rootless-containers / usernetes

Kubernetes without the root privileges
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless
Apache License 2.0

improv: Use PrivateMounts for rootlesskit service #215

Closed maybe-sybr closed 3 years ago

maybe-sybr commented 3 years ago

This change allows rootlesskit to run slirp4netns with its sandbox enabled even when running as root. Without this change, when running as root, slirp will fail to pivot_root() into its /tmp directory since the current mount namespace isn't private.

maybe-sybr commented 3 years ago

This change doesn't seem to cause any issues from my smoke testing running as both root and rootless users. I've been adding this to the u7s-rootlesskit.service file for both 20210201 and 20210303 starting today.

AkihiroSuda commented 3 years ago

Why do you run as root?

maybe-sybr commented 3 years ago

Why do you run as root?

For thrills? I've just been exploring deploying some of my systems in different environments to test their tolerance and this minor issue popped up.

AkihiroSuda commented 3 years ago

Sorry, running as the root is out of the scope of this project. Also, using private mounts will break mounting hostPaths.

maybe-sybr commented 3 years ago

Sure thing, I'm happy to close this then. Thanks for the feedback!
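The failure described in the opening comment comes down to mount propagation: pivot_root(2) is refused with EINVAL when the new root's mount or its parent mount is shared. As an added example, not code from the usernetes project or this PR, the check below classifies each mount's propagation from /proc/self/mountinfo and flags whether a pivot_root() into a given path would be refused; it also shows the propagation type a service is left with under PrivateMounts=yes (slave instead of shared), the setting the maintainer notes interacts with hostPath mounts. The mountinfo text is constructed; pass `open("/proc/self/mountinfo").read()` for a live check.

```python
"""Added example (not usernetes code): classify mount propagation from
/proc/self/mountinfo.  pivot_root(2) fails with EINVAL when the new root's
mount or its parent mount is shared, which is why slirp4netns's sandbox
cannot pivot_root() from a service still sharing the host's mounts."""
import re

# Constructed: a root-run service sharing the host's mount namespace.
SAMPLE_SHARED = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 0:36 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
45 22 0:37 / /mnt/data rw,relatime shared:5 master:3 - ext4 /dev/sdb1 rw
"""
# Constructed: the same mounts inside a PrivateMounts=yes namespace (slave).
SAMPLE_SLAVE = """\
60 1 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw
61 60 0:36 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
"""
# Optional-field tag -> propagation type; no tag at all means private.
PROP_TAGS = (("shared", "shared"), ("master", "slave"), ("unbindable", "unbindable"))

def parse_mountinfo(text):
    """Return {mount_id: (parent_id, mount_point, propagation)} from proc(5)
    mountinfo text: 'id parent maj:min root mnt opts [tags] - fs src sopts'.
    Spaces in paths are octal-escaped (\\040) and are unescaped here."""
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.partition(" - ")[0].split()
        mnt = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), f[4])
        tags = {opt.split(":")[0] for opt in f[6:]}
        prop = next((p for tag, p in PROP_TAGS if tag in tags), "private")
        mounts[int(f[0])] = (int(f[1]), mnt, prop)
    return mounts

def propagation(mount_point, text):
    """Propagation type of the first mount entry at mount_point."""
    for _parent, mnt, prop in parse_mountinfo(text).values():
        if mnt == mount_point:
            return prop
    raise KeyError(mount_point)

def pivot_root_blocked(new_root, text):
    """True if pivot_root(2) into new_root would get EINVAL because the
    new_root mount, or the parent mount it sits on, has shared propagation."""
    mounts = parse_mountinfo(text)
    for parent_id, mnt, prop in mounts.values():
        if mnt == new_root:
            parent = mounts.get(parent_id)
            return prop == "shared" or (parent is not None and parent[2] == "shared")
    raise KeyError(new_root)
```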