github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
adee2c7974
containerd/contrib/Dockerfile.test.d/cri-in-userns/docker-entrypoint.sh
Akihiro Suda aefabe5462
Dockerfile.test: add "cri-in-userns" (aka rootless) test stage 
The `cri-in-userns` stage is for testing "CRI-in-UserNS", which should be used in conjunction with "Kubelet-in-UserNS":
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless

This feature is mostly expected to be used for `kind` and `minikube`.

Requires Rootless Docker/Podman/nerdctl with cgroup v2 delegation: https://rootlesscontaine.rs/getting-started/common/cgroup2/
(Rootless Docker/Podman/nerdctl prepares the UserNS, so we do not need to create UserNS by ourselves)

Usage:
```
podman build --target cri-in-userns -t cri-in-userns -f contrib/Dockerfile.test .
podman run -it --rm --privileged cri-in-userns
```

The stage is tested on CI with Rootless Podman on Fedora 34 on Vagrant.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-09 14:50:04 +09:00

52 lines
1.7 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Copyright The containerd Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -eu -o pipefail
# Check 4294967295 to detect UserNS (https://github.com/opencontainers/runc/blob/v1.0.0/libcontainer/userns/userns_linux.go#L29-L32)
if grep -Eq "0[[:space:]]+0[[:space:]]+4294967295" /proc/self/uid_map; then
echo >&2 "ERROR: Needs to be executed in UserNS (i.e., rootless Docker/Podman/nerdctl)"
exit 1
fi
if [ ! -f "/sys/fs/cgroup/cgroup.controllers" ]; then
echo >&2 "ERROR: Needs cgroup v2"
exit 1
fi
for f in cpu memory pids; do
if ! grep -qw "$f" "/sys/fs/cgroup/cgroup.controllers"; then
echo >&2 "ERROR: Needs cgroup v2 controller ${f} to be delegated"
exit 1
fi
done
echo >&2 "Enabling cgroup v2 nesting"
# https://github.com/moby/moby/blob/v20.10.7/hack/dind#L28-L38
mkdir -p /sys/fs/cgroup/init
xargs -rn1 < /sys/fs/cgroup/cgroup.procs > /sys/fs/cgroup/init/cgroup.procs || :
sed -e 's/ / +/g' -e 's/^/+/' < /sys/fs/cgroup/cgroup.controllers \
> /sys/fs/cgroup/cgroup.subtree_control
set -x
echo >&2 "Running containerd in background"
containerd &
echo >&2 "Waiting for containerd"
until ctr plugins list; do sleep 3; done
exec "$@"
Reference in New Issue View Git Blame Copy Permalink