genuinetools / img

Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.
https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/
MIT License

How to make img work in a container with a non-root user? #289

Open vikas027 opened 4 years ago

vikas027 commented 4 years ago

I am able to get things working in a container with the root user, but I'm just wondering if there is a way to make it work with a non-root user as well.

Here are my files and logs:

```
➜  img-build # cat Dockerfile
FROM alpine:latest

RUN apk add --no-cache libseccomp-dev ca-certificates && \
    apk add --no-cache img --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing
➜  img-build # 

➜  img-build # DOCKER_BUILDKIT=1 docker build -t agent-alpine .

➜  img-build # docker run --rm -it --security-opt seccomp=unconfined --security-opt apparmor=unconfined --privileged agent-alpine sh
/ # uname -a
Linux fca3c87f982b 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 Linux
/ # 

/ # img pull hello-world
Pulling hello-world...
Pulled: sha256:1f4ae8b5de7b10aa58bbc7371399db446cad948420f9dfe2d8f2b149aa625f23
Size: 3.429KiB
/ # 

/ # adduser -D -s /bin/sh vikas
/ # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
/ # chmod -v 4755 /usr/bin/newgidmap  /usr/bin/newuidmap
mode of '/usr/bin/newgidmap' changed to 4755 (rwsr-xr-x)
mode of '/usr/bin/newuidmap' changed to 4755 (rwsr-xr-x)
/ # 
/ # su - vikas
a7bfca5a2790:~$ 
a7bfca5a2790:~$ img pull hello-world
newuidmap: write to uid_map failed: Invalid argument
nsenter: failed to use newuidmap: No error information
nsenter: failed to sync with parent: SYNC_USERMAP_ACK: got 255: No error information
a7bfca5a2790:~$ 
a7bfca5a2790:~$ exit
/ # exit
➜  img-build #
```
AkihiroSuda commented 4 years ago

/etc/subuid and /etc/subgid need to be configured

vikas027 commented 4 years ago

> /etc/subuid and /etc/subgid need to be configured

Can you please elaborate a bit? What do you mean by "configured" here?

liorokman commented 4 years ago
1. You need to have the newuidmap and newgidmap commands available. Depending on your environment, you should install the correct system package. For example, in Debian/Ubuntu, you should install the uidmap package.
2. The newuidmap and newgidmap commands should either be installed setuid, or alternatively you should set the correct file capability on them and make sure that they are NOT installed setuid.
3. Your non-root user should have a corresponding line in /etc/subuid and /etc/subgid. In most distributions this is already handled by the operating system tool to create users. Just check that your non-root user is listed in both these files.
4. Your non-root user must have write privileges where runc expects to be able to write.

I've not been able to get img to work in a container in Kubernetes if the new[ug]id commands were installed setuid. It only works if the files are not setuid and the correct file capabilities are set. So for me, to make img work in a non-privileged Kubernetes container, I need to run the following in my Dockerfile:

```dockerfile
RUN chmod u-s /usr/bin/new[gu]idmap && \
    setcap cap_setuid+eip /usr/bin/newuidmap && \
    setcap cap_setgid+eip /usr/bin/newgidmap
# Give non-root users full control over the runc state folders. In non-container environments - use groups instead of the 777 permission.
RUN mkdir -p /run/runc  && chmod 777 /run/runc
```

If you're not running img in a container, setting the UID bit should be enough.
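A check for step 3 of the list above, added here as an example and not code from the issue or the img project: a POSIX sh parser for the `/etc/subuid` and `/etc/subgid` line format (`user:start:count`) that reports whether a user has a usable subordinate id range, which is exactly what `newuidmap` consults before writing `uid_map`. The 65536 minimum and the sample file contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not img's own code: check that a user has a usable
# /etc/subuid or /etc/subgid entry before running img as that user.
# Each line has the form <user>:<first subordinate id>:<count>.

# Assumed minimum range; the image's own users must fit inside it.
MIN_RANGE=65536

# subid_range FILE NAME: print the total count of subordinate ids that
# FILE grants to NAME (a user may have several lines). Returns 1 when
# NAME has no well-formed entry at all.
subid_range() {
    file=$1; name=$2; total=0; found=1
    while IFS=: read -r who start count; do
        case $who in ''|'#'*) continue ;; esac        # blank line or comment
        [ "$who" = "$name" ] || continue
        case $start in ''|*[!0-9]*) continue ;; esac  # malformed start id
        case $count in ''|*[!0-9]*) continue ;; esac  # malformed count or extra fields
        total=$((total + count)); found=0
    done < "$file"
    echo "$total"
    return $found
}

# subid_ok FILE NAME: succeed only if NAME's total range is at least MIN_RANGE.
subid_ok() {
    total=$(subid_range "$1" "$2") || return 1
    [ "$total" -ge "$MIN_RANGE" ]
}

# Constructed sample in the shape of /etc/subuid (not a real system file).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# comments and blank lines are ignored

vikas:100000:65536
ci:165536:1000
broken:notanumber:65536
broken:200000:1:extra
EOF

for u in vikas ci broken nobody; do
    if subid_ok "$SAMPLE" "$u"; then
        echo "$u: ok, $(subid_range "$SAMPLE" "$u") subordinate ids"
    else
        echo "$u: no usable entry (missing, malformed, or fewer than $MIN_RANGE ids)"
    fi
done
```

Run it against the real `/etc/subuid` and `/etc/subgid` by pointing `subid_ok` at those paths with the user img will run as; a failure here is the same condition that produced the `write to uid_map failed: Invalid argument` line in the log above.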

oxr463 commented 4 years ago

This looks like a good opportunity for a documentation PR :)

shubydo commented 4 years ago

I'm trying to accomplish the same goal with being able to run img in a container as non-root, but have not had any luck.

Any sample Dockerfiles or documentation that someone can point to would be greatly appreciated.

AkihiroSuda commented 4 years ago

The upstream BuildKit is more actively maintained and has detailed documentation for rootless mode: https://github.com/moby/buildkit/blob/master/docs/rootless.md

buildctl-daemonless.sh provides daemonless UX as in img, though the CLI is slightly complicated.