New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gVisor unprivileged user can't access file in rootless mode #9918
Comments
./runsc --rootless maps the current user to the root user inside the sandbox. |
Adding to what @avagin said: so if you remove this part from your config.json:
OR set the user to In your usecase, the sandbox is running in a user namespace with UID/GID mappings like |
From podman docs,
You can not use If you do not want to use podman, you have the following optoins:
|
@ayushr2 Thanks for your explanation. I try to use the first method, as step as follows: install newuidmap, newgidmap
I get error at this point: The gofer is try to call setuid(0,0,0) it will failed. Any ideas? |
@ayushr2 I just do some tests. Just as I said in the previous, the gofer process calls
But as we setup a 1000:1000 userns map, this will cause a invalid argument error. This is reasonable as we are 1000 user in the current user ns so we can't call setuid to 0. I then found a commit I realize this is what I want, 'runsc as a non-root user works'. But I can't make it work. |
Yes, to set up the sandbox, the root user needs to be mapped inside the new user namespace. In 595d424, I had tested it with:
In both cases, the container's root user is mapped, so it works. If you want @avagin Am I missing something? |
Let me look into this. It may be an issue with the function you pointed out ( It should not be necessary to map 2 host users for this. Because Podman etc support this use case. |
Yeah this seems like an issue in runsc. For rootless containers, we currently only support running the non-root user as root inside the container's user namespace. This covers the common usecase. But as a result, Podman features like I tried looking into this a bit. I don't have the bandwidth to pursue this right now. But in case someone else is looking at this, here are some pointers:
|
@ayushr2 your second pointer just remind of that whether the non-root process's child which in a new userns will have all full capability. After reading the doc and do some experiment I found the answer is 'yes'. After test, we also need 'Inheritable' caps.
And it just works!
So could you review this and make a more formal(such as tests) patch. Thanks! |
Awesome! I think I had missed the I think the missing piece is, we need to communicate with |
Description
While in rootless mode, the container UID is the same as the UID of running runsc, in the container we can't access the file belongs to the host UID.
I want to know how to achieve this. So that in rootless mode, the unprivileged user can access the host file with the same UID.
Steps to reproduce
using following OCI spec
`test@test-VirtualBox:~/test$ id
uid=1000(test) gid=1000(test) groups=1000(test),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),135(lxd),136(sambashare)
test@test-VirtualBox:~/test$ ./runsc -rootless -root /home/test -ignore-cgroups --network host run abc
touch /home/test/bb
touch: cannot touch '/home/test/bb': Permission denied
`
`{
}
`
runsc version
No response
docker version (if using docker)
No response
uname
No response
kubectl (if using Kubernetes)
No response
repo state (if built from source)
No response
runsc debug logs (if available)
No response
The text was updated successfully, but these errors were encountered: