github.com/lalkh/containerd@v1.4.3/docs/rootless.md

# Running containerd as a non-root user

A non-root user can execute containerd by using [`user_namespaces(7)`](http://man7.org/linux/man-pages/man7/user_namespaces.7.html).

For example, [RootlessKit](https://github.com/rootless-containers/rootlesskit) can be used to set up a user namespace (along with a mount namespace and, optionally, a network namespace). Please refer to the RootlessKit documentation for further information.

See also the [Rootless Docker documentation](https://docs.docker.com/engine/security/rootless/).

## Daemon

```console
$ rootlesskit --net=slirp4netns --copy-up=/etc --copy-up=/run \
  --state-dir=/run/user/1001/rootlesskit-containerd \
  sh -c "rm -f /run/containerd; exec containerd -c config.toml"
```

* `--net=slirp4netns --copy-up=/etc` is only required when you want to unshare network namespaces.
  See the [RootlessKit documentation](https://github.com/rootless-containers/rootlesskit/tree/v0.10.0#network-drivers) for further information about the network drivers.
* `--copy-up=/DIR` mounts a writable tmpfs on `/DIR` with symbolic links to the files under `/DIR` in the parent namespace,
  so that the user can add/remove files under `/DIR` in the mount namespace.
  `--copy-up=/etc` and `--copy-up=/run` are needed on a typical setup.
  Depending on the containerd plugin configuration, you may also need to add more `--copy-up` options.
* `rm -f /run/containerd` removes the "copied-up" symbolic link to `/run/containerd` in the parent namespace (if it exists), which cannot be accessed by non-root users.
  The actual `/run/containerd` directory on the host is not affected.
* `--state-dir` is set to a random directory under `/tmp` if unset. RootlessKit writes the PID to a file named `child_pid` under this directory.
* You need to provide `config.toml` with your own path configuration, e.g.:
  ```toml
  version = 2
  root = "/home/penguin/.local/share/containerd"
  state = "/run/user/1001/containerd"

  [grpc]
    address = "/run/user/1001/containerd/containerd.sock"
  ```
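The daemon setup above, as an added shell example that is not part of the containerd docs or of RootlessKit: it checks the prerequisites a rootless daemon silently depends on (unprivileged user namespaces allowed, a subordinate UID/GID range for the user), writes a `config.toml` with the same layout as the one above for the current UID, and assembles the RootlessKit command. The `ROOTLESS_CONTAINERD_START` switch, the `~/.config/containerd/config.toml` location and the function names are this script's own assumptions; `rootlesskit` and `containerd` are assumed to be on `PATH` only when the daemon is actually started.

```shell
#!/bin/sh
# Added example, not part of the containerd docs: preflight checks and
# config generation for a rootless containerd daemon started via RootlessKit.
# Assumes rootlesskit and containerd are on PATH when the daemon is actually
# started; the ROOTLESS_CONTAINERD_START switch and the config path under
# ~/.config/containerd are this script's own conventions.

# has_subid_range USER FILE
# Succeed (and print the range size) if FILE, normally /etc/subuid or
# /etc/subgid, grants USER a subordinate ID range. RootlessKit needs such a
# range (via newuidmap/newgidmap) to map more than one ID into the user
# namespace, which images containing files owned by several UIDs require.
has_subid_range() {
    user="$1"; file="$2"
    [ -r "$file" ] || return 1
    count=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$file")
    [ -n "$count" ] || return 1
    printf '%s\n' "$count"
}

# userns_enabled [SYSCTL_FILE]
# Succeed if unprivileged user namespaces are allowed, i.e. the kernel's
# user.max_user_namespaces limit is above zero.
userns_enabled() {
    f="${1:-/proc/sys/user/max_user_namespaces}"
    [ -r "$f" ] || return 1
    max=$(cat "$f")
    [ "$max" -gt 0 ] 2>/dev/null
}

# write_containerd_config UID HOME OUT
# Write a config.toml like the one above: root under HOME, state and the
# gRPC socket under /run/user/UID, so nothing lands in root-owned paths.
write_containerd_config() {
    uid="$1"; home="$2"; out="$3"
    cat > "$out" <<EOF
version = 2
root = "$home/.local/share/containerd"
state = "/run/user/$uid/containerd"

[grpc]
  address = "/run/user/$uid/containerd/containerd.sock"
EOF
}

# start_rootless_containerd UID CONFIG
# Assemble the RootlessKit command from the page. The inner rm -f drops the
# copied-up symlink to the host's /run/containerd, which the unprivileged
# user cannot read; the host directory itself is untouched.
start_rootless_containerd() {
    uid="$1"; config="$2"
    state_dir="/run/user/$uid/rootlesskit-containerd"
    exec rootlesskit --net=slirp4netns --copy-up=/etc --copy-up=/run \
        --state-dir="$state_dir" \
        sh -c "rm -f /run/containerd; exec containerd -c $config"
}

# Run with ROOTLESS_CONTAINERD_START=1 to check the prerequisites and start.
if [ "${ROOTLESS_CONTAINERD_START:-0}" = 1 ]; then
    me=$(id -un); uid=$(id -u)
    userns_enabled || { echo "unprivileged user namespaces are disabled" >&2; exit 1; }
    for f in /etc/subuid /etc/subgid; do
        has_subid_range "$me" "$f" >/dev/null ||
            { echo "no subordinate ID range for $me in $f" >&2; exit 1; }
    done
    cfg="$HOME/.config/containerd/config.toml"
    mkdir -p "$(dirname "$cfg")"
    write_containerd_config "$uid" "$HOME" "$cfg"
    start_rootless_containerd "$uid" "$cfg"
fi
```

Sourcing the file only defines the functions; `ROOTLESS_CONTAINERD_START=1 sh rootless-containerd.sh` runs the checks and then `exec`s RootlessKit in place, so the daemon keeps the caller's PID and signals. The subordinate-ID check matters because without a range in `/etc/subuid` and `/etc/subgid` RootlessKit can map only the caller's own UID, and pulling an image whose layers contain files owned by other users then fails at unpack time.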

## Client

A client program such as `ctr` also needs to be executed inside the daemon namespaces.

```console
$ nsenter -U --preserve-credentials -m -n -t $(cat /run/user/1001/rootlesskit-containerd/child_pid)
$ export CONTAINERD_ADDRESS=/run/user/1001/containerd/containerd.sock
$ export CONTAINERD_SNAPSHOTTER=native
$ ctr images pull docker.io/library/ubuntu:latest
$ ctr run -t --rm --fifo-dir /tmp/foo-fifo --cgroup "" docker.io/library/ubuntu:latest foo
```

* The `overlayfs` snapshotter does not work inside user namespaces, except on Ubuntu and Debian kernels.
  However, the [`fuse-overlayfs` snapshotter](https://github.com/AkihiroSuda/containerd-fuse-overlayfs) can be used instead if the running kernel is >= 4.18.
* Enabling cgroups requires cgroup v2 and systemd, e.g. `ctr run --cgroup "user.slice:foo:bar" --runc-systemd-cgroup ...`.
  See also the [runc documentation](https://github.com/opencontainers/runc/blob/v1.0.0-rc92/docs/cgroup-v2.md).
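The client steps above, as an added shell example that is not part of the containerd docs: a `ctr` wrapper that reads the daemon PID RootlessKit wrote to `child_pid`, enters the daemon's user, mount and network namespaces with `nsenter --preserve-credentials` (so the caller stays the same unprivileged user), and picks a snapshotter that works inside a user namespace following the two notes above (overlayfs only on Ubuntu/Debian kernels, fuse-overlayfs on kernel >= 4.18 when that plugin is registered, otherwise native). The `ROOTLESS_CTR` and `FUSE_OVERLAYFS_PLUGIN` switches and the function names are this script's own assumptions; the state-dir and socket paths are the ones used on the page, parameterised by UID.

```shell
#!/bin/sh
# Added example, not part of the containerd docs: enter the rootless daemon's
# namespaces and run ctr with a snapshotter usable inside a user namespace.
# Assumes the daemon was started with RootlessKit as shown above. Whether the
# fuse-overlayfs snapshotter plugin is registered is signalled with the
# script's own FUSE_OVERLAYFS_PLUGIN=1 switch; the wrapper is enabled with
# ROOTLESS_CTR=1 so that sourcing the file only defines functions.

# kernel_at_least MAJOR MINOR [RELEASE]
# Compare a kernel release string (default: uname -r) against MAJOR.MINOR.
kernel_at_least() {
    want_major="$1"; want_minor="$2"; rel="${3:-$(uname -r)}"
    have_major=${rel%%.*}
    case "$rel" in
        *.*) rest=${rel#*.}; have_minor=${rest%%[!0-9]*} ;;
        *)   have_minor=0 ;;
    esac
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then return 0; fi
    return 1
}

# choose_snapshotter RELEASE OS_ID FUSE_PLUGIN
# overlayfs only works in a user namespace on Ubuntu/Debian kernels;
# fuse-overlayfs needs kernel >= 4.18 and the plugin (FUSE_PLUGIN=1);
# native works everywhere but copies layers instead of stacking them.
choose_snapshotter() {
    rel="$1"; os_id="$2"; fuse="$3"
    case "$os_id" in
        ubuntu|debian) echo overlayfs; return 0 ;;
    esac
    if [ "$fuse" = 1 ] && kernel_at_least 4 18 "$rel"; then
        echo fuse-overlayfs
    else
        echo native
    fi
}

# daemon_pid STATE_DIR
# Print the PID RootlessKit wrote to child_pid; fail if the file is missing
# or does not hold a number (daemon not running or state dir wrong).
daemon_pid() {
    pid_file="$1/child_pid"
    [ -r "$pid_file" ] || return 1
    pid=$(cat "$pid_file")
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# rootless_ctr STATE_DIR SOCKET SNAPSHOTTER [ctr args...]
# Join the daemon's user (-U), mount (-m) and network (-n) namespaces without
# changing credentials, export the two ctr variables, and exec ctr.
rootless_ctr() {
    state_dir="$1"; sock="$2"; snap="$3"; shift 3
    pid=$(daemon_pid "$state_dir") ||
        { echo "rootless containerd is not running (no child_pid in $state_dir)" >&2; return 1; }
    exec env CONTAINERD_ADDRESS="$sock" CONTAINERD_SNAPSHOTTER="$snap" \
        nsenter -U --preserve-credentials -m -n -t "$pid" ctr "$@"
}

# Usage: ROOTLESS_CTR=1 sh rootless-ctr.sh images pull docker.io/library/ubuntu:latest
if [ "${ROOTLESS_CTR:-0}" = 1 ]; then
    uid=$(id -u)
    os_id=$(. /etc/os-release 2>/dev/null && printf '%s' "$ID")
    snap=$(choose_snapshotter "$(uname -r)" "$os_id" "${FUSE_OVERLAYFS_PLUGIN:-0}")
    rootless_ctr "/run/user/$uid/rootlesskit-containerd" \
        "/run/user/$uid/containerd/containerd.sock" "$snap" "$@"
fi
```

Validating `child_pid` before handing it to `nsenter -t` is deliberate: a stale or empty state directory otherwise produces a confusing `nsenter` error, and an attacker who could write to the state directory could otherwise point the wrapper at another process, so the directory should stay owned by the user with mode 0700 as RootlessKit creates it.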