genuinetools / riddler

A tool to convert docker inspect to the opencontainers runc spec.
MIT License

always sets up userns mappings #7

Closed justincormack closed 8 years ago

justincormack commented 8 years ago

riddler seems to always output userns mappings, even though I don't have user namespaces enabled right now. Then I cannot run the config as it complains about this...

jessfraz commented 8 years ago

Hmmm ya that was kinda a Jess "feature" but open to removing it

On Wednesday, July 13, 2016, Justin Cormack notifications@github.com wrote:

riddler seems to always output userns mappings, even though I don't have user namespaces enabled right now.


estesp commented 8 years ago

but of course! :) OK, more seriously: you mean you are running a kernel with no userns support?

estesp commented 8 years ago

now that there are flags for idlen/idroot, could possibly use their "unset" state as a way to determine not to configure userns?

justincormack commented 8 years ago

No, I have support, actually I was getting some other issues and noticed (permission denied creating device nodes from containerd, which was odd).

justincormack commented 8 years ago

(I just assumed it would copy my docker state, which happens to be running without userns)

estesp commented 8 years ago

Maybe I love riddler because it believed in a future state where everyone loved user namespaces =)

But, yes, after copying the docker state, in the case of userns it was being set up by default regardless of Docker daemon config; and definitely mknod will fail for user-namespaced processes (not related to Docker/containerd/runc)
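The fix discussed above (only emit a user namespace and uid/gid mappings when the daemon actually runs with remapping, otherwise emit neither) as an added example, not riddler's own code. The spec types are simplified stand-ins for the runtime-spec structs, the `docker info` / `docker inspect` fragments are constructed, the assumption that a remapping daemon lists `name=userns` (or bare `userns`) in its security options and that an opted-out container shows `HostConfig.UsernsMode: "host"` is mine, and `idroot`/`idlen` mirror the flags mentioned in the thread. The validator catches the inconsistent state that made the generated config unrunnable: mappings without a `user` namespace, or a `user` namespace without mappings.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Simplified stand-ins for the runtime-spec types (constructed for this
// example, not the opencontainers/runtime-spec package riddler uses).
type IDMapping struct {
	HostID      uint32 `json:"hostID"`
	ContainerID uint32 `json:"containerID"`
	Size        uint32 `json:"size"`
}

type Namespace struct {
	Type string `json:"type"`
}

type Linux struct {
	Namespaces  []Namespace `json:"namespaces"`
	UIDMappings []IDMapping `json:"uidMappings,omitempty"`
	GIDMappings []IDMapping `json:"gidMappings,omitempty"`
}

type Spec struct {
	Linux Linux `json:"linux"`
}

// dockerInfo holds the one field of `docker info --format '{{json .}}'` read here.
type dockerInfo struct {
	SecurityOptions []string `json:"SecurityOptions"`
}

// dockerInspect holds the one field of `docker inspect <container>` read here.
type dockerInspect struct {
	HostConfig struct {
		UsernsMode string `json:"UsernsMode"`
	} `json:"HostConfig"`
}

// usernsActive reports whether the container really runs under user-namespace
// remapping: the daemon must advertise userns in its security options (assumed
// format: "name=userns" or "userns") and the container must not have opted out
// with --userns=host.
func usernsActive(infoJSON, inspectJSON []byte) (bool, error) {
	var info dockerInfo
	if err := json.Unmarshal(infoJSON, &info); err != nil {
		return false, fmt.Errorf("parse docker info: %w", err)
	}
	var inspect []dockerInspect
	if err := json.Unmarshal(inspectJSON, &inspect); err != nil {
		return false, fmt.Errorf("parse docker inspect: %w", err)
	}
	if len(inspect) != 1 {
		return false, errors.New("expected exactly one container in inspect output")
	}
	daemonRemap := false
	for _, opt := range info.SecurityOptions {
		if opt == "userns" || strings.HasPrefix(opt, "name=userns") {
			daemonRemap = true
		}
	}
	return daemonRemap && inspect[0].HostConfig.UsernsMode != "host", nil
}

// applyUserns makes the spec agree with the observed state: a "user" namespace
// plus a single idroot..idroot+idlen mapping when active, neither when not.
func applyUserns(spec *Spec, active bool, idroot, idlen uint32) {
	kept := spec.Linux.Namespaces[:0] // filter in place, dropping any "user" entry
	for _, ns := range spec.Linux.Namespaces {
		if ns.Type != "user" {
			kept = append(kept, ns)
		}
	}
	spec.Linux.Namespaces = kept
	spec.Linux.UIDMappings, spec.Linux.GIDMappings = nil, nil
	if !active {
		return
	}
	m := IDMapping{HostID: idroot, ContainerID: 0, Size: idlen}
	spec.Linux.Namespaces = append(spec.Linux.Namespaces, Namespace{Type: "user"})
	spec.Linux.UIDMappings = []IDMapping{m}
	spec.Linux.GIDMappings = []IDMapping{m}
}

// validateUserns reports the mismatch a runtime rejects: mappings without a
// user namespace, or a user namespace without mappings.
func validateUserns(spec *Spec) error {
	hasUserNS := false
	for _, ns := range spec.Linux.Namespaces {
		if ns.Type == "user" {
			hasUserNS = true
		}
	}
	hasMaps := len(spec.Linux.UIDMappings) > 0 || len(spec.Linux.GIDMappings) > 0
	switch {
	case hasUserNS && !hasMaps:
		return errors.New("user namespace enabled but no uid/gid mappings")
	case !hasUserNS && hasMaps:
		return errors.New("uid/gid mappings present but no user namespace")
	}
	return nil
}

// Constructed sample output for a daemon running without --userns-remap.
const sampleInfo = `{"SecurityOptions":["name=seccomp,profile=default"]}`
const sampleInspect = `[{"HostConfig":{"UsernsMode":""}}]`

func main() {
	// A spec generated the old way: userns mappings present unconditionally.
	spec := &Spec{Linux: Linux{
		Namespaces:  []Namespace{{Type: "pid"}, {Type: "mount"}, {Type: "user"}},
		UIDMappings: []IDMapping{{HostID: 886432, ContainerID: 0, Size: 65536}},
		GIDMappings: []IDMapping{{HostID: 886432, ContainerID: 0, Size: 65536}},
	}}
	active, err := usernsActive([]byte(sampleInfo), []byte(sampleInspect))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	applyUserns(spec, active, 886432, 65536)
	out, _ := json.MarshalIndent(spec, "", "  ")
	fmt.Println(string(out))
	fmt.Println("userns active:", active, "spec consistent:", validateUserns(spec) == nil)
}
```

With the sample daemon state the `user` namespace and both mapping arrays are stripped, which is the config the reporter expected from copying a non-userns Docker setup; with `name=userns` in the daemon's security options the same call emits the namespace and the mappings together, so the two never disagree.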

justincormack commented 8 years ago

completely unprivileged containers running as a non root user are strictly more secure than user namespaces!

justincormack commented 8 years ago

@estesp BTW see you in London next week!

estesp commented 8 years ago

@justincormack great! now I have to really prepare if the experts are going to show up :)