Skip to content

Commit b553bc1

Browse files
AkihiroSudaAkihiroSuda
committed
update docs/rootless.md
* Updated an example config to v2 syntax * Updated for shim v2 (relates to containerd#2767) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
1 parent 0d276ec commit b553bc1

File tree

1 file changed

+14
-8
lines changed

1 file changed

+14
-8
lines changed

docs/rootless.md

Lines changed: 14 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -4,28 +4,33 @@ A non-root user can execute containerd by using [`user_namespaces(7)`](http://ma
44

55
For example [RootlessKit](https://github.com/rootless-containers/rootlesskit) can be used for setting up a user namespace (along with mount namespace and optionally network namespace). Please refer to RootlessKit documentation for further information.
66

7+
See also [Rootless Docker documentation](https://docs.docker.com/engine/security/rootless/).
8+
79
## Daemon
810

911
```console
10-
$ rootlesskit --net=slirp4netns --copy-up=/etc \
12+
$ rootlesskit --net=slirp4netns --copy-up=/etc --copy-up=/run \
1113
--state-dir=/run/user/1001/rootlesskit-containerd \
12-
containerd -c config.toml
14+
sh -c "rm -rf /run/containerd; containerd -c config.toml"
1315
```
1416

1517
* `--net=slirp4netns --copy-up=/etc` is only required when you want to unshare network namespaces
16-
* Depending on the containerd plugin configuration, you may also need to add more `--copy-up` options, e.g. `--copy-up=/run`, which mounts a writable tmpfs on `/run`, with symbolic links to the files under the `/run` on the parent namespace.
18+
* `--copy-up=/DIR` mounts a writable tmpfs on `/DIR` with symbolic links to the files under the `/DIR` on the parent namespace
19+
so that the user can add/remove files under `/DIR` in the mount namespace.
20+
`--copy-up=/etc` and `--copy-up=/run` are needed on typical setup.
21+
Depending on the containerd plugin configuration, you may also need to add more `--copy-up` options.
22+
* `rm -rf /run/containerd` is required for v2 shim as a workaround for [#2767](https://github.com/containerd/containerd/issues/2767).
23+
This command removes the "copied-up" symbolic link to `/run/containerd` on the parent namespace (if exists), which cannot be accessed by non-root users.
24+
The actual `/run/containerd` directory on the host is not affected.
1725
* `--state-dir` is set to a random directory under `/tmp` if unset. RootlessKit writes the PID to a file named `child_pid` under this directory.
1826
* You need to provide `config.toml` with your own path configuration. e.g.
1927
```toml
28+
version = 2
2029
root = "/home/penguin/.local/share/containerd"
2130
state = "/run/user/1001/containerd"
2231

2332
[grpc]
2433
address = "/run/user/1001/containerd/containerd.sock"
25-
26-
[plugins]
27-
[plugins.linux]
28-
runtime_root = "/run/user/1001/containerd/runc"
2934
```
3035

3136
## Client
@@ -39,4 +44,5 @@ $ ctr images pull docker.io/library/ubuntu:latest
3944
$ ctr run -t --rm --fifo-dir /tmp/foo-fifo --cgroup "" docker.io/library/ubuntu:latest foo
4045
```
4146

42-
* `overlayfs` snapshotter does not work inside user namespaces, except on Ubuntu kernel
47+
* `overlayfs` snapshotter does not work inside user namespaces, except on Ubuntu and Debian kernels.
48+
However, [`fuse-overlayfs` snapshotter](https://github.com/AkihiroSuda/containerd-fuse-overlayfs) can be used instead if running kernel >= 4.18.

0 commit comments

Comments
 (0)