From b553bc14a2cfa1994646d2f52a8e25c023de76bb Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Tue, 7 Jan 2020 15:51:31 +0900 Subject: [PATCH] update docs/rootless.md * Updated an example config to v2 syntax * Updated for shim v2 (relates to #2767) Signed-off-by: Akihiro Suda --- docs/rootless.md | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/docs/rootless.md b/docs/rootless.md index 6c2059ed9..16440b14e 100644 --- a/docs/rootless.md +++ b/docs/rootless.md @@ -4,28 +4,33 @@ A non-root user can execute containerd by using [`user_namespaces(7)`](http://ma For example [RootlessKit](https://github.com/rootless-containers/rootlesskit) can be used for setting up a user namespace (along with mount namespace and optionally network namespace). Please refer to RootlessKit documentation for further information. +See also [Rootless Docker documentation](https://docs.docker.com/engine/security/rootless/). + ## Daemon ```console -$ rootlesskit --net=slirp4netns --copy-up=/etc \ +$ rootlesskit --net=slirp4netns --copy-up=/etc --copy-up=/run \ --state-dir=/run/user/1001/rootlesskit-containerd \ - containerd -c config.toml + sh -c "rm -rf /run/containerd; containerd -c config.toml" ``` * `--net=slirp4netns --copy-up=/etc` is only required when you want to unshare network namespaces -* Depending on the containerd plugin configuration, you may also need to add more `--copy-up` options, e.g. `--copy-up=/run`, which mounts a writable tmpfs on `/run`, with symbolic links to the files under the `/run` on the parent namespace. +* `--copy-up=/DIR` mounts a writable tmpfs on `/DIR` with symbolic links to the files under the `/DIR` on the parent namespace + so that the user can add/remove files under `/DIR` in the mount namespace. + `--copy-up=/etc` and `--copy-up=/run` are needed on typical setup. + Depending on the containerd plugin configuration, you may also need to add more `--copy-up` options. +* `rm -rf /run/containerd` is required for v2 shim as a workaround for [#2767](https://github.com/containerd/containerd/issues/2767). + This command removes the "copied-up" symbolic link to `/run/containerd` on the parent namespace (if exists), which cannot be accessed by non-root users. + The actual `/run/containerd` directory on the host is not affected. * `--state-dir` is set to a random directory under `/tmp` if unset. RootlessKit writes the PID to a file named `child_pid` under this directory. * You need to provide `config.toml` with your own path configuration. e.g. ```toml +version = 2 root = "/home/penguin/.local/share/containerd" state = "/run/user/1001/containerd" [grpc] address = "/run/user/1001/containerd/containerd.sock" - -[plugins] - [plugins.linux] - runtime_root = "/run/user/1001/containerd/runc" ``` ## Client @@ -39,4 +44,5 @@ $ ctr images pull docker.io/library/ubuntu:latest $ ctr run -t --rm --fifo-dir /tmp/foo-fifo --cgroup "" docker.io/library/ubuntu:latest foo ``` -* `overlayfs` snapshotter does not work inside user namespaces, except on Ubuntu kernel +* `overlayfs` snapshotter does not work inside user namespaces, except on Ubuntu and Debian kernels. + However, [`fuse-overlayfs` snapshotter](https://github.com/AkihiroSuda/containerd-fuse-overlayfs) can be used instead if running kernel >= 4.18.