rootless-containers / runrootless
rootless OCI container runtime with ptrace hacks (No root privileges nor SUID binaries (e.g. newuidmap) are required!)
License: Apache License 2.0
expected result: 44:43
actual result: 44:0
```c
#include <stdio.h>
#include <unistd.h>

int main(int ac, char *av[]) {
    if (ac != 2) {
        fprintf(stderr, "usage: %s FILE\n", av[0]);
        return 1;
    }
    const char *path = av[1];
    /* Set both owner and group. */
    if (chown(path, 42, 43) < 0) {
        perror("chown(42, 43)");
        return 1;
    }
    /* Change only the owner; a group of -1 must leave the group (43) untouched. */
    if (chown(path, 44, -1) < 0) {
        perror("chown(44, -1)");
        return 1;
    }
    return 0;
}
```
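The sentinel handling that the reproducer above exercises, as an added example that is not part of the original issue and is not runrootless or PRoot code: POSIX `chown` leaves an ID unchanged when it is passed as -1, so a layer that records fake ownership has to honour that. The ownership table, the default 0:0 owner for unseen files, and the names `fake_chown` and `fake_stat` are hypothetical.

```c
#include <string.h>
#include <sys/types.h>

/* Hypothetical in-memory ownership table, of the kind a fake-root layer
 * could keep when it cannot really chown files. Illustration only. */
#define MAX_ENTRIES 16
struct fake_owner { char path[64]; uid_t uid; gid_t gid; int used; };
static struct fake_owner table[MAX_ENTRIES];

/* Find the entry for path, or create one owned by fake root (0:0, assumed). */
static struct fake_owner *lookup(const char *path) {
    struct fake_owner *free_slot = NULL;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (table[i].used && strcmp(table[i].path, path) == 0)
            return &table[i];
        if (!table[i].used && !free_slot)
            free_slot = &table[i];
    }
    if (!free_slot || strlen(path) >= sizeof free_slot->path)
        return NULL;
    strcpy(free_slot->path, path);
    free_slot->uid = 0;
    free_slot->gid = 0;
    free_slot->used = 1;
    return free_slot;
}

/* Emulated chown(2): (uid_t)-1 or (gid_t)-1 means "leave this ID unchanged". */
int fake_chown(const char *path, uid_t uid, gid_t gid) {
    struct fake_owner *e = lookup(path);
    if (!e)
        return -1;
    if (uid != (uid_t)-1)
        e->uid = uid;
    if (gid != (gid_t)-1)
        e->gid = gid;
    return 0;
}

/* Emulated ownership lookup for stat(2); returns 0 if the path is recorded. */
int fake_stat(const char *path, uid_t *uid, gid_t *gid) {
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (table[i].used && strcmp(table[i].path, path) == 0) {
            *uid = table[i].uid;
            *gid = table[i].gid;
            return 0;
        }
    return -1;
}
```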
containers/buildah#386 (comment)
@AkihiroSuda Have you considered making runrootless a tool that will modify an OCI bundle rather than a whole new wrapper script? In principle you would only need to touch the config.json since you also bind-mount PRoot into the container.
Yes, it should be easily possible.
What do you expect for CLI UX?
Does `runrootless _convert` look fine?
(I prepended an underscore so that it won't conflict with a future version of runc, but no strong opinion)
I've been recommending people use the proot plugin that you've written, but it's a bit difficult for people to just use it because it's part of this project. Would you mind if we separated it into a separate project and then placed it inside https://github.com/rootless-containers?
As an aside, did you want to put this project in the rootless-containers organisation as well?
```
/ # apk add zsh
(1/4) Installing ncurses-terminfo-base (6.0_p20170930-r0)
(2/4) Installing ncurses-terminfo (6.0_p20170930-r0)
(3/4) Installing ncurses-libs (6.0_p20170930-r0)
(4/4) Installing zsh (5.4.2-r0)
Executing zsh-5.4.2-r0.post-install
ERROR: zsh-5.4.2-r0.post-install: script exited with error 127
Executing busybox-1.27.2-r6.trigger
ERROR: busybox-1.27.2-r6.trigger: script exited with error 127
1 error; 17 MiB in 15 packages
```
strace:
```
openat(3, "var/cache/misc/busybox-1.27.2-r6.trigger", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0755) = 8
write(8, "#!/bin/sh\n\ndo_bb_install=\n\nfor i"..., 365) = 365
close(8) = 0
rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0
fork(strace: Process 15 attached
<unfinished ...>
[pid 15] gettid() = 15
[pid 15] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid 15] umask(022) = 000
[pid 15] fchdir(3) = 0
[pid 15] chroot(".") = -1 EPERM (Operation not permitted)
[pid 13] <... fork resumed> ) = 15
[pid 15] exit_group(127) = ?
[pid 13] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid 15] +++ exited with 127 +++
```
This is not specific to runrootless/proot.
Plain rootless runc hits this issue as well.
The current project name runROOTLESS is confusing because the upstream runc supports rootless as well but in a different way.
RFC
cc @cyphar
Currently, `runc exec` is not hooked.
Ideally we should use a single proot instance, but injecting another instance should be ok now
```
root@runc:~# dpkg-deb --fsys-tarfile /var/cache/apt/archives/htop_2.0.1-1ubuntu1_amd64.deb > /dev/null
dpkg-deb: error: subprocess <decompress> was killed by signal (Segmentation fault)
root@runc:~# dpkg-deb --fsys-tarfile /var/cache/apt/archives/htop_2.0.1-1ubuntu1_amd64.deb > /dev/null
root@runc:~# dpkg-deb --fsys-tarfile /var/cache/apt/archives/htop_2.0.1-1ubuntu1_amd64.deb > /dev/null
root@runc:~# dpkg-deb --fsys-tarfile /var/cache/apt/archives/htop_2.0.1-1ubuntu1_amd64.deb > /dev/null
dpkg-deb: error: subprocess <decompress> was killed by signal (Segmentation fault)
```
| image | command | regular runc (root) (config) | runrootless | runrootless+seccomp |
|---|---|---|---|---|
| docker gentoo/stage3-amd64 | `emerge --sync` | 52s | 1m43s | 2m54s |
| ditto | `emerge zsh` (after `emerge --sync`) | 2m1s | 9m3s | (crashed quickly) |
| alpine | `apk add gcc` | 1.4s | 2.2s | 2.0s |
| ditto | `apk add openjdk8` | 3.1s | 4.4s | 3.14s |
| ditto | `git clone https://github.com/torvalds/linux.git` | 6m38s | 10m43s | (crashed quickly) |
`emerge`, especially during compiling packages
`apk add`, overhead is negligible
`apk`/`apt`/`yum` operation

So, I think this needs user namespaces enabled to work - which in my situation is thus not "fully rootless" - the user needs to convince the admins that this is reasonable (and thus takes time)
Assuming I'm correct, would it be reasonable to mention this in the README?
I'm also wondering if the fork of PRoot is necessary anymore, or if the changes could be merged upstream? @oxr463 ?