rootless-containers / runrootless

Licence: Apache-2.0 License
rootless OCI container runtime with ptrace hacks (No root privileges nor SUID binaries (e.g. newuidmap) are required!)

Programming Languages: go, shell

Projects that are alternatives of or similar to runrootless

ctnr
rootless runc-based container engine - deprecated in favour of podman
Stars: ✭ 30 (-73.68%)
Mutual labels:  oci, runc, rootless-containers, rootless
podman-static
static podman binaries and container image
Stars: ✭ 108 (-5.26%)
Mutual labels:  runc, rootless-containers
Cri O
Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
Stars: ✭ 3,758 (+3196.49%)
Mutual labels:  oci, runc
Img
Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.
Stars: ✭ 3,512 (+2980.7%)
Mutual labels:  runc, rootless
Runtime Spec
OCI Runtime Specification
Stars: ✭ 2,316 (+1931.58%)
Mutual labels:  oci, runc
project-template
Template Files for New OCI Projects
Stars: ✭ 14 (-87.72%)
Mutual labels:  oci, runc
microk8s-kata-containers
Kata Containers with MicroK8s
Stars: ✭ 32 (-71.93%)
Mutual labels:  oci, runc
Cloud-Service-Providers-Free-Tier-Overview
Comparing the free tier offers of the major cloud providers like AWS, Azure, GCP, Oracle etc.
Stars: ✭ 226 (+98.25%)
Mutual labels:  oci
OCI-Rest-APIs-nodejs
Oracle Cloud Infrastructure REST APIs implemented in node.js, with current support for Database and limited Object Storage. More will be added.
Stars: ✭ 18 (-84.21%)
Mutual labels:  oci
terraform-oci-vcn
A reusable and extensible Terraform module that provisions a VCN on Oracle Cloud Infrastructure
Stars: ✭ 22 (-80.7%)
Mutual labels:  oci
sysbox-ee
Sysbox Enterprise-Edition repository. The enterprise version of the open-source Sysbox "runc" runtime (empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs).
Stars: ✭ 42 (-63.16%)
Mutual labels:  rootless-containers
istio
istio official support for arm64 will land since v1.15
Stars: ✭ 168 (+47.37%)
Mutual labels:  oci
rkorova
ld_preload userland rootkit
Stars: ✭ 34 (-70.18%)
Mutual labels:  ptrace
containers by bazel
Container images created with Bazel
Stars: ✭ 32 (-71.93%)
Mutual labels:  oci
sriov
Simple standalone Docker Plugin implementation to demonstrate Clear Containers with SRIOV
Stars: ✭ 25 (-78.07%)
Mutual labels:  runc
cryostat
Secure JDK Flight Recorder management for containerized JVMs
Stars: ✭ 147 (+28.95%)
Mutual labels:  oci
knast
Experimental OCI & CRI-compatible container runtimes for FreeBSD
Stars: ✭ 20 (-82.46%)
Mutual labels:  oci
PRoot
chroot, mount --bind, and binfmt_misc without privilege/setup for Linux
Stars: ✭ 31 (-72.81%)
Mutual labels:  ptrace
go-runc
runc bindings for Go
Stars: ✭ 115 (+0.88%)
Mutual labels:  runc
golang-debugger-book
From a debugger's view, Let's explore the computer world! How does compiler, linker and debugger coordinate with each other around the program written in specific programming language? How does a debugger work? If we develop a debugger for go programming language, we must master go type system, runtime... and some Operating System internals. OK,…
Stars: ✭ 49 (-57.02%)
Mutual labels:  ptrace

runROOTLESS: rootless OCI container runtime with ptrace hacks


Quick start (No root privileges nor SUID binaries are required!)

Install

Requires: Go, runc

user$ go get github.com/rootless-containers/runrootless
user$ $GOPATH/src/github.com/rootless-containers/runrootless/install-proot.sh

A future version should install a pre-built PRoot binary automatically on the first run.

Usage

Create an example Ubuntu bundle:

user$ cd ./examples/ubuntu
user$ ./prepare.sh
user$ ls -1F
config.json
prepare.sh
rootfs/

Make sure the bundle cannot be executed with the regular runc:

user$ runc run ubuntu
rootless containers require user namespaces

Note that even with runc spec --rootless, you cannot execute apt:

user$ rm config.json
user$ runc spec --rootless
user$ sed -i 's/"readonly": true/"readonly": false/' config.json
user$ runc run ubuntu
# apt update
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 100 failed - seteuid (22: Invalid argument)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
Reading package lists... Done
W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (22: Invalid argument)
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 100 failed - seteuid (22: Invalid argument)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (1: Operation not permitted)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)

With runrootless, you can execute apt successfully:

user$ ./prepare.sh
user$ runrootless run ubuntu
# apt update
# apt install -y cowsay
# /usr/games/cowsay hello rootless world
 ______________________
< hello rootless world >
 ----------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Other examples

CentOS:

user$ cd ./examples/centos
user$ ./prepare.sh
user$ runrootless run centos
sh-4.2# yum install -y epel-release
sh-4.2# yum install -y cowsay
sh-4.2# cowsay hello rootless world

Alpine Linux:

user$ cd ./examples/alpine
user$ ./prepare.sh
user$ runrootless run alpine
/ # apk update
/ # apk add fortune
/ # fortune

Arbitrary Docker image:

user$ cd ./examples/docker-image
user$ ./prepare.sh opensuse
user$ runrootless run opensuse
sh-4.3# zypper install cowsay
sh-4.3# cowsay hello rootless world

Arbitrary container image, using skopeo and umoci. umoci and runROOTLESS share emulated chown(2) information via user.rootlesscontainers xattr.

user$ cd ./examples/skopeo-umoci
user$ ./prepare.sh docker://ubuntu
user$ cd umoci-bundle
user$ runrootless run ubuntu

runROOTLESS can also be executed inside a Docker container, but --privileged is still required (opencontainers/runc#1456):

host$ docker run -it --rm --privileged akihirosuda/runrootless
~ $ id
uid=1000(user) gid=1000(user)
~ $ cd ~/examples/ubuntu/
~/examples/ubuntu $ ./prepare.sh
~/examples/ubuntu $ runrootless run ubuntu
#

Environment variables

  • RUNROOTLESS_SECCOMP=1: enable seccomp acceleration (unstable)

How it works

  • Transform a regular config.json into a rootless one, and create a new OCI runtime bundle with it.
  • Bind-mount a static PRoot binary into the container so that apt/yum commands can run.
  • Inject the PRoot binary into process.args.
  • Invoke plain runC.
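The config.json transformation described by the list above, written out as an added Go example (not runrootless's own code): it makes the rootfs writable, maps the unprivileged host uid/gid to root inside a user namespace, bind-mounts a static PRoot binary read-only, and prepends PRoot to process.args. The sample config, the host and container paths of the PRoot binary, and the use of PRoot's -0 (fake root) flag are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleConfig is a constructed, trimmed-down config.json, as `runc spec` might emit it.
const sampleConfig = `{
  "process": {"args": ["sh"], "user": {"uid": 0, "gid": 0}},
  "root": {"path": "rootfs", "readonly": true},
  "mounts": [{"destination": "/proc", "type": "proc", "source": "proc"}],
  "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}]}
}`

// Rootlessify rewrites an OCI config.json along the lines of the "How it works" list.
// Unknown fields are preserved because the document is handled as a generic map.
// prootSrc/prootDst and PRoot's "-0" flag are assumptions of this example, not runrootless's own values.
func Rootlessify(in []byte, hostUID, hostGID int, prootSrc, prootDst string) ([]byte, error) {
	var cfg map[string]interface{}
	if err := json.Unmarshal(in, &cfg); err != nil {
		return nil, err
	}
	section := func(key string) map[string]interface{} { // fetch-or-create a top-level object
		m, _ := cfg[key].(map[string]interface{})
		if m == nil {
			m = map[string]interface{}{}
			cfg[key] = m
		}
		return m
	}
	section("root")["readonly"] = false // package managers need a writable rootfs
	proc := section("process")
	args, ok := proc["args"].([]interface{})
	if !ok || len(args) == 0 {
		return nil, fmt.Errorf("config.json: process.args is missing or empty")
	}
	proc["args"] = append([]interface{}{prootDst, "-0"}, args...) // run the entrypoint under PRoot
	mounts, _ := cfg["mounts"].([]interface{})
	cfg["mounts"] = append(mounts, map[string]interface{}{ // expose the static PRoot binary read-only
		"destination": prootDst, "type": "bind", "source": prootSrc,
		"options": []string{"bind", "ro"},
	})
	linux := section("linux")
	ns, _ := linux["namespaces"].([]interface{})
	linux["namespaces"] = append(ns, map[string]interface{}{"type": "user"}) // required for the mappings below
	linux["uidMappings"] = []map[string]int{{"containerID": 0, "hostID": hostUID, "size": 1}}
	linux["gidMappings"] = []map[string]int{{"containerID": 0, "hostID": hostGID, "size": 1}}
	return json.MarshalIndent(cfg, "", "  ")
}
```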

Known issues

  • apt / dpkg may crash when seccomp acceleration is enabled: #4

Future work

OCI Runtime Hook mode

runROOTLESS could be reimplemented as an OCI Runtime Hook (prestart) that works with an arbitrary OCI Runtime. This would require adding PTRACE_ATTACH support to PRoot, and the YAMA ptrace restrictions would also have to be disabled.

Reimplement PRoot in Go

This is harder than I initially thought...
