternative to doing that mount.

The reason I am interested in this is that I am using act to develop my GitHub Actions. I would like to run it rootless, and some of my actions call the docker/setup-qemu-action GitHub Action, which in turn uses tonistiigi/binfmt at https://github.com/docker/setup-qemu-action/blob/10348241d3ea2d30357b172897afc31824ea2e2e/src/main.ts#L30.

@AkihiroSuda
Contributor

Currently no, but this kernel patch "binfmt_misc: enable sandboxed mounts" may work
https://lkml.org/lkml/2021/12/16/407

@FerLuisxd

So this means all emulated containers will run as root?

@AkihiroSuda
Contributor

> So this means all emulated containers will run as root?

No. The root privilege is needed only for registering QEMU into the kernel.
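
A preflight check for the mount discussed in this thread, as an added example that is not part of the issue or of the tonistiigi/binfmt code: it reads `/proc/self/mountinfo` and `/proc/self/uid_map` to predict whether the `binfmt_misc` mount can work before calling `syscall.Mount`. Function names and result strings are hypothetical, and it assumes a kernel without the sandboxed-mounts patch linked above, where `binfmt_misc` can only be mounted from the initial user namespace.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// inInitialUserNS reports whether a /proc/self/uid_map body is the identity
// map of the initial user namespace. A rootless container has other mappings.
func inInitialUserNS(uidMap string) bool {
	return strings.Join(strings.Fields(uidMap), " ") == "0 0 4294967295"
}

// binfmtMountPoint returns the binfmt_misc mount point found in a
// /proc/self/mountinfo body, or "" when the filesystem is not mounted.
func binfmtMountPoint(mountinfo string) string {
	for _, line := range strings.Split(mountinfo, "\n") {
		pre, post, ok := strings.Cut(line, " - ") // fstype follows " - "
		if !ok {
			continue
		}
		fields, fs := strings.Fields(pre), strings.Fields(post)
		if len(fields) >= 5 && len(fs) >= 1 && fs[0] == "binfmt_misc" {
			return fields[4] // fifth field is the mount point
		}
	}
	return ""
}

// preflight predicts the outcome of the mount. Assumption: no sandboxed-mounts
// patch, so uid 0 inside a user namespace is not enough to mount binfmt_misc.
func preflight(mountinfo, uidMap string, euid int) string {
	if mp := binfmtMountPoint(mountinfo); mp != "" {
		return "mounted at " + mp
	}
	if euid == 0 && inInitialUserNS(uidMap) {
		return "not mounted: mount may succeed (still needs CAP_SYS_ADMIN)"
	}
	return "not mounted: expect mount to fail (rootless or unprivileged)"
}

func main() {
	mi, _ := os.ReadFile("/proc/self/mountinfo")
	um, _ := os.ReadFile("/proc/self/uid_map")
	fmt.Println(preflight(string(mi), string(um), os.Geteuid()))
}
```

In a rootless container the process is uid 0 but `uid_map` is not the identity map, so the check reports the failure that the issue describes instead of relying on the uid alone.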
