pfnet-research / meta-fuse-csi-plugin

A CSI plugin for All FUSE implementations
https://tech.preferred.jp/en/blog/meta-fuse-csi-plugin/
Apache License 2.0

[Discuss] unprivileged rootful podman in kubernetes #2

Open DekusDenial opened 7 months ago

DekusDenial commented 7 months ago

Having read about different ways of operating podman in various environments, it certainly feels like getting this CSI project to work with podman in an unprivileged container in Kubernetes would be a very interesting and strong use case which will benefit many.

The challenge ahead may be getting the fusermount proxy to somehow “work” with fuse-overlayfs when podman is configured to use overlay as the storage driver. And currently, without granting SYS_ADMIN, rootful podman simply does not work in an unprivileged container in a Kubernetes pod.

utam0k commented 7 months ago

👋 Hi, @saschagrunert and @giuseppe. Is there currently any reference or something on running Podman within pods without privileged:true? We have started the project to run fuse without requiring privileges within pods. It seems like it would be worthwhile to use this project to run fuse-overlayfs to run rootless podman.

utam0k commented 7 months ago

FYI: We need to take the rootless network and some system calls (mount(2)) into consideration.

naoki9911 commented 7 months ago

It seems fuse-overlayfs calls the low-level API fuse_session_mount, and it calls fusermount3 in fuse_kern_mount. https://github.com/containers/fuse-overlayfs/blob/18f4d6768ab2178f0147c1bac0ccfd7d44841a56/main.c#L5883C7-L5883C25 https://github.com/libfuse/libfuse/blob/3f6cf537b77597d89bebd8387e93d4e42428b966/lib/fuse_lowlevel.c#L3179

I think this plugin can mount fuse-overlayfs, but its mount destination is statically defined in the pod's manifest. AFAIK, Podman requires fuse-overlayfs to be mounted to each container's directory, and the directories are dynamically specified. The current meta-fuse-csi-plugin cannot handle such dynamic behavior.

giuseppe commented 7 months ago

> 👋 Hi, @saschagrunert and @giuseppe. Is there currently any reference or something on running Podman within pods without privileged:true? We have started the project to run fuse without requiring privileges within pods. It seems like it would be worthwhile to use this project to run fuse-overlayfs to run rootless podman.

In this case you'd need to be able to create a user namespace. Podman can run in a pod without privileges as long as /proc is unmasked and it can create a user namespace. Without an unmasked /proc it is only able to build container images with --isolation=chroot.
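
The two conditions named in the comment above (an unmasked /proc and the ability to create a user namespace) can be checked from inside the pod before trying to run Podman. The script below is an added example written for this thread; it is not code from meta-fuse-csi-plugin or Podman. It assumes the container runtime masks /proc the way runc and crun do by default: files such as /proc/kcore get /dev/null bind-mounted over them, directories such as /proc/scsi get a tmpfs, and /proc/sys, /proc/sysrq-trigger and a few others are remounted read-only. Those show up in /proc/self/mountinfo as mounts below /proc whose filesystem type is not proc, or whose options carry ro. The sample mountinfo text and the names inspect_proc, userns_allowed and check_live are constructed for the example.

```python
"""Check whether this container has an unmasked /proc and can create a user
namespace (the two conditions giuseppe names). Added example, not project code."""
from __future__ import annotations

import os
from dataclasses import dataclass, field

# Filesystem types that may legitimately sit below /proc without masking it.
# Assumption: anything else mounted under /proc is a runtime maskedPaths overlay.
ALLOWED_FSTYPES = {"proc", "binfmt_misc"}


@dataclass
class ProcMaskReport:
    masked: list[str] = field(default_factory=list)     # overlaid by another fs
    read_only: list[str] = field(default_factory=list)  # still proc, remounted ro

    @property
    def unmasked(self) -> bool:
        return not self.masked and not self.read_only


def inspect_proc(mountinfo: str) -> ProcMaskReport:
    """Parse /proc/self/mountinfo text and list masked / read-only paths under /proc.

    Line layout (proc(5)):
      id parent major:minor root mount_point mount_opts [optional...] - fstype source super_opts
    """
    report = ProcMaskReport()
    for line in mountinfo.splitlines():
        if " - " not in line:
            continue
        left, right = line.split(" - ", 1)
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 2:
            continue
        mount_point = lf[4].replace("\\040", " ")   # mountinfo escapes spaces as \040
        mount_opts = lf[5].split(",")
        fstype = rf[0]
        if not mount_point.startswith("/proc/"):
            continue
        if fstype not in ALLOWED_FSTYPES:
            report.masked.append(mount_point)
        elif "ro" in mount_opts:
            report.read_only.append(mount_point)
    return report


def userns_allowed(max_user_namespaces: str, unprivileged_userns_clone: str | None = None) -> bool:
    """Decide from sysctl values whether an unprivileged process may create a user namespace.

    max_user_namespaces: contents of /proc/sys/user/max_user_namespaces (0 disables).
    unprivileged_userns_clone: contents of /proc/sys/kernel/unprivileged_userns_clone on
      kernels carrying the Debian/Ubuntu patch, or None where that file does not exist.
    """
    try:
        if int(max_user_namespaces.strip()) <= 0:
            return False
    except ValueError:
        return False
    if unprivileged_userns_clone is not None and unprivileged_userns_clone.strip() == "0":
        return False
    return True


def check_live() -> dict:
    """Run both checks against the real /proc of this container (Linux only)."""
    def read(path: str) -> str | None:
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return None

    proc = inspect_proc(read("/proc/self/mountinfo") or "")
    sysctl_ok = userns_allowed(read("/proc/sys/user/max_user_namespaces") or "0",
                               read("/proc/sys/kernel/unprivileged_userns_clone"))
    # The sysctls are necessary, not sufficient: a seccomp or AppArmor profile may
    # still deny unshare(CLONE_NEWUSER), so try it for real in a throwaway child.
    pid = os.fork()
    if pid == 0:
        try:
            os.unshare(os.CLONE_NEWUSER)   # os.unshare exists on Python >= 3.12
            os._exit(0)
        except (OSError, AttributeError):
            os._exit(1)
    _, status = os.waitpid(pid, 0)
    return {"proc_unmasked": proc.unmasked, "proc_masked": proc.masked,
            "proc_read_only": proc.read_only, "userns_sysctl_ok": sysctl_ok,
            "userns_unshare_ok": os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0}


# Constructed sample: what a default (masked) runc/crun container shows.
SAMPLE_MASKED = """\
100 90 0:50 / /proc rw,nosuid,nodev,noexec,relatime shared:200 - proc proc rw
101 100 0:6 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
102 100 0:53 / /proc/scsi ro,relatime - tmpfs tmpfs ro
103 100 0:50 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
104 100 0:50 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
"""
# Constructed sample: an unmasked /proc (e.g. procMount: Unmasked in the pod spec).
SAMPLE_UNMASKED = "100 90 0:50 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"

if __name__ == "__main__":
    import json
    print(json.dumps(check_live(), indent=2))
```

Run it inside the pod's container; a result with proc_unmasked false or userns_unshare_ok false means Podman will be limited to `--isolation=chroot` builds or will not start at all, whatever the pod's securityContext claims. Note that userns_sysctl_ok only reflects the kernel sysctls; the fork-and-unshare probe is what settles whether the runtime's seccomp profile lets the namespace be created.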

utam0k commented 7 months ago

πŸ‘ I didn't know --isolation=chroot. Thanks ;)

Without an unmasked /proc it is only able to build container images with --isolation=chroot)