Unprivileged overlayfs in kernel 5.11, fakeroot without /etc/subuid

Dave Dykstra

Mar 18, 2021, 12:25:00 PM
to singu...@lbl.gov, wlcg-co...@cern.ch
I just attended a talk by Akihiro Suda and learned some things about
recent developments in the rootless containers area. His talk is here:
https://docs.google.com/presentation/d/10jCAX_D_0RfxEYyIcL8q7SAlkqhHGW1ZY8qpBXPyKJY/edit?pli=1#slide=id.gc88261b8f0_1_2

Last month Linux kernel 5.11 was released including support for
overlayfs from unprivileged user namespaces:
https://kernelnewbies.org/Linux_5.11#Unprivileged_Overlayfs_mounts
The work was done by Eric Biederman and Miklos Szeredi of Red Hat so
I think there's a pretty good chance that it will get backported to
Red Hat kernels, at least for RHEL8 if not RHEL7.

Also, kernel 5.0 from March 2019 added seccomp user notification, a new
way to emulate system calls in userspace that's more efficient than
ptrace. It was integrated into the OCI runtime spec two days ago:
https://github.com/opencontainers/runtime-spec/pull/1074
and there's a GitHub repo making a multi-uid container implementation
without needing /etc/subuid and /etc/subgid:
https://github.com/rootless-containers/subuidless

Also somebody else at the talk pointed out this alternate runc
implementation that allows running other container runtimes inside it.
It runs privileged itself I believe, but it claims to fully protect the
host.
https://github.com/nestybox/sysbox

Dave
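The unprivileged overlayfs support the message points at is easy to check for on a given host. The script below is an added example, not code from the post or from any of the projects it links; it assumes util-linux unshare(1) with -U/-r/-m, a writable temp directory, and that unprivileged user namespaces are enabled, and the function and variable names are its own.

```shell
#!/bin/sh
# Added example (not from the post above): probe whether the running kernel
# allows an unprivileged user to mount overlayfs inside a user namespace,
# the Linux 5.11 feature the post mentions.
# Assumptions: util-linux unshare(1) with -U/-r/-m support, a writable
# temp directory, and that user namespaces are enabled for unprivileged
# users. Function and variable names are this example's own.

# kernel_at_least MAJOR MINOR [VERSION]
# Returns 0 if VERSION (default: uname -r) is >= MAJOR.MINOR, else 1.
# Handles distro suffixes such as "5.11.0-27-generic" or "4.18.0-305.el8".
kernel_at_least() {
    want_major=$1
    want_minor=$2
    ver=${3:-$(uname -r)}
    major=${ver%%.*}          # text before the first dot
    rest=${ver#*.}            # text after the first dot
    minor=${rest%%[!0-9]*}    # leading digits of that remainder
    [ "$major" -gt "$want_major" ] && return 0
    [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ] && return 0
    return 1
}

# probe_unpriv_overlay
# Enters a fresh user+mount namespace as an unprivileged user (unshare -Urm
# maps the caller to uid 0 inside it), then tries an overlay mount of three
# scratch directories and reads a file through the merged view.
# Returns 0 when the mount works, 1 when the kernel refuses it (EPERM is the
# usual answer before 5.11, or when unprivileged user namespaces are disabled),
# 2 when the scratch setup itself fails.
probe_unpriv_overlay() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/lower" "$work/upper" "$work/work" "$work/merged" || return 2
    echo lower-file > "$work/lower/f"
    # userxattr: keep overlay metadata under user.overlay.* instead of
    # trusted.overlay.*, since trusted.* xattrs need CAP_SYS_ADMIN in the
    # initial user namespace (option introduced alongside the 5.11 feature).
    if unshare -Urm sh -c "
        mount -t overlay overlay \
          -o userxattr,lowerdir=$work/lower,upperdir=$work/upper,workdir=$work/work \
          $work/merged && cat $work/merged/f" >/dev/null 2>&1
    then
        echo "unprivileged overlayfs mount: OK"
        rm -rf "$work"
        return 0
    fi
    echo "unprivileged overlayfs mount: refused"
    rm -rf "$work"
    return 1
}

# Run the probe only when invoked as: sh probe.sh probe
if [ "${1:-}" = probe ]; then
    if kernel_at_least 5 11; then
        echo "kernel $(uname -r): new enough for unprivileged overlayfs"
    else
        echo "kernel $(uname -r): older than 5.11, expect the mount to be refused"
    fi
    probe_unpriv_overlay
fi
```

Run it as `sh probe.sh probe` from an unprivileged shell. A "refused" verdict on a 5.11 or newer kernel usually means the distribution has turned off unprivileged user namespaces (for example user.max_user_namespaces set to 0), which this probe does not distinguish from an old kernel; check that sysctl before concluding the overlayfs backport is missing.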