docs: Run userns example in /tmp

This simplifies the permissions. If it's run in the home directory, some distros
create the /home/user dir with permissions for the owner only, but we
need +x permissions for others (technically for the host user the container
is mapped to, but that is more tricky in this example).

/tmp has the right permissions already, so let's just do the example
there.

While we are there, I just copied the two commands from the runc doc to
create the rootfs, instead of linking there. Also, I changed the
config.json to include the right path, now that it is known.

Having the path fixed makes sure users can't make a mistake when setting
it. This was the cause of #11575 (they were not setting the rootfs as an
absolute path, as documented).

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Rodrigo Campos
2025-04-24 12:40:17 +02:00
parent 882b1903cc
commit ce73e1b3e9
2 changed files with 22 additions and 6 deletions


@@ -157,14 +157,32 @@ overlay on / type overlay (rw,relatime,lowerdir=/tmp/ovl-idmapped823885363/0,upp
You can also create a container with user namespaces using `ctr`. This is more low-level, be warned.
Create an OCI bundle as explained [here][runc-bundle]. Then, change the UID/GID to 65536:
Create a directory where we will work:
```sh
mkdir -p /tmp/userns-test
cd /tmp/userns-test
```
Please note that we will need +x permissions to all components in the path to the rootfs (like
`/tmp` and `/tmp/rootfs`). So, it's recommended to do this inside `/tmp`, as that will have the
right permissions.
Create an OCI bundle:
```sh
# create the rootfs directory
mkdir rootfs
# export busybox via Docker into the rootfs directory
docker export $(docker create busybox) | tar -C rootfs -xvf -
# adjust the permissions
sudo chown -R 65536:65536 rootfs/
```
Copy [this config.json](./config.json) and replace `XXX-path-to-rootfs` with the
**absolute path** to the rootfs you just chowned.
Copy [this config.json](./config.json) to `/tmp/userns-test`. Please note the process.root.path
field in the config.json it's pointing to the rootfs we just created. This **needs to be an
absolute path**.
Then create and start the container with:
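Review bot: the field name in the new config.json paragraph is wrong: the OCI runtime config keeps `path` under the top-level `root` object (exactly what the config.json hunk in this commit shows, `"root": { "path": "/tmp/userns-test/rootfs" }`), so it should read `root.path`, not `process.root.path`; while there, "it's pointing" should be "is pointing". It would also help to tell readers that `/tmp/userns-test` must not already exist before they run the commands, because `mkdir -p` inside the world-writable `/tmp` succeeds silently on a directory that another local user created, and the rootfs would then be extracted and chowned under a path that user controls.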
@@ -182,5 +200,3 @@ root@runc:/# cat /proc/self/uid_map
```
The output should be exactly the same.
[runc-bundle]: https://github.com/opencontainers/runc#creating-an-oci-bundle
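Review bot: if the "Create an OCI bundle as explained [here][runc-bundle]" sentence is indeed replaced by the inline bundle steps in the first hunk, the `[runc-bundle]` link definition kept here no longer has any reference pointing at it; either drop the definition or keep a short pointer to the runc documentation for readers who want the background on OCI bundles.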


@@ -51,7 +51,7 @@
"noNewPrivileges": true
},
"root": {
"path": "XXX-path-to-rootfs"
"path": "/tmp/userns-test/rootfs"
},
"hostname": "runc",
"mounts": [
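Review bot: pinning `root.path` to `/tmp/userns-test/rootfs` does remove the `XXX-path-to-rootfs` placeholder that led to #11575, but it also ties the shipped config.json to a fixed location under a world-writable directory, and JSON cannot carry a comment saying so; the markdown should make explicit that this value must match where the reader actually created and chowned the rootfs, and that anyone working in a different directory has to edit this one field, so the example never silently runs a rootfs at that path that the reader did not set up themselves.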