rootless containers with libpod

[lukasheinrich]

/kind feature

Description

Hi, is it possible to run rootless containers using libpod? I did not find a corresponding option in https://github.com/projectatomic/libpod/blob/master/docs/podman-run.1.md.

We're essentially looking for a solution that provides much of the Docker CLI to a unprivileged user on a shared academic cluster, without the user having to worry about low-level runc commands of unpacking the image, preparing the config.json (like we do currently with skopeo, umoci and friends). My understanding is libpod is what we're looking for, but lacks the rootless option.

e.g. a tool that wraps

image building

• via buildah as libpod (modulo rootless builds using buildah buildah#386) or orca-build

container execution

• via rootless runc + https://github.com/AkihiroSuda/runrootless

[giuseppe]

currently not. The biggest issue is to get rootless support in containers/storage. The only driver that could currently work without requiring root access is vfs, and you could probably hack around something if you previously set an user namespace where the current user is mapped to root, and from there attempt to run podman.

I thought of adding a --rootfs option to podman run so that it could re-use an existing rootfs for running a container, this won't solve the "not worry about unpacking the image" part but would be a fairly easy first step to get non privileged users run containers without having to worry of the config.json file

[rhatdan]

I would say this is a long term goal. There is a long term goal of getting Overlay to work with rootless as well. Which I need to follow up on.
@giuseppe We should investigate this more, especially when/if buildah gains this access.
@nalind WDYT?

[mheon]

@giuseppe I'd love to see a way to specify that a Libpod container does not use an image-based root filesystem, and just respect whatever directory the user passes to us. That was an original goal of the library, but it was dropped early on to get things out the door faster.

[lukasheinrich]

Hi @rhatdan thanks. Is there already a place on github or elsewhere, where rootless overlay is discussed / worked on?

As for pointing podman to already unpacked rootfs directories, that's also a nice possibility. This is currently one of the dominant way, for example, that singularity is used where images are distributed in a unpacked form using a globally cached filesystem (CERN VM FileSystem -- CVMFS) -- e.g. https://github.com/opensciencegrid/cvmfs-singularity-sync

[giuseppe]

@lukasheinrich I've hacked something together here: https://github.com/giuseppe/libpod/tree/rootfs

It is incomplete and I am not really happy how the API looks like (the image name arg becomes argv0) and we need to discuss it. Anyway, it is the first step to make it usable with a non privileged user:

# podman run --rm --rootfs /some/where/rootfs echo hello
hello

[mheon]

@giuseppe Suggestion there - instead of patching CreateContainerStore, you'll probably have better luck changing setupStorage/teardownStorage/mount/unmount in container_internal.go to be no-ops if we're creating from a rootfs and not an image.

[rhatdan]

@lukasheinrich Internal emails discussing the steps to make Overlay Safe enough to allow non priv users to mount them. Talked to Eric Biederman and Storage Engineers at Red Hat.

[giuseppe]

I'd like to work on this once userNS support lands in as some of the added code is duplicated to get the userNS part working.

I've some WIP but it requires a change in conmon (the runc-wrapper script is to circumvent this limitation):

https://github.com/giuseppe/libpod/tree/rootfs-rootless

I could do something like:

$ cat /tmp/runc-wrapper
#!/bin/sh
XDG_RUNTIME_DIR=/run/user/$(id -u) /usr/bin/runc $@

$ id -u
1000

$ bin/podman --runtime /tmp/runc-wrapper --root /tmp/container/root --tmpdir /tmp/container/tmpdir run  --network host --rm --rootfs path/to/the/exploded/rootfs  echo hello
hello

EDIT:
the workaround for runc is not needed, I've amended a fix in my WIP that doesn't require it

[rhatdan]

Looks great.

[wking]

The biggest issue is to get rootless support in containers/storage.

The open issue for that is containers/storage#96.

[rhatdan]

#871

[rhatdan]

This is continuing to be worked on, but there is some support, so I am closing this issue.