Closed tomhjp closed 11 months ago
Note: After some offline feedback, this is still a bit of a work in progress. @mickael-hc pointed out the 0o777 folder could be taken over, so I tried to fix that by ensuring it's inside a more limited folder in ce76700, but for some reason that broke the rootless mlock tests.
Just pushed some updates that switch from a 0o777 folder to using the DAC_OVERRIDE capability instead. I don't think I'd want to support that for `runc`, because `runc` will require that `rootlesskit` on the host has the capability itself (and it's a very powerful capability), but it seems more reasonable for `runsc`, which doesn't need that because AFAIU it has its own userspace implementation instead of relying on the real underlying kernel.
Support running as non-root container users under rootless container runtimes.

- `Config.Rootless`, which should be used when both the runtime and the container user are running as non-root. It sets up default ACLs on the host socket directory, and gives the container the DAC_OVERRIDE capability to ensure each side can write to the shared Unix socket and folder despite each being owned by one side and the other side being a different user on the host.
- `GRPCBrokerMultiplexing` option to eliminate host-side sockets and reduce the `--host-uds` flag from `all` to `create`, which means no Unix domain sockets from the host will ever be available inside gVisor containers.
- `podman` tests for now - they are different enough to be a pain but we don't currently have strong requirements to support podman. It could still get re-added at a later date though.
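The takeover risk raised against the 0o777 socket folder can be caught before a socket is ever bound. The Go below is an added example, not code from this PR or its project; the language is assumed from the project, and `checkSocketDir` and `listenInDir` are hypothetical names. It refuses to host a Unix socket in a directory that is not owned by the caller (or root), or that is world-writable without the sticky bit.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// checkSocketDir rejects a host socket directory that another local user could
// take over. A 0o777 directory lets any user create, rename or replace entries
// in it, so a peer's socket could be swapped out from under it. The directory
// must be a real directory, owned by the caller (or root), and must not be
// world-writable unless the sticky bit restricts deletion to entry owners.
func checkSocketDir(dir string) error {
	st, err := os.Lstat(dir) // Lstat: a symlink standing in for the dir is itself suspicious
	if err != nil {
		return err
	}
	if !st.IsDir() {
		return fmt.Errorf("%s: not a directory", dir)
	}
	if sys, ok := st.Sys().(*syscall.Stat_t); ok { // Unix-only ownership check
		if uid := uint32(os.Getuid()); sys.Uid != uid && sys.Uid != 0 {
			return fmt.Errorf("%s: owned by uid %d, not %d", dir, sys.Uid, uid)
		}
	}
	m := st.Mode()
	if m.Perm()&0o002 != 0 && m&os.ModeSticky == 0 {
		return fmt.Errorf("%s: world-writable without sticky bit", dir)
	}
	return nil
}

// listenInDir binds a Unix socket only after the directory passes the check.
func listenInDir(dir, name string) (net.Listener, error) {
	if err := checkSocketDir(dir); err != nil {
		return nil, err
	}
	return net.Listen("unix", filepath.Join(dir, name))
}
```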