enable running rootless podman inside a pod

[TomasTomecek]

We would like to run rootless podman containers inside openshift pods so that we can take advantage of openshift's scheduling superpowers and have access to a root environment (via user namespacing) from a pod.

We are tracking podman work for this in here: containers/podman#1092

In the current iteration, the blocker is that openshift is dropping cap_set_{uid,gid} capabilities which podman needs to construct a user namespace.

What would be the best way to solve this issue? Can a solution for this land in the default SCC?

Version

oc v3.11.0+0cbc58b
kubernetes v1.10.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Steps To Reproduce

https://github.com/TomasTomecek/rootless-podman-in-openshift

[cgwalters]

See also containers/bubblewrap#284

For Kubernetes/OpenShift this also blocks on user namespaces kubernetes/enhancements#127

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[jamescassell]

Fixed, or no longer desired?

[TomasTomecek]

I'm no longer interested in this so I closed. Feel free to open a new one. (I think that it could possibly work with --isolation chroot)