This simplifies the permissions. If it's run in the home directory, some distros
create /home/user with permissions for the owner only, but we
need +x permissions for others (technically for the host user the container
is mapped to, but that is more tricky in this example).
/tmp has the right permissions already, so let's just do the example
there.
While we are there, I just copied the two commands from the runc doc to
create the rootfs, instead of linking there. Also, I changed the
config.json to include the right path, now that it is known.
Having the path fixed makes sure users can't make a mistake when setting
it. This was the cause of #11575 (they were not setting the rootfs as an
absolute path, as documented).
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
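The two failure modes this commit message describes (a relative rootfs path in config.json, and a parent directory such as /home/user that is not searchable by the unprivileged host uid the container is mapped to) can be caught before the runtime is ever invoked. The following POSIX sh script is an added example, not part of the containerd PR or its documentation; the function names and the constructed directories under /tmp are assumptions for illustration. It only reads permission bits via `ls -ld`, so it works the same whether or not it is run as root.

```shell
#!/bin/sh
# Added example (not the project's code): sanity-check a rootfs path before
# writing it into config.json. Two properties matter for a user-namespaced
# container: the path must be absolute (the cause of #11575), and every
# directory from / down to the rootfs must carry o+x, because the runtime
# walks that path as an unrelated, unprivileged host uid after it joins the
# user namespace.

# other_has_x DIR: 0 if "others" can search DIR. Column 10 of `ls -ld` is the
# other-execute bit: 'x' (or 't' for a sticky dir such as /tmp) means set.
other_has_x() {
    case $(ls -ld "$1" | cut -c10) in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# dirs_searchable_by_others PATH: walks PATH up to / and reports the first
# component that is not searchable by others.
dirs_searchable_by_others() {
    dir=$1
    while [ -n "$dir" ] && [ "$dir" != "/" ]; do
        if ! other_has_x "$dir"; then
            echo "missing o+x on: $dir" >&2
            return 1
        fi
        dir=$(dirname "$dir")
    done
    return 0
}

# check_rootfs_path PATH
#   exit 0 = usable as config.json "root.path"
#   1 = not absolute, 2 = not a directory, 3 = an ancestor lacks o+x
check_rootfs_path() {
    case $1 in
        /*) ;;
        *)  echo "rootfs path must be absolute (got '$1')" >&2; return 1 ;;
    esac
    [ -d "$1" ] || { echo "rootfs '$1' is not a directory" >&2; return 2; }
    dirs_searchable_by_others "$1" || return 3
}

# Demo with constructed directories under /tmp (1777 on Linux, so o+x holds).
# mktemp -d creates the base 0700, reproducing the /home/user situation.
demo() {
    base=$(mktemp -d /tmp/rootfs-check.XXXXXX)
    mkdir "$base/rootfs"
    check_rootfs_path "$base/rootfs" || echo "rejected (rc=$?) as expected"
    chmod 711 "$base"                # o+x alone on the parent is sufficient
    check_rootfs_path "$base/rootfs" && echo "ok: $base/rootfs"
    rm -rf "$base"
}

case "${1-}" in demo) demo ;; esac
```

Run it as `sh check-rootfs.sh demo` to see both the rejected and the accepted case; in a real workflow you would call `check_rootfs_path` on the value you are about to place in `root.path` and refuse to generate config.json when it fails.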
While we are there, bash should not be the process; it should be sh. In
the bare-bones image used in the example, bash is not present (or not
present anymore?).
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
crun 1.4.3 as well as runc 1.1 both support opening bind-mounts before
dropping privileges, as they are inaccessible after switching to the
user namespace. So that is the minimum version to use with containerd
1.7.
Also, since containerd 2.0 we use idmap mounts for files mounted in the
container created by containerd (like etc/hostname, etc/hosts, etc.), so
in that case we require newer OCI runtimes too. However, as the kubelet
doesn't request idmap mounts for kube volumes, we can lower the kernel
version.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>