pdtpartners / nix-snapshotter

Brings native understanding of Nix packages to containerd
MIT License
532 stars 15 forks

containerd rootless service fails on Linux Mint with home-manager #106

Open mjmeintjes opened 8 months ago

mjmeintjes commented 8 months ago

Trying to run nix-snapshotter using the home-manager setup from the readme. But the containerd systemd service doesn't start, and gives the following error:

    containerd-rootless[316090]: [rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 316098 [0 1000 1 1 100000 65536] failed: : exec: "newuidmap": executable file not found in $PATH

elpdt852 commented 6 months ago

You need to install uidmap: https://rootlesscontaine.rs/getting-started/common/subuid/#newuidmap-and-newgidmap

Let me know if the problem persists, because then I need to figure out how to expose the host uidmap binaries into the home-manager service.

mjmeintjes commented 6 months ago

I've since moved to NixOS on that computer, so unfortunately cannot test it out on Linux Mint anymore.

elpdt852 commented 6 months ago

Sounds good, please let us know if you encounter issues on NixOS!

isbecker commented 1 week ago

@elpdt852 I ran into this same issue on Ubuntu 22.04.

I think that the issue is due to the PATH that is used when running containerd-rootless.sh. rootlesskit is looking for newuidmap and can't find it.

So, the path that is set in containerd-rootless.nix, which is used in containerd-rootless.sh, does not include /usr/bin. That's a problem for systems that need to have newuidmap installed via their system (i.e. any non-NixOS system).

containerd-rootless-child has a facility for adding to the path.

Now, without making any changes to nix-snapshotter, I got things to work fully by making some symlinks in the place that containerd-rootless.sh has on its path.

    $ sudo mkdir -p /run/wrappers/bin
    $ sudo ln -s /usr/bin/newuidmap /run/wrappers/bin/newuidmap
    $ sudo ln -s /usr/bin/newgidmap /run/wrappers/bin/newgidmap

I don't really like this solution, since /run/wrappers isn't really supposed to exist on Ubuntu, as far as I can tell. What would be better is to add cfg.path to the PATH of the containerd-rootless.sh script.

      containerd-rootless = makeProg {
        name = "containerd-rootless";
        src = ./containerd-rootless.sh;
        inherit containerdArgs;
        # makeBinPath takes a list, so cfg.path must be appended to the list
        # inside the parentheses, not to the string makeBinPath returns
        path = lib.makeBinPath ([
          containerd-rootless-child
          pkgs.bash
          pkgs.iproute2
          pkgs.libselinux
          pkgs.rootlesskit
          pkgs.slirp4netns
          pkgs.util-linux
          # Need access to newuidmap from "/run/wrappers"
          "/run/wrappers"
        ] ++ cfg.path); # add the path from the config here
      };
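As an added preflight check (written for this thread, not nix-snapshotter code), the script below tests the two things the error in the first comment depends on: that newuidmap and newgidmap resolve on the PATH the wrapper script actually uses, and that the user's subuid/subgid files grant the 65536-id range rootlesskit tries to map. All inputs are parameters so it also runs against constructed files; the `--check` mode and its optional PATH argument are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example, not part of nix-snapshotter: preflight check for the rootless
# containerd prerequisites behind the "newuidmap: executable file not found"
# error. Every input is a parameter so the functions can be exercised against
# constructed data as well as the live host.

# find_in_path NAME PATHSTRING: print the first executable NAME found in a
# colon-separated PATH string (the one baked into the wrapper, not the shell's).
find_in_path() {
  _name=$1 _old_ifs=$IFS
  IFS=:
  set -- $2
  IFS=$_old_ifs
  for _dir in "$@"; do
    if [ -x "$_dir/$_name" ]; then
      printf '%s\n' "$_dir/$_name"
      return 0
    fi
  done
  return 1
}

# subid_range_ok USER FILE MIN: succeed if FILE (subuid/subgid format
# "user:start:count") grants USER a range of at least MIN ids.
subid_range_ok() {
  awk -F: -v u="$1" -v m="$3" '$1 == u && ($3 + 0) >= m { ok = 1 }
                                END { exit ok ? 0 : 1 }' "$2"
}

# check_rootless_prereqs USER PATHSTRING SUBUID SUBGID: 0 only if both tools are
# on PATHSTRING and USER has the 65536-id range from the failing map above.
check_rootless_prereqs() {
  _rc=0
  for _tool in newuidmap newgidmap; do
    if _bin=$(find_in_path "$_tool" "$2"); then
      [ -u "$_bin" ] || echo "warn: $_bin is not setuid; mapping will fail"
    else
      echo "missing: $_tool not found on PATH=$2"; _rc=1
    fi
  done
  subid_range_ok "$1" "$3" 65536 || { echo "missing: $1 lacks 65536 ids in $3"; _rc=1; }
  subid_range_ok "$1" "$4" 65536 || { echo "missing: $1 lacks 65536 ids in $4"; _rc=1; }
  return $_rc
}

# Live host: sh preflight.sh --check [PATH-to-test], defaulting to $PATH.
if [ "${1:-}" = "--check" ]; then
  check_rootless_prereqs "$(id -un)" "${2:-$PATH}" /etc/subuid /etc/subgid
fi
```

Pass the wrapper's own PATH as the second argument to reproduce the systemd failure rather than your interactive shell's.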