+++
title = "Rootless Containers"
weight = 50
+++

umoci has first-class support for [rootless containers][rootlesscontaine.rs],
and in particular it supports rootless unpacking. This means that an
unprivileged user can unpack and repack an image (which is not traditionally
possible for most images), as well as generate a runtime configuration that can
be used by runc to start a rootless container.

{{% notice info %}}
It should be noted that the root filesystem created as an unprivileged user will
likely not match the root filesystem that a privileged user would create. The
reason for this is that there is a set of security restrictions imposed by the
operating system that stop us from creating certain device inodes and set-uid
binaries. umoci will do its best to try to emulate the correct behaviour, and
the runtime configuration generated will further try to emulate the correct
behaviour. umoci also supports the `user.rootlesscontainers` specification,
which allows for further emulation of things like `chown(2)` inside rootless
containers using tools like [`PRoot`][as-proot].

[as-proot]: https://github.com/AkihiroSuda/runrootless
{{% /notice %}}

```text
% id -u
1000
% umoci unpack --rootless --image opensuse:42.2 bundle
   • rootless{usr/bin/ping} ignoring (usually) harmless EPERM on setxattr "security.capability"
   • rootless{usr/bin/ping6} ignoring (usually) harmless EPERM on setxattr "security.capability"
% runc run -b bundle rootless-ctr
bash-4.3# whoami
root
bash-4.3# tee /hostname </proc/sys/kernel/hostname
mrsdalloway
% umoci repack --image opensuse:new bundle
```

{{% notice tip %}}
The above warnings can be safely ignored; they are caused by umoci not having
sufficient privileges in this context. They are output purely to ensure that
users are aware that the root filesystem they get might not be precisely the
same as the one they'd get if they extracted it as a privileged user.
{{% /notice %}}

[rootlesscontaine.rs]: https://rootlesscontaine.rs/
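
The warnings in the session above name each file whose xattr could not be set. As an added example (not part of umoci or its documentation), the following script extracts those paths from `umoci unpack --rootless` output and flags binaries a workload depends on that are missing `security.capability`. It assumes the warning format shown above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not umoci code. Assumes warnings keep the shape shown above:
#   • rootless{PATH} ignoring (usually) harmless EPERM on setxattr "XATTR"
# Paths containing "}" are not handled.

# Sample input: the two warning lines from the session above, plus one
# constructed line that must be ignored.
sample_unpack_log() {
    printf '%s\n' \
        '• rootless{usr/bin/ping} ignoring (usually) harmless EPERM on setxattr "security.capability"' \
        '• rootless{usr/bin/ping6} ignoring (usually) harmless EPERM on setxattr "security.capability"' \
        'unrelated output line (constructed)'
}

# skipped_xattrs: read unpack output on stdin, print "XATTR<TAB>PATH" for
# every xattr umoci reported it could not set.
skipped_xattrs() {
    awk '/EPERM on setxattr/ {
        if (!match($0, /rootless[{][^}]*[}]/)) next
        path = substr($0, RSTART + 9, RLENGTH - 10)
        if (!match($0, /setxattr "[^"]*"/)) next
        printf "%s\t%s\n", substr($0, RSTART + 10, RLENGTH - 11), path
    }' | sort -u
}

# lost_capabilities PATH...: read the same output on stdin, print each listed
# path (relative to the rootfs) that is missing "security.capability", and
# return 1 if any was found so a build script can stop for review.
lost_capabilities() {
    skipped=$(skipped_xattrs | awk -F '\t' '$1 == "security.capability" { print $2 }')
    found=0
    for want in "$@"; do
        want=${want#/}   # accept /usr/bin/ping as well as usr/bin/ping
        if printf '%s\n' "$skipped" | grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
            found=1
        fi
    done
    return "$found"
}

# Demo: ping is flagged, ls is not.
sample_unpack_log | lost_capabilities /usr/bin/ping usr/bin/ls ||
    echo "review: file capabilities were not applied to the paths above" >&2
```

If the warnings are written to standard error, redirect it into the pipe with `2>&1` when feeding real `umoci unpack` output to these functions.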