update docs/rootless.md

* Updated an example config to v2 syntax
* Updated for shim v2 (relates to #2767)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

docs/rootless.md

@@ -4,28 +4,33 @@ A non-root user can execute containerd by using [`user_namespaces(7)`](http://ma
 
 For example [RootlessKit](https://github.com/rootless-containers/rootlesskit) can be used for setting up a user namespace (along with mount namespace and optionally network namespace). Please refer to RootlessKit documentation for further information.
 
+See also [Rootless Docker documentation](https://docs.docker.com/engine/security/rootless/).
+
 ## Daemon
 
 ```console
-$ rootlesskit --net=slirp4netns --copy-up=/etc \
+$ rootlesskit --net=slirp4netns --copy-up=/etc --copy-up=/run \
   --state-dir=/run/user/1001/rootlesskit-containerd \
-  containerd -c config.toml
+  sh -c "rm -rf /run/containerd; containerd -c config.toml"
 ```
 
 * `--net=slirp4netns --copy-up=/etc` is only required when you want to unshare network namespaces
-* Depending on the containerd plugin configuration, you may also need to add more `--copy-up` options, e.g. `--copy-up=/run`, which mounts a writable tmpfs on `/run`, with symbolic links to the files under the `/run` on the parent namespace.
+* `--copy-up=/DIR` mounts a writable tmpfs on `/DIR` with symbolic links to the files under the `/DIR` on the parent namespace
+  so that the user can add/remove files under `/DIR` in the mount namespace.
+  `--copy-up=/etc` and `--copy-up=/run` are needed on typical setup.
+  Depending on the containerd plugin configuration, you may also need to add more `--copy-up` options.
+* `rm -rf /run/containerd` is required for v2 shim as a workaround for [#2767](https://github.com/containerd/containerd/issues/2767).
+  This command removes the "copied-up" symbolic link to `/run/containerd` on the parent namespace (if exists), which cannot be accessed by non-root users.
+  The actual `/run/containerd` directory on the host is not affected.
 * `--state-dir` is set to a random directory under `/tmp` if unset. RootlessKit writes the PID to a file named `child_pid` under this directory.
 * You need to provide `config.toml` with your own path configuration. e.g.
 ```toml
+version = 2
 root = "/home/penguin/.local/share/containerd"
 state = "/run/user/1001/containerd"
 
 [grpc]
   address = "/run/user/1001/containerd/containerd.sock"
-
-[plugins]
-  [plugins.linux]
-    runtime_root = "/run/user/1001/containerd/runc"
 ```
 
 ## Client
@@ -39,4 +44,5 @@ $ ctr images pull docker.io/library/ubuntu:latest
 $ ctr run -t --rm --fifo-dir /tmp/foo-fifo --cgroup "" docker.io/library/ubuntu:latest foo
 ```
 
-* `overlayfs` snapshotter does not work inside user namespaces, except on Ubuntu kernel
+* `overlayfs` snapshotter does not work inside user namespaces, except on Ubuntu and Debian kernels.
+  However, [`fuse-overlayfs` snapshotter](https://github.com/AkihiroSuda/containerd-fuse-overlayfs) can be used instead if running kernel >= 4.18.