Open vikas027 opened 4 years ago
/etc/subuid and /etc/subgid need to be configured
> /etc/subuid and /etc/subgid need to be configured
Can you please elaborate a bit? What do you mean by configured here?
- newuidmap and newgidmap commands available. Depending on your environment, you should install the correct system package. For example, in Debian/Ubuntu, you should install the uidmap package. The newuidmap and newgidmap commands should either be installed setuid, or alternatively you should set the correct file capability on them and make sure that they are NOT installed setuid.
- /etc/subuid and /etc/subgid. In most distributions this is already handled by the operating system tool to create users. Just check that your non-root user is listed in both these files.
- A directory runc expects to be able to write to.

I've not been able to get img to work in a container in Kubernetes if the new[ug]idmap commands were installed setuid. It only works if the files are not setuid and the correct file capabilities are set. So for me, to make img work in a non-privileged Kubernetes container, I need to run the following in my Dockerfile:

```Dockerfile
RUN chmod u-s /usr/bin/new[gu]idmap && \
    setcap cap_setuid+eip /usr/bin/newuidmap && \
    setcap cap_setgid+eip /usr/bin/newgidmap
# Give non-root users full control over the runc state folders. In non-container environments - use groups instead of the 777 permission.
RUN mkdir -p /run/runc && chmod 777 /run/runc
```

If you're not running img in a container, setting the setuid bit should be enough.
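The three prerequisites above (subid ranges, setuid-or-capabilities on the new*idmap binaries, a writable runc state directory) can be checked before starting img. The script below is an added example, not code from the img project or from this thread; the /usr/bin and /run/runc paths and the default user are assumptions matching the comment above.

```shell
#!/bin/sh
# Added example, not from the img project: preflight checks for the three
# rootless prerequisites this thread lists (subid ranges, new*idmap setup,
# writable runc state dir). Paths and the default user are assumptions.

# Does $2 (user name) or $3 (numeric uid) own a range in subid file $1?
# Lines look like "alice:100000:65536"; newer shadow also accepts a numeric
# first field, so both spellings are accepted.
subid_has_entry() {
  [ -r "$1" ] || return 1
  awk -F: -v u="$2" -v n="$3" '$1 == u || $1 == n { found = 1 } END { exit !found }' "$1"
}

# How is a new*idmap binary privileged? Prints setuid, caps, both or none.
# $1 = binary path, $2 = capability it needs (cap_setuid or cap_setgid).
# Per the thread: "caps" is what works inside an unprivileged Kubernetes
# container; "setuid" is enough on a plain host.
idmap_mode() {
  [ -x "$1" ] || { echo missing; return 1; }
  suid=0; caps=0
  [ -u "$1" ] && suid=1
  if command -v getcap >/dev/null 2>&1; then
    getcap "$1" 2>/dev/null | grep -q "$2" && caps=1
  fi
  case "$suid$caps" in
    11) echo both ;;  10) echo setuid ;;  01) echo caps ;;  *) echo none ;;
  esac
}

# runc keeps its state under this directory and must be able to write to it.
runc_state_writable() {
  [ -d "$1" ] && [ -w "$1" ]
}

# Run all checks for a user (defaults to the current one) and report.
preflight() {
  user=${1:-$(id -un)}; uid=$(id -u "$user")
  subid_has_entry /etc/subuid "$user" "$uid" || echo "WARN: $user has no /etc/subuid range"
  subid_has_entry /etc/subgid "$user" "$uid" || echo "WARN: $user has no /etc/subgid range"
  echo "newuidmap: $(idmap_mode /usr/bin/newuidmap cap_setuid)"
  echo "newgidmap: $(idmap_mode /usr/bin/newgidmap cap_setgid)"
  runc_state_writable /run/runc || echo "WARN: /run/runc is not writable"
}

preflight "$@"
```

Inside a container, "newuidmap: setuid" with a "WARN" line is the failing configuration the comment above describes; "caps" plus no warnings is the working one.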
This looks like a good opportunity for a documentation PR :)
I'm trying to accomplish the same goal of being able to run img in a container as non-root, but have not had any luck. Any sample Dockerfiles or documentation that someone can point to would be greatly appreciated.
The upstream BuildKit is more actively maintained and has detailed documentation for rootless mode: https://github.com/moby/buildkit/blob/master/docs/rootless.md

buildctl-daemonless.sh provides a daemonless UX as in img, though the CLI is slightly complicated.
I am able to get things working in a container with the root user, but I am wondering if there is a way to make it work with a non-root user as well. Here are my files and logs: