aurae-runtime / aurae

Distributed systems runtime daemon written in Rust.
https://aurae.io
Apache License 2.0

Rootless support #245

Closed dsseng closed 3 months ago

dsseng commented 1 year ago

I see #52 is open for networking in rootless mode. However, it's not yet clear in the docs how to run anything at all in rootless mode. I believe the bare minimum would be systemd-run --user --property=Delegate=true ./target/debug/auraed ..., but that doesn't really help (cell 'my-cell' could not be allocated: Operation not permitted (os error 1)). The origin of the error is unclear, but likely to be in cgroup creation.

OS: Fedora 37, SELinux: enforcing, running systemd with cgroupv2.

AuraeScript code ran:

import * as runtime from "./auraescript/gen/runtime.ts"

let cells = new runtime.CellServiceClient();

let allocated = await cells.allocate(<runtime.AllocateCellRequest>{
    cell: runtime.Cell.fromPartial({
        name: "my-cell",
        cpus: "2"
    })
});

let started = await cells.start(<runtime.StartExecutableRequest>{
    executable: runtime.Executable.fromPartial({
        cellName: "my-cell",
        command: "sleep 4000",
        description: "Sleep for 4000 seconds",
        name: "sleep-4000"
    })
})

Sorry if something is very wrong on my side: I've only started working with Aurae, but I'm very excited to start working with it, maybe contributing some code.

krisnova commented 1 year ago

This is great! Thanks for bringing this up. We still have a lot of work to do with rootless mode. Currently, allocating cells requires privileged mode with Aurae; however, we are working towards Aurae being the daemon and the clients being able to schedule network devices without privilege.

For example if you run

sudo -E auraed

you will be able to execute AuraeScript against the daemon and it should work.

In the future we will allow that same AuraeScript (or any client) to be able to schedule networks and interfaces without root privileges. Hope this helps.

dsseng commented 1 year ago

I'll be happy to work on this, thanks for explaining

dsseng commented 1 year ago

Now it says cell 'my-cell' could not be allocated: File not found: /proc/0. Also, if I Ctrl-C the auraed process, it leaves cgroups behind requiring me to rmdir them manually.

dmah42 commented 4 months ago

i believe the end state we want to get to is:

  1. auraed runs from systemd, as a user that has permission to create and destroy cgroups (v2).
  2. clients (auraescript, ae, aer, etc) connect to auraed over gRPC and can run as any regular user.

i don't think we're very far from this today, though we don't have systemd configs set up.
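An added example, not part of the thread and not Aurae code: a small Rust probe that checks whether the current user's cgroup v2 directory allows creating and removing a child cgroup, and which controllers are available there. The `Probe` struct, the function names and the controller list in `main` are assumptions for illustration.

```rust
use std::{fs, io, path::Path};

/// Outcome of probing one cgroup v2 directory (hypothetical helper type).
#[derive(Debug, PartialEq)]
struct Probe {
    cgroup: String,       // unified-hierarchy path of the process
    missing: Vec<String>, // wanted controllers not listed in cgroup.controllers
    can_create: bool,     // could a child cgroup be created and removed?
}

/// Extract the cgroup v2 path from /proc/<pid>/cgroup text (the "0::<path>" line).
fn unified_path(proc_cgroup: &str) -> Option<&str> {
    proc_cgroup.lines().find_map(|l| l.strip_prefix("0::")).map(str::trim)
}

/// Probe the cgroup named in `proc_cgroup` below `root` (normally /sys/fs/cgroup).
fn probe(root: &Path, proc_cgroup: &str, wanted: &[&str]) -> io::Result<Probe> {
    let rel = unified_path(proc_cgroup)
        .ok_or_else(|| io::Error::new(io::ErrorKind::NotFound, "no cgroup v2 (0::) entry"))?;
    let dir = root.join(rel.trim_start_matches('/'));
    // cgroup.controllers lists the controllers available to this cgroup.
    let available = fs::read_to_string(dir.join("cgroup.controllers"))?;
    let have: Vec<&str> = available.split_whitespace().collect();
    let missing = wanted.iter().copied().filter(|w| !have.contains(w)).map(String::from).collect();
    // Creating and removing a child cgroup is the permission the thread discusses.
    let child = dir.join(format!("probe-{}", std::process::id()));
    let can_create = fs::create_dir(&child).and_then(|_| fs::remove_dir(&child)).is_ok();
    Ok(Probe { cgroup: rel.to_string(), missing, can_create })
}

fn main() {
    // Controller list is an assumption for illustration, not taken from auraed.
    let wanted = ["cpu", "cpuset", "memory"];
    let result = fs::read_to_string("/proc/self/cgroup")
        .and_then(|text| probe(Path::new("/sys/fs/cgroup"), &text, &wanted));
    match result {
        Ok(p) => println!("{p:#?}"),
        Err(e) => eprintln!("probe failed: {e}"),
    }
}
```

Running it once as a regular user and once inside the `systemd-run --user --property=Delegate=true` scope shows whether delegation changes `can_create` or the `missing` list.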

bpmooch commented 3 months ago

That would not be rootless, but potentially that is not a critical feature for now? worth closing imo

dmah42 commented 3 months ago

at the moment there's no support for running auraed without root, or at least without a user with permission to create cgroups and maybe more.

so I think this issue is not an unknown issue, so I will close it.