github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
Files
7321032716e55b9f2980af5fe32b397e4978ed4d
containerd/docs/rootless.md
Akihiro Suda 41fc516a22 docs/rootless.md: recommend "easy way" over "hard way" 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-14 16:57:46 +09:00

3.3 KiB
Raw Blame History

Running containerd as a non-root user

A non-root user can execute containerd by using user_namespaces(7).

For example RootlessKit can be used for setting up a user namespace (along with mount namespace and optionally network namespace). Please refer to RootlessKit documentation for further information.

See also https://rootlesscontaine.rs/ .

"Easy way"

The easiest way is to use containerd-rootless-setuptool.sh included in containerd/nerdctl.

$ containerd-rootless-setuptool.sh install
$ nerdctl run -d --restart=always --name nginx -p 8080:80 nginx:alpine

See https://github.com/containerd/nerdctl/blob/master/docs/rootless.md for the further information.

"Hard way"

Click here to show the "hard way"

Daemon

$ rootlesskit --net=slirp4netns --copy-up=/etc --copy-up=/run \
  --state-dir=/run/user/1001/rootlesskit-containerd \
  sh -c "rm -f /run/containerd; exec containerd -c config.toml"
  • --net=slirp4netns --copy-up=/etc is only required when you want to unshare network namespaces. See RootlessKit documentation for the further information about the network drivers.
  • --copy-up=/DIR mounts a writable tmpfs on /DIR with symbolic links to the files under the /DIR on the parent namespace so that the user can add/remove files under /DIR in the mount namespace. --copy-up=/etc and --copy-up=/run are needed on typical setup. Depending on the containerd plugin configuration, you may also need to add more --copy-up options.
  • rm -f /run/containerd removes the "copied-up" symbolic link to /run/containerd on the parent namespace (if exists), which cannot be accessed by non-root users. The actual /run/containerd directory on the host is not affected.
  • --state-dir is set to a random directory under /tmp if unset. RootlessKit writes the PID to a file named child_pid under this directory.
  • You need to provide config.toml with your own path configuration. e.g.
version = 2
root = "/home/penguin/.local/share/containerd"
state = "/run/user/1001/containerd"

[grpc]
  address = "/run/user/1001/containerd/containerd.sock"

Client

A client program such as ctr also needs to be executed inside the daemon namespaces.

$ nsenter -U --preserve-credentials -m -n -t $(cat /run/user/1001/rootlesskit-containerd/child_pid)
$ export CONTAINERD_ADDRESS=/run/user/1001/containerd/containerd.sock
$ export CONTAINERD_SNAPSHOTTER=native
$ ctr images pull docker.io/library/ubuntu:latest
$ ctr run -t --rm --fifo-dir /tmp/foo-fifo --cgroup "" docker.io/library/ubuntu:latest foo
  • The overlayfs snapshotter does not work inside user namespaces before kernel 5.11, except on Ubuntu and Debian kernels. However, fuse-overlayfs snapshotter can be used instead if running kernel >= 4.18.
  • Enabling cgroup requires cgroup v2 and systemd, e.g. ctr run --cgroup "user.slice:foo:bar" --runc-systemd-cgroup ... . See also runc documentation.