Created
January 7, 2018 15:45
Trying to use runc in rootless mode without CAP_SYS_ADMIN
```sh
# Dockerfile, first try
# from https://gist.github.com/frezbo/97925f04c823079f7ea0903d6a528caa
# Dockerfile.first
# This works
curl -SLo Dockerfile.first https://gist.githubusercontent.com/frezbo/97925f04c823079f7ea0903d6a528caa/raw/5b669ce089c3f3bebdd7d7d612bd07aa299b82ab/Dockerfile.first
docker build -t test:first -f Dockerfile.first .

# This works
docker run --rm -it --cap-add SYS_ADMIN test:first bash
# in docker container
mkdir -p /mnt/proc
mount -t proc proc /mnt/proc
su-exec test runc spec --rootless -b /opt/runner/
su-exec test runc --root /tmp/runc run --no-pivot --no-new-keyring -b /opt/runner/ test
# in runc container

# This does not work
docker run --rm -it test:first bash
# in docker container
su-exec test runc spec --rootless -b /opt/runner/
su-exec test runc --root /tmp/runc run --no-pivot --no-new-keyring -b /opt/runner/ test
# throws this error
# container_linux.go:296: starting container process caused "process_linux.go:398: container init caused \"rootfs_linux.go:58: mounting \\\"proc\\\" to rootfs \\\"/opt/runner/rootfs\\\" at \\\"/proc\\\" caused \\\"operation not permitted\\\"\"
# the intention being to be able to run runc in rootless mode inside a container; any solutions or suggestions welcome.
```
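The diagnostic below is an added example, not part of the gist and not written by its author. It checks the two conditions the failing `mount proc` step depends on. A rootless runc has to mount its own procfs from inside an unprivileged user namespace, and the kernel only permits that when some existing procfs in the mount namespace is fully visible, that is, has nothing mounted over parts of it. Container runtimes routinely mask `/proc/kcore`, `/proc/keys`, `/proc/sys` and similar paths, so the `/proc` a container inherits is usually not fully visible; the working case above gets around this by mounting a fresh, unmasked proc at `/mnt/proc` (which needs CAP_SYS_ADMIN) before handing off to the unprivileged user. The script reads `CapEff` from `/proc/self/status` and the mount points from `/proc/self/mountinfo`; the sample mountinfo embedded in it is constructed for the demo and the `--check` / `--demo` flags and function names are this example's own.

```sh
#!/bin/sh
# Added diagnostic for the runc-in-a-container problem above; it is not part of
# the original gist. Assumes Linux with /proc mounted; uses only POSIX sh and awk.
#   1. Does the process hold CAP_SYS_ADMIN? Then it may mount proc directly.
#   2. Is the visible /proc "fully visible" (no mounts layered over parts of it)?
#      If not, a fresh proc mount inside an unprivileged user namespace fails
#      with EPERM, which is what runc reports as "operation not permitted".

# Capability numbers come from linux/capability.h.
CAP_SYS_ADMIN=21

# cap_set MASK_HEX CAPNUM
# Succeeds when bit CAPNUM is set in MASK_HEX, the format of the Cap* lines in
# /proc/PID/status (e.g. CapEff: 00000000a80425fb in a default Docker container).
cap_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# effective_caps: hex CapEff mask of the calling shell
effective_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# proc_overmounts < mountinfo
# Prints every mount point that lies below /proc (field 5 of
# /proc/self/mountinfo is the mount point), i.e. the paths that were masked.
proc_overmounts() {
    awk '$5 ~ /^\/proc\/./ { print $5 }'
}

# proc_overmount_count < mountinfo
# Number of such masked paths; 0 means the visible proc is unmasked.
proc_overmount_count() {
    proc_overmounts | wc -l | tr -d ' '
}

# Constructed sample of /proc/self/mountinfo (not captured from a real host),
# mimicking a container whose /proc/kcore and /proc/keys are masked and whose
# /proc/sys is remounted read-only. Used only by the --demo path.
SAMPLE_MOUNTINFO='22 27 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
23 22 0:6 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw
24 22 0:6 /null /proc/keys rw,nosuid - tmpfs tmpfs rw
25 22 0:21 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
26 27 0:22 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro'

# report CAPEFF_HEX < mountinfo: human-readable verdict for the given state
report() {
    if cap_set "$1" "$CAP_SYS_ADMIN"; then
        echo "CapEff=$1: CAP_SYS_ADMIN present, 'mount -t proc' is allowed directly"
    else
        echo "CapEff=$1: CAP_SYS_ADMIN absent, proc can only be mounted from a user namespace"
    fi
    masked=$(proc_overmounts)
    if [ -z "$masked" ]; then
        echo "/proc is fully visible: a rootless runc can mount its own proc here"
    else
        echo "/proc is masked at:"
        echo "$masked" | sed 's/^/  /'
        echo "a rootless runc started in this mount namespace will get EPERM mounting proc"
    fi
}

case "${1-}" in
    --check) report "$(effective_caps)" < /proc/self/mountinfo ;;
    --demo)  printf '%s\n' "$SAMPLE_MOUNTINFO" | report 00000000a80425fb ;;
esac
```

Run it with `--check` inside the container right before the `runc run` step; `--demo` shows the verdict for the constructed sample without touching the live system. Docker's default seccomp profile also answers mount(2) with EPERM in a container that lacks CAP_SYS_ADMIN, which yields the same runc error text, so if the script reports a fully visible proc and the mount still fails, retry with `--security-opt seccomp=unconfined` to tell the two causes apart.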