Re: [atomic-devel] how to try combining skopeo+ostree+bwrap-oci

[Giuseppe Scrivano <gscrivan redhat com>]

Hi Muayyad,

Muayyad AlSadi <alsadi gmail com> writes:

> here is my blog post
>
> https://bcksp.blogspot.com/2018/02/diy-docker-using-skopeoostreerunc.html

That is definitely a great blog post!  It is a very good explanation of
how the atomic CLI works for a non root user.


> the error in "bwrap-oci run"
> bwrap-oci: unknown mount type none
> was because of type none in /sys
>
> "mounts": [
> ...
> {
> "destination": "/sys",
> "type": "none",
> "source": "/sys",
> "options": [
> "rbind",
> "nosuid",
> "noexec",
> "nodev",
> "ro"
> ]
> }
>
> but removing it did not solve the problem

The issue you reported is a bug in bwrap-oci.  It fails with an error
caused by the '"type" : "none"' generated by .runc spec --rootless.

Could you please try if this PR solves the problem for you?

  https://github.com/projectatomic/bwrap-oci/pull/17

Another option is to change "none" to "bind" in the configuration file.

In general bwrap-oci is more tolerant than runc with the config.json
configuration.  bwrap-oci takes the freedom of adding the user namespace
even if it is not specified and handle the users mapping inside of the
container (if you need more than one user mapped please take a look at
/etc/subuid and /etc/subgid).  It is designed this way so that the
configuration that works for a system container could to some extend be
used by a non root user in a seamless way.

You should be fine to run the container with the config.json file you
get with "runc spec" without the "--rootless" option.

Please let me know if this works for you.

Regards,
Giuseppe