Open israeldahan opened 7 months ago
`./containerd-rootless-setuptool.sh install` => containerd setup Needs to be executed as a non-root user

Make sure that `/opt/cni/bin/bridge` has `+x` permission

> `./containerd-rootless-setuptool.sh install` => containerd setup Needs to be executed as a non-root user

Yep, I run the script from the non-root user.

> Make sure that `/opt/cni/bin/bridge` has `+x` permission

It has `+x` permission. Because `/opt/cni/bin/bridge` is owned by the root user and group, it causes the error if nerdctl is run by a user who is not part of the root group.

If we do `ls -l` on `/opt/cni/bin`, what does it show?

> If we do `ls -l` on `/opt/cni/bin`, what does it show?

@israeldahan could you try the above? Thanks!
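The check the maintainers are asking for, as an added example that is not from this thread or the nerdctl project: it prints the mode, owner and group that `ls -l` shows for each plugin under `/opt/cni/bin` and flags the ones the current (non-root) user cannot fork/exec, then prints the narrowest `chmod` that fixes them instead of adding the user to the root group. Function names and the `--run` flag are my own; the directory argument defaults to `/opt/cni/bin`.

```shell
#!/bin/sh
# Added example (not from the issue or from nerdctl). Rootless containerd runs
# as the calling user, so each CNI plugin it fork/execs (e.g. /opt/cni/bin/bridge)
# must be executable by *that* user, not only by root or the root group.
# Returns 0 if every plugin is executable, 1 if any is not, 2 if the dir is missing.

cni_plugin_check() {
    _dir="${1:-/opt/cni/bin}"
    _rc=0
    [ -d "$_dir" ] || { echo "cni bin dir $_dir not found" >&2; return 2; }
    # The directory itself must be searchable, or nothing inside it can be exec'd.
    if [ ! -x "$_dir" ]; then
        echo "NOTOK  $(ls -ld "$_dir" | awk '{print $1, $3, $4}') $_dir (not searchable by $(id -un))"
        _rc=1
    fi
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        # mode, owner, group exactly as `ls -l` prints them (columns 1, 3, 4)
        _meta=$(ls -ld "$_f" | awk '{print $1, $3, $4}')
        if [ -x "$_f" ]; then
            echo "OK     $_meta $_f"
        else
            # e.g. "-rwxr-x--- root root": root:root 0750, no access for other users
            echo "NOTOK  $_meta $_f (not executable by $(id -un))"
            _rc=1
        fi
    done
    return "$_rc"
}

# Print one chmod per failing plugin, granting read+execute to everyone.
# Review the output, then run it with sudo; no group membership change needed.
cni_plugin_fix_cmds() {
    _dir="${1:-/opt/cni/bin}"
    for _f in "$_dir"/*; do
        if [ -f "$_f" ] && [ ! -x "$_f" ]; then
            echo "chmod a+rx '$_f'"
        fi
    done
    return 0
}

# Stand-alone use:  sh cni-check.sh --run [/opt/cni/bin]   (as the nerdctl user)
if [ "${1:-}" = "--run" ]; then
    cni_plugin_check "${2:-/opt/cni/bin}" || cni_plugin_fix_cmds "${2:-/opt/cni/bin}"
fi
```

Run it as the user that invokes nerdctl, not as root: root passes the `-x` test on any file with some execute bit set, so a root-only check hides exactly the 0750 case this issue is about.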
Description
I installed containerd and CNI as the root user, and when I install nerdctl with a user who is not part of the root group, I receive this error:

```
nerdctl run hello-world
FATA[0000] failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error running hook #0: error running hook: exit status 1, stdout: , stderr: time="2024-04-15T16:02:51+03:00" level=fatal msg="failed to call cni.Setup: plugin type=\"bridge\" failed (add): netplugin failed with no error message: fork/exec /opt/cni/bin/bridge: permission denied" Failed to write to log, write /home/shalea2/.local/share/nerdctl/1935db59/containers/default/7d19f6a0f68a0210719d5d14b631a70738de69af0776f741fd18eb576a7f4588/oci-hook.createRuntime.log: file already closed: unknown
```
And this is the log of the install in rootless mode:

```
./containerd-rootless-setuptool.sh install
[INFO] Checking RootlessKit functionality
[INFO] Checking cgroup v2
[WARNING] Enabling cgroup v2 is highly recommended, see https://rootlesscontaine.rs/getting-started/common/cgroup2/
[INFO] Checking overlayfs
[INFO] Requirements are satisfied
[INFO] Creating "/home/shalea2/.config/systemd/user/containerd.service"
[INFO] Starting systemd unit "containerd.service"
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.910830407+03:00" level=error msg="failed to initialize a tracing processor \"otlp\"" error="no OpenTelemetry endpoint: skip plugin"
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.910904697+03:00" level=info msg="loading plugin \"io.containerd.grpc.v1.cri\"..." type=io.containerd.grpc.v1
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911044890+03:00" level=info msg="Start cri plugin with config {PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc DefaultRuntime:{Type: Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[] PrivilegedWithoutHostDevices:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0} UntrustedWorkloadRuntime:{Type: Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[] PrivilegedWithoutHostDevices:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0} Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[BinaryName: CriuImagePath: CriuPath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false NoPivotRoot:false Root: ShimCgroup: SystemdCgroup:false] PrivilegedWithoutHostDevices:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0}] NoPivot:false DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.6 StatsCollectPeriod:10 SystemdCgroup:false EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:false EnableUnprivilegedICMP:false} ContainerdRootDir:/var/lib/containerd ContainerdEndpoint:/run/containerd/containerd.sock RootDir:/var/lib/containerd/io.containerd.grpc.v1.cri StateDir:/run/containerd/io.containerd.grpc.v1.cri}"
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911107918+03:00" level=info msg="Connect containerd service"
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911170646+03:00" level=info msg="Get image filesystem path \"/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs\""
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911186696+03:00" level=warning msg="Running containerd in a user namespace typically requires disable_cgroup, disable_apparmor, restrict_oom_score_adj set to be true"
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911623495+03:00" level=warning msg="failed to load plugin io.containerd.grpc.v1.cri" error="failed to create CRI service: failed to create cni conf monitor for default: failed to create cni conf dir=/etc/cni/net.d for watch: mkdir /etc/cni/net.d: permission denied"
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911877722+03:00" level=info msg=serving... address=/run/containerd/containerd.sock.ttrpc
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.911973762+03:00" level=info msg=serving... address=/run/containerd/containerd.sock
Apr 15 16:15:12 magicuser containerd-rootless.sh[2972707]: time="2024-04-15T16:15:12.912005602+03:00" level=info msg="containerd successfully booted in 0.036624s"
systemctl --user (start|stop|restart) containerd.service
[INFO] To run "containerd.service" on system startup automatically, run: sudo loginctl enable-linger shalea2
[INFO] ------------------------------------------------------------------------------------------
[INFO] Use nerdctl to connect to the rootless containerd.
[INFO] You do NOT need to specify $CONTAINERD_ADDRESS explicitly.
```

When I add the user to the root group, it passes successfully.
Steps to reproduce the issue
Describe the results you received and expected
To install containerd and CNI as root, and run nerdctl for all users in rootless mode.
What version of nerdctl are you using?
Are you using a variant of nerdctl? (e.g., Rancher Desktop)
None
Host information
```
nerdctl version
Client:
 Version:	v1.7.4
 OS/Arch:	linux/amd64
 Git commit:	7b5f7e0d8f705ed4e54f7040512327e231433366
 buildctl:
  Version:	v0.13.1
  GitCommit:	2ae42e0c0c793d7d66b7a23424af6fd6c2f9c8f3

Server:
 containerd:
  Version:	1.6.21
  GitCommit:	3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:	1.1.7
  GitCommit:	v1.1.7-0-g860f061
```

```
nerdctl info
Client:
 Namespace:	default
 Debug Mode:	false

Server:
 Server Version: 1.6.21
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 1
 Plugins:
  Log: fluentd journald json-file syslog
  Storage: native overlayfs
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  rootless
 Kernel Version: 5.15.0-97-generic
 Operating System: Ubuntu 22.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 96
 Total Memory: 503.5GiB
 Name: magicuser
 ID: 3f55e019-d45e-430b-9327-868d61749cfe

WARNING: Running in rootless-mode without cgroups. To enable cgroups in rootless-mode, you need to boot the system in cgroup v2 mode.
```