Going rootless #15
Labels
enhancement
Closed
Hi all,

I've experimented a bit with `runc`'s rootless containers + additional Linux capabilities using sarus. I think rootless containers will get quite popular with the next major release of Docker, and I think it provides the perfect trade-off between flexibility and security. (rootless in this context = dropping privileged setuid before executing the container command)

The main reason to look into this is being able to build images inside of a container running in the sarus runtime, which is currently impossible (#10). It's also impossible to run package manager commands like `apt-get [...]` inside of an ubuntu container with sarus currently.

To solve these two problems, it seems we need a few Linux capabilities, to be precise: `CAP_CHOWN`, `CAP_SETUID`, `CAP_SETGID`, `CAP_FOWNER`, and `CAP_DAC_OVERRIDE`.

In the current situation we cannot have those capabilities in sarus because they are too powerful. E.g. a user can chown a root-owned file from a mounted directory to make him/herself owner, and there are probably more issues.

With user namespaces however, this is not an issue anymore. We can drop the `seteuid` and `setegid` privileges right before executing the container command so that the container is executed as the current user, and then use namespaces with a user mapping to map the current user to root inside the container. This solves at least the obvious issues with mounting root-owned files (even when the user has `CAP_CHOWN` permissions):

Another great feature of namespaces is that files created as root inside of a mounted directory are in fact owned by the current user outside of the container.

The only potential issue at the moment seems to be that `cgroups` are not yet handled well with rootless containers, but the runc folks seem to have a workaround using cgroups v2, which is nearly finished.

Also note that it seems like a step in the direction of making sarus not a `setuid` binary. Because we have to mount things, we can probably never entirely get rid of that, but with rootless containers we can at least drop the privileges before executing container commands.

I have a working example of everything here: develop...haampie:rootless, not too many changes. If you want to compile it, you need to copy some hard-coded values from `/etc/subuid` and `/etc/subgid`.

With the above I can make sarus do all the things I would wish to do :) e.g.
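The post above argues that a user-namespace id mapping is what makes `CAP_CHOWN` and friends safe: container root is really the unprivileged host user, and a host root-owned file is simply unmapped inside. The following added example (not code from the issue, from sarus, or from runc) makes that mapping explicit. It parses `user:start:count` lines in the `/etc/subuid` format, builds the `inside outside count` table the kernel accepts in `/proc/<pid>/uid_map`, and translates ids in both directions. The `/etc/subuid` content, the user name `alice` and her host uid 1000 are constructed sample values; `65534` is the kernel's default overflow id for unmapped owners.

```python
"""Worked example: what a rootless user-namespace id mapping does to file ownership.

The subuid text below is a constructed sample, not a real host's /etc/subuid.
"""
from dataclasses import dataclass

# Kernel default for /proc/sys/kernel/overflowuid: the id an unmapped owner shows as
OVERFLOW_ID = 65534

# Constructed sample in /etc/subuid format: user:start:count
SUBUID_SAMPLE = """\
alice:100000:65536
bob:165536:65536
"""


@dataclass(frozen=True)
class IdRange:
    inside: int   # first id as seen inside the namespace
    outside: int  # first id on the host
    count: int


def parse_subid(text: str, user: str) -> list:
    """Return the (start, count) subordinate ranges for `user`.

    Lines for other users are skipped; a malformed count is rejected.
    """
    ranges = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 3 or parts[0] != user:
            continue
        start, count = int(parts[1]), int(parts[2])
        if count <= 0:
            raise ValueError(f"bad subid line: {line!r}")
        ranges.append((start, count))
    return ranges


def build_id_map(host_id: int, sub_ranges) -> list:
    """Map container id 0 to the unprivileged host id, then lay the
    subordinate ranges out contiguously from container id 1 upwards."""
    id_map = [IdRange(0, host_id, 1)]
    next_inside = 1
    for start, count in sub_ranges:
        id_map.append(IdRange(next_inside, start, count))
        next_inside += count
    return id_map


def format_id_map(id_map) -> str:
    """Render the table in the 'inside outside count' form that uid_map/gid_map accept."""
    return "".join(f"{r.inside} {r.outside} {r.count}\n" for r in id_map)


def to_host(id_map, inside_id: int):
    """Host id behind an id used inside the container, or None if it is not mapped."""
    for r in id_map:
        if r.inside <= inside_id < r.inside + r.count:
            return r.outside + (inside_id - r.inside)
    return None


def to_container(id_map, host_id: int) -> int:
    """Id the container sees for a host-owned file; unmapped owners collapse to OVERFLOW_ID."""
    for r in id_map:
        if r.outside <= host_id < r.outside + r.count:
            return r.inside + (host_id - r.outside)
    return OVERFLOW_ID


if __name__ == "__main__":
    # alice is host uid 1000 (constructed); she becomes root inside the container
    uid_map = build_id_map(1000, parse_subid(SUBUID_SAMPLE, "alice"))
    print(format_id_map(uid_map), end="")
    print("host root-owned mounted file appears inside as uid", to_container(uid_map, 0))
    print("file chowned to root inside is owned on the host by uid", to_host(uid_map, 0))
```

The two printed lines are the security argument from the post in numbers: a root-owned file from a mounted directory is unmapped, so container root cannot take ownership of it with `CAP_CHOWN`, and anything created or chowned to root inside lands on the host owned by the unprivileged user who launched the container.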