Skip to content

Commit 41fc516

Browse files
AkihiroSudaAkihiroSuda
committed
docs/rootless.md: recommend "easy way" over "hard way"
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
1 parent 5c6ea7f commit 41fc516

File tree

1 file changed

+29
-7
lines changed

1 file changed

+29
-7
lines changed

docs/rootless.md

Lines changed: 29 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,27 @@ A non-root user can execute containerd by using [`user_namespaces(7)`](http://ma
44

55
For example [RootlessKit](https://github.com/rootless-containers/rootlesskit) can be used for setting up a user namespace (along with mount namespace and optionally network namespace). Please refer to RootlessKit documentation for further information.
66

7-
See also [Rootless Docker documentation](https://docs.docker.com/engine/security/rootless/).
7+
See also https://rootlesscontaine.rs/ .
88

9-
## Daemon
9+
## "Easy way"
10+
11+
The easiest way is to use `containerd-rootless-setuptool.sh` included in [containerd/nerdctl](https://github.com/containerd/nerdctl).
12+
13+
```console
14+
$ containerd-rootless-setuptool.sh install
15+
$ nerdctl run -d --restart=always --name nginx -p 8080:80 nginx:alpine
16+
```
17+
18+
See https://github.com/containerd/nerdctl/blob/master/docs/rootless.md for the further information.
19+
20+
## "Hard way"
21+
22+
<details>
23+
<summary>Click here to show the "hard way"</summary>
24+
25+
<p>
26+
27+
### Daemon
1028

1129
```console
1230
$ rootlesskit --net=slirp4netns --copy-up=/etc --copy-up=/run \
@@ -15,7 +33,7 @@ $ rootlesskit --net=slirp4netns --copy-up=/etc --copy-up=/run \
1533
```
1634

1735
* `--net=slirp4netns --copy-up=/etc` is only required when you want to unshare network namespaces.
18-
See [RootlessKit documentation](https://github.com/rootless-containers/rootlesskit/tree/v0.10.0#network-drivers) for the further information about the network drivers.
36+
See [RootlessKit documentation](https://github.com/rootless-containers/rootlesskit/blob/v0.14.1/docs/network.md) for the further information about the network drivers.
1937
* `--copy-up=/DIR` mounts a writable tmpfs on `/DIR` with symbolic links to the files under the `/DIR` on the parent namespace
2038
so that the user can add/remove files under `/DIR` in the mount namespace.
2139
`--copy-up=/etc` and `--copy-up=/run` are needed on typical setup.
@@ -33,7 +51,7 @@ state = "/run/user/1001/containerd"
3351
address = "/run/user/1001/containerd/containerd.sock"
3452
```
3553

36-
## Client
54+
### Client
3755

3856
A client program such as `ctr` also needs to be executed inside the daemon namespaces.
3957
```console
@@ -44,7 +62,11 @@ $ ctr images pull docker.io/library/ubuntu:latest
4462
$ ctr run -t --rm --fifo-dir /tmp/foo-fifo --cgroup "" docker.io/library/ubuntu:latest foo
4563
```
4664

47-
* `overlayfs` snapshotter does not work inside user namespaces, except on Ubuntu and Debian kernels.
48-
However, [`fuse-overlayfs` snapshotter](https://github.com/AkihiroSuda/containerd-fuse-overlayfs) can be used instead if running kernel >= 4.18.
65+
* The `overlayfs` snapshotter does not work inside user namespaces before kernel 5.11, except on Ubuntu and Debian kernels.
66+
However, [`fuse-overlayfs` snapshotter](https://github.com/containerd/fuse-overlayfs-snapshotter) can be used instead if running kernel >= 4.18.
4967
* Enabling cgroup requires cgroup v2 and systemd, e.g. `ctr run --cgroup "user.slice:foo:bar" --runc-systemd-cgroup ...` .
50-
See also [runc documentation](https://github.com/opencontainers/runc/blob/v1.0.0-rc92/docs/cgroup-v2.md).
68+
See also [runc documentation](https://github.com/opencontainers/runc/blob/v1.0.0-rc93/docs/cgroup-v2.md).
69+
70+
71+
</p>
72+
</details>

0 commit comments

Comments
 (0)