runc: Missing pieces running rootless containers on RHEL 7.4 + Documentation
Running containers in a rootless manner isn't as straightforward on RHEL 7.4 as I expected. I am willing to write some extra documentation about getting rootless containers up and running on RHEL 7.4 if I can find the last piece of information on how to solve the issue I have.
How to reproduce:
- Provision a node and install a clean RHEL 7.4
- Install the latest runc (1.0.0-rc5)
- Make some adjustments to the kernel to enable user namespaces:
  namespace.unpriv_enable=1 user_namespace.enable=1
- Change the settings to allow creating user namespaces:
  echo "user.max_user_namespaces=15000" | sudo tee -a /etc/sysctl.conf
- Run the runc test script to check if we are all good @ https://github.com/opencontainers/runc/blob/master/script/check-config.sh
- Create a rootless container using the instructions @ https://github.com/opencontainers/runc/blob/master/README.md#rootless-containers
  runc --root /tmp/runc run mycontainerid
I got an error:
container_linux.go:348: starting container process caused "process_linux.go:301: running exec setns process for init caused \"exit status 47\""
I think I'm close. Anyone having a clue what I'm missing? I also disabled SELinux to be sure.
If I get this working, I will change the documentation and test script to make sure all RHEL users can experience the awesome power of rootless containers!
About this issue
- State: closed
- Created 6 years ago
- Comments: 17 (10 by maintainers)
newuidmap and newgidmap will be in the RHEL 7.7 version of shadow-utils.
Also there is @vbatts's newxidmap RPM and doc: https://copr.fedorainfracloud.org/coprs/vbatts/shadow-utils-newxidmap/
@davidMcneil We are working to get these packaged and shipping in RHEL 7, but they come from a newer shadow-utils package, which the maintainers do not want to backport to RHEL 7 because it is too risky. We are working on a mechanism to ship the two binaries in a separate package, but this is still being negotiated.
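The reproduction steps in the original post and the maintainers' point about newuidmap/newgidmap together describe a set of host prerequisites for rootless runc on RHEL 7. The script below is an added example, not runc's check-config.sh and not code from anyone in this thread: a POSIX sh preflight check for those prerequisites. The function names, the `--run` flag and the 65536-id threshold for /etc/subuid and /etc/subgid ranges are my own choices; each check takes its input as an argument so it can be pointed at the live host or at constructed sample data.

```shell
#!/bin/sh
# Added example (not from the runc project or this issue's authors): preflight
# checks for running rootless runc on RHEL 7. All helper names below are
# assumptions made for this example.

# Return 0 if a kernel command line enables unprivileged user namespaces.
# RHEL 7 kernels ship with them off and need both parameters from the issue.
kernel_cmdline_ok() {
    case " $1 " in
        *" namespace.unpriv_enable=1 "*)
            case " $1 " in *" user_namespace.enable=1 "*) return 0 ;; esac ;;
    esac
    return 1
}

# Return 0 if the user.max_user_namespaces value given as $1 allows creating
# user namespaces at all; RHEL 7 defaults to 0, so unshare/clone fail.
max_user_ns_ok() {
    [ "$1" -gt 0 ] 2>/dev/null
}

# Return 0 if FILE ($1, /etc/subuid or /etc/subgid format name:start:count)
# gives USER ($2) a range of at least 65536 ids. newuidmap/newgidmap only
# write mappings that fall inside these ranges; 65536 is the common size
# used for a full container id space (assumption for this example).
subid_range_ok() {
    file=$1; user=$2
    awk -F: -v u="$user" '$1 == u && $3 >= 65536 { found = 1 }
                          END { exit found ? 0 : 1 }' "$file"
}

# Return 0 if $1 exists, is executable and is setuid root, which is how
# newuidmap/newgidmap must be installed to write multi-entry uid/gid maps
# for an unprivileged caller.
setuid_helper_ok() {
    [ -x "$1" ] && [ -u "$1" ] && [ "$(stat -c %u "$1")" = "0" ]
}

# Run every check against the live host; print each failure and return 1 if
# any prerequisite is missing. The kernel command line check only applies to
# RHEL 7 kernels, where user namespaces are disabled by default.
preflight() {
    rc=0
    kernel_cmdline_ok "$(cat /proc/cmdline)" \
        || { echo "FAIL: kernel cmdline lacks namespace.unpriv_enable=1 user_namespace.enable=1"; rc=1; }
    max_user_ns_ok "$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)" \
        || { echo "FAIL: user.max_user_namespaces is 0 or unavailable"; rc=1; }
    for helper in newuidmap newgidmap; do
        p=$(command -v "$helper" 2>/dev/null)
        setuid_helper_ok "${p:-/nonexistent}" \
            || { echo "FAIL: $helper missing or not setuid root"; rc=1; }
    done
    me=$(id -un)
    subid_range_ok /etc/subuid "$me" || { echo "FAIL: no usable /etc/subuid range for $me"; rc=1; }
    subid_range_ok /etc/subgid "$me" || { echo "FAIL: no usable /etc/subgid range for $me"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: rootless runc prerequisites present"
    return "$rc"
}

# Usage: sh preflight.sh --run   (sourcing the file only defines the functions)
if [ "$1" = "--run" ]; then
    preflight
fi
```

Running it with `--run` on the host from the issue would list which of the prerequisites is absent before `runc run` is attempted; a single-mapping rootless container (one uid and one gid mapped, no newuidmap) does not need the subuid/subgid and setuid checks to pass, so those failures should be read in light of how the container's uid/gid mappings are configured.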