Running containerd as a non-root user
A non-root user can execute containerd by using user_namespaces(7).
For example, RootlessKit can be used to set up a user namespace (along with a mount namespace and, optionally, a network namespace). Please refer to the RootlessKit documentation for further information.
Daemon
$ rootlesskit --net=slirp4netns --copy-up=/etc \
  --state-dir=/run/user/1001/rootlesskit-containerd \
  containerd -c config.toml
- --net=slirp4netns --copy-up=/etc is only required when you want to unshare network namespaces.
- Depending on the containerd plugin configuration, you may also need to add more --copy-up options, e.g. --copy-up=/run, which mounts a writable tmpfs on /run, with symbolic links to the files under /run in the parent namespace.
- --state-dir is set to a random directory under /tmp if unset. RootlessKit writes the PID to a file named child_pid under this directory.
- You need to provide config.toml with your own path configuration, e.g.
root = "/home/penguin/.local/share/containerd"
state = "/run/user/1001/containerd"
[grpc]
  address = "/run/user/1001/containerd/containerd.sock"
[plugins]
  [plugins.linux]
    runtime_root = "/run/user/1001/containerd/runc"
Client
A client program such as ctr also needs to be executed inside the daemon namespaces.
$ nsenter -U --preserve-credentials -m -n -t $(cat /run/user/1001/rootlesskit-containerd/child_pid)
$ export CONTAINERD_SNAPSHOTTER=native
$ ctr -a /run/user/1001/containerd/containerd.sock pull docker.io/library/ubuntu:latest
$ ctr -a /run/user/1001/containerd/containerd.sock run -t --rm --fifo-dir /tmp/foo-fifo --cgroup "" docker.io/library/ubuntu:latest foo
- The overlayfs snapshotter does not work inside user namespaces, except on the Ubuntu kernel.
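As an added example (not part of the containerd documentation or the RootlessKit project), a POSIX sh wrapper for the client steps above: it generates the per-user config.toml shown in the Daemon section, validates RootlessKit's child_pid file before trusting it, and runs ctr via nsenter inside the daemon's namespaces. The variable names STATE_DIR and UID_NUM and the function names are assumptions of this example; the rootlesskit command from the Daemon section must already be running.

```shell
#!/bin/sh
# Added example: helper for the rootless containerd client step.
# Assumes RootlessKit was started with --state-dir="$STATE_DIR" (see Daemon).
set -eu

UID_NUM="${UID_NUM:-$(id -u)}"
RUN_DIR="${XDG_RUNTIME_DIR:-/run/user/$UID_NUM}"
STATE_DIR="${STATE_DIR:-$RUN_DIR/rootlesskit-containerd}"
SOCK="$RUN_DIR/containerd/containerd.sock"

# Print a config.toml equivalent to the one in the Daemon section, with
# root/state/socket paths derived from the given home and runtime directory.
rootless_config() {
  home="$1"; run_dir="$2"
  cat <<EOF
root = "$home/.local/share/containerd"
state = "$run_dir/containerd"
[grpc]
  address = "$run_dir/containerd/containerd.sock"
[plugins]
  [plugins.linux]
    runtime_root = "$run_dir/containerd/runc"
EOF
}

# Read RootlessKit's child_pid file and accept only a live, numeric PID, so a
# stale or malformed file cannot point nsenter at the wrong process.
read_child_pid() {
  pid_file="$1"
  [ -r "$pid_file" ] || { echo "no child_pid at $pid_file" >&2; return 1; }
  pid=$(tr -d '[:space:]' < "$pid_file")
  case "$pid" in
    ''|*[!0-9]*) echo "child_pid is not numeric: '$pid'" >&2; return 1 ;;
  esac
  kill -0 "$pid" 2>/dev/null || { echo "pid $pid is not running" >&2; return 1; }
  printf '%s\n' "$pid"
}

# Enter the daemon's user, mount and network namespaces and run ctr there,
# with the native snapshotter selected as in the Client section.
rootless_ctr() {
  pid=$(read_child_pid "$STATE_DIR/child_pid") || return 1
  CONTAINERD_SNAPSHOTTER=native \
    nsenter -U --preserve-credentials -m -n -t "$pid" -- ctr -a "$SOCK" "$@"
}

# Usage: ./rootless-ctr.sh images ls
if [ "$#" -gt 0 ]; then rootless_ctr "$@"; fi
```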
