- Create a Pod config JSON file with `privileged` set to `true` in the `security_context`. Without a privileged pod, containerd does not allow a privileged container to be run in the sandbox.

```json
{
  "metadata": {
    "name": "priv-sandbox",
    "namespace": "default",
    "uid": "0"
  },
  "log_directory": "/tmp",
  "linux": {
    "security_context": {
      "privileged": true
    }
  }
}
```
- Create the container JSON:

```sh
cat privileged_container.json
```

```json
{
  "metadata": {
    "name": "privileged-container",
    "namespace": "default"
  },
  "image": {
    "image": "busybox"
  },
  "command": [
    "sh",
    "-c",
    "sleep 3600"
  ],
  "mounts": [],
  "log_path": "privileged-container.log",
  "linux": {
    "security_context": {
      "privileged": true
    }
  }
}
```
- Run the Pod sandbox with crictl, passing the runtime to be used:

```sh
POD_ID=$(sudo crictl runp --runtime=kata-qemu pod-config.json)
```

The above should create a privileged sandbox. If `privileged_without_host_devices` is set in the containerd config file, the privileged sandbox will be created without passing all host devices.

You can inspect the pod with:

```sh
sudo crictl inspectp priv-sandbox
```

You can verify that the Kata shim and hypervisor are running at this point with `ps aux | grep kata`.
- Create the container inside the pod and start it:

```sh
CONTAINER_ID=$(sudo crictl create $POD_ID privileged_container.json pod-config.json)
sudo crictl start $CONTAINER_ID
sudo crictl ps
```

If the busybox image is not present on the system, you may need to pull it first with `sudo crictl pull busybox`.

If you get any errors with this step, make sure your crictl config looks like this:

```sh
sudo cat /etc/crictl.yaml
```

```yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 2
debug: true
```
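With the container running, a practitioner will want to confirm that `privileged_without_host_devices` actually kept the host's device nodes out of the sandbox rather than trusting the setting. The script below is an added example, not part of the original page and not code from the Kata Containers or containerd projects. It assumes that `sudo crictl exec <CONTAINER_ID> ls /dev` works against the container created above, and it uses a heuristic: a device name that appears both in the host's `/dev` and in the container's `/dev`, and is not one of the default nodes every OCI container gets, is reported as a possibly passed-through host device. The function names, the baseline device list and the sample listings are constructed for this example.

```sh
#!/bin/sh
# Added example: check whether host device nodes are visible inside a
# privileged Kata sandbox. Nothing here is from the original page.

# Device nodes that the runtime creates in every container regardless of
# privilege; seeing these inside the sandbox is expected. Assumed baseline.
BASELINE_DEVICES="null zero full random urandom tty console ptmx pts shm mqueue fd stdin stdout stderr core"

# in_list NAME "LIST": succeed if NAME is a whitespace-separated word of LIST.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# host_devices_leaked "HOST_LIST" "GUEST_LIST": print, one per line, the host
# device names that are also visible in the container and are not baseline.
host_devices_leaked() {
    host="$1"
    guest="$2"
    for dev in $host; do
        if in_list "$dev" "$guest" && ! in_list "$dev" "$BASELINE_DEVICES"; then
            printf '%s\n' "$dev"
        fi
    done
}

# leak_count "HOST_LIST" "GUEST_LIST": number of such devices, printed.
leak_count() {
    n=0
    for dev in $(host_devices_leaked "$1" "$2"); do
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Live check against a running container (needs the pod and container from
# the steps above and sudo access to crictl). Only run when an ID is given.
check_sandbox_devices() {
    cid="$1"
    host_devs=$(ls /dev)
    guest_devs=$(sudo crictl exec "$cid" ls /dev)
    leaked=$(host_devices_leaked "$host_devs" "$guest_devs")
    if [ -z "$leaked" ]; then
        echo "OK: no non-baseline host device nodes visible in container $cid"
        return 0
    fi
    echo "WARNING: host device nodes visible in container $cid:"
    printf '%s\n' "$leaked"
    return 1
}

# Constructed sample listings (not captured from a real system): a host with
# disks and /dev/kvm, a sandbox that only has the default nodes, and a sandbox
# that was given the host devices.
SAMPLE_HOST="null zero full random urandom tty sda sda1 nvme0n1 kvm mem"
SAMPLE_GUEST_ISOLATED="null zero full random urandom tty console ptmx pts shm"
SAMPLE_GUEST_LEAKY="null zero full random urandom tty console ptmx pts shm sda sda1 kvm"

echo "isolated sandbox, host devices visible: $(leak_count "$SAMPLE_HOST" "$SAMPLE_GUEST_ISOLATED")"
echo "host-devices sandbox, host devices visible: $(leak_count "$SAMPLE_HOST" "$SAMPLE_GUEST_LEAKY")"

# Usage against the container started above: sh check_devices.sh "$CONTAINER_ID"
if [ -n "${1:-}" ]; then
    check_sandbox_devices "$1"
fi
```

Because Kata runs the container inside a guest VM, a name match is only a heuristic (the guest may carry its own `vda` while the host has `sda`); the useful signal is a host-specific node such as `kvm`, `mem` or a host disk partition turning up in the container's `/dev`, which is exactly what `privileged_without_host_devices` is meant to prevent.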
- Stop the container and pod, and remove the pod, with:

```sh
sudo crictl stop $CONTAINER_ID
sudo crictl stopp $POD_ID
sudo crictl rmp $POD_ID
```