Investigate running tests via docker:dind-rootless

[fkorotkov]

As an additional container rather then using full fledged Docker Builder VM

Related guide: https://cirrus-ci.org/guide/docker-builds-on-kubernetes/?h=+docker

[edigaryev]

The preliminary results are that it's not possible to run rootless in Docker without a --privileged flag (or without enabling certain capabilities and disabling security confinements):

% docker run -it --rm docker:dind-rootless | tail -n 1
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted

Related RootlessKit issues:

• [rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted rootless-containers/rootlesskit#172
• failed to start the child: fork/exec /proc/self/exe: permission denied rootless-containers/rootlesskit#68

In the Docker's rootless guide the docker:dind-rootless is also started with the --privileged flag, see https://docs.docker.com/engine/security/rootless/#rootless-docker-in-docker.

[edigaryev]

The preliminary results are that it's not possible to run rootless in Docker without a --privileged flag (or without enabling certain capabilities and disabling security confinements)

This seems to be freshly confirmed by the Podman project too: containers/podman#4131 (comment).

[edigaryev]

I'm going to close this one for now because there's no straightforward way ATM to do this without turning off Docker's security features.