rootless-containers / runrootless Goto Github PK
View Code? Open in Web Editor NEWrootless OCI container runtime with ptrace hacks (No root privileges nor SUID binaries (e.g. newuidmap) are required!)
License: Apache License 2.0
runrootless's People
Contributors
Stargazers
Watchers
Forkers
akihirosuda yut148 anonymouse64 3artek mikalv o10222 iamthatiam777 timyinshi jasonyangshadow shism2runrootless's Issues
proot: fix chown(42, 43); chown(44, -1)
expected result: 44:43
actual result: 44:0
#include <stdio.h>
#include <unistd.h>
int main(int ac, char *av[]){
if (ac != 2) {
fprintf(stderr, "usage: %s FILE\n", av[0]);
return 1;
}
const char *path = av[1];
if (chown(path, 42, 43) < 0) {
perror("chown(42, 43)");
return 1;
}
if (chown(path, 44, -1) < 0) {
perror("chown(44, -1)");
return 1;
}
return 0;
}modify an OCI bundle rather than a whole new wrapper script
containers/buildah#386 (comment)
@AkihiroSuda Have you considered making runrootless a tool that will modify an OCI bundle rather than a whole new wrapper script? In principle you would only need to touch the config.json since you also bind-mount PRoot into the container.
Yes, it should be easily possible.
What do you expect for CLI UX?
Does runrootless _convert look fine?
(I prepended an underscore so that it won't conflict with future version of runc, but no strong opinion)
proot: can we separate it out into a separate project
I've been recommending people use the proot plugin that you've written, but it's a bit difficult for people to just use it because it's part of this project. Would you mind if we separated it into a separate project and then placed it inside https://github.com/rootless-containers?
As an aside, did you want to put this project in the rootless-containers organisation as well?
apk script fails due to chroot EPERM
/ # apk add zsh
(1/4) Installing ncurses-terminfo-base (6.0_p20170930-r0)
(2/4) Installing ncurses-terminfo (6.0_p20170930-r0)
(3/4) Installing ncurses-libs (6.0_p20170930-r0)
(4/4) Installing zsh (5.4.2-r0)
Executing zsh-5.4.2-r0.post-install
ERROR: zsh-5.4.2-r0.post-install: script exited with error 127
Executing busybox-1.27.2-r6.trigger
ERROR: busybox-1.27.2-r6.trigger: script exited with error 127
1 error; 17 MiB in 15 packages
strace:
openat(3, "var/cache/misc/busybox-1.27.2-r6.trigger", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0755) = 8
write(8, "#!/bin/sh\n\ndo_bb_install=\n\nfor i"..., 365) = 365
close(8) = 0
rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0
fork(strace: Process 15 attached
<unfinished ...>
[pid 15] gettid() = 15
[pid 15] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid 15] umask(022) = 000
[pid 15] fchdir(3) = 0
[pid 15] chroot(".") = -1 EPERM (Operation not permitted)
[pid 13] <... fork resumed> ) = 15
[pid 15] exit_group(127) = ?
[pid 13] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid 15] +++ exited with 127 +++
This is not specific to runrootless/proot.
Plain rootless runc hits this issue as well.
Fake capabilities (e.g. CAP_CHOWN, CAP_DAC_OVERRIDE)
Hide `user.rootlesscontainers.*` xattrs from the container
RFC: consider renaming the project (runROOTLESS -> runFULLYROOTLESS?)
The current project name runROOTLESS is confusing because the upstream runc supports rootless as well but in a different way.
RFC
cc @cyphar
Support `runc exec`
Currently, runc exec is not hooked.
Ideally we should use a single proot instance, but injecting another instance should be ok now
apt/dpkg fails intermittently, when seccomp acceleration is enabled
root@runc:~# dpkg-deb --fsys-tarfile /var/cache/apt/archives/htop_2.0.1-1ubuntu1_amd64.deb > /dev/null
dpkg-deb: error: subprocess <decompress> was killed by signal (Segmentation fault)
root@runc:~# dpkg-deb --fsys-tarfile /var/cache/apt/archives/htop_2.0.1-1ubuntu1_amd64.deb > /dev/null
root@runc:~# dpkg-deb --fsys-tarfile /var/cache/apt/archives/htop_2.0.1-1ubuntu1_amd64.deb > /dev/null
root@runc:~# dpkg-deb --fsys-tarfile /var/cache/apt/archives/htop_2.0.1-1ubuntu1_amd64.deb > /dev/null
dpkg-deb: error: subprocess <decompress> was killed by signal (Segmentation fault)
memo: benchmark
| image | command | regular runc (root) (config) | runrootless | runrootless+seccomp |
|---|---|---|---|---|
| docker gentoo/stage3-amd64 | emerge --sync |
52s | 1m43s | 2m54s |
| ditto | emerge zsh (after emerge --sync) |
2m1s | 9m3s | (crashed quickly) |
| alpine | apk add gcc |
1.4s | 2.2s | 2.0s |
| ditto | apk add openjdk8 |
3.1s | 4.4s | 3.14s |
| ditto | git clone https://github.com/torvalds/linux.git |
6m38s | 10m43s | (crashed quickly) |
- PRoot overhead seems significant for
emerge, especially during compiling packages - For
apk add, overhead is negligible - Suggestion:
-- Enable PRoot only duringapk/apt/yumoperation
-- Disable PRoot for compilation
unsure what pre-req's are needed for this to work
So, I think this needs user namespaces enabled to work - which in my situation is thus not "fully rootless" - the user needs to convince the admins that this is reasonable (and thus takes time)
Assuming I'm correct, would it be reasonable to mention this in the README?
I'm also wondering if the fork of PRoot is necessary anymore, or if the changes could be merged upstream? @oxr463 ?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.