Closed tomhjp closed 11 months ago
tomhjp
commented
12 months ago Note: After some offline feedback, this is still a bit of a work in progress. @mickael-hc pointed out the 0o777 folder could be taken over, so I tried to fix that by ensuring it's inside a more limited folder in ce76700, but for some reason that broke the rootless mlock tests.
tomhjp
commented
11 months ago Just pushed some updates that switch from a 0o777 folder to using the DAC_OVERRIDE capability instead. I don't think I'd want to support that for runc, because runc will require that rootlesskit on the host has the capability itself (and it's a very powerful capability), but it seems more reasonable for runsc which doesn't need that because AFAIU it has its own userspace implementation instead of relying on the real underlying kernel.
Support running as non-root container users under rootless container runtimes.
Config.Rootless, which should be used when both the runtime and the container user are running as non-root. It sets up default ACLs on the host socket directory, and gives the container the DAC_OVERRIDE capability to ensure each side can write to the shared Unix socket and folder despite each being owned by one side and the other side being a different user on the host.GRPCBrokerMultiplexingoption to eliminate host-side sockets and reduce the--host-udsflag fromalltocreate, which means no Unix domain sockets from the host will ever be available inside gVisor containers.podmantests for now - they are different enough to be a pain but we don't currently have strong requirements to support podman. It could still get re-added at a later date though.