Re: [atomic-devel] how to try combining skopeo+ostree+bwrap-oci

[Muayyad AlSadi <alsadi gmail com>]

no, it did not work for me

I've removed the entire mount section

    "mounts": [ ],

I tried to only remove the sys/none item in mounts,

it got stuck (no output, no error message and on another terminal it would be running)

the following

bwrap-oci --dry-run run delme

gives

/usr/bin/bwrap --userns-block-fd FD --as-pid-1 --die-with-parent --bind rootfs / --unshare-pid --unshare-ipc --unshare-uts --unshare-user --unshare-user --cap-drop ALL --cap-add CAP_KILL --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_AUDIT_WRITE --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --tmpfs /tmp --dev-bind /dev/tty /dev/tty --hostname runc --block-fd FD --sync-fd FD --info-fd FD --bind /dev/null /proc/kcore --bind /dev/null /proc/latency_stats --bind /dev/null /proc/timer_list --bind /dev/null /proc/timer_stats --bind /dev/null /proc/sched_debug --bind /dev/null /sys/firmware --bind /dev/null /proc/scsi --ro-bind /proc/asound /proc/asound --ro-bind /proc/bus /proc/bus --ro-bind /proc/fs /proc/fs --ro-bind /proc/irq /proc/irq --ro-bind /proc/sys /proc/sys --ro-bind /proc/sysrq-trigger /proc/sysrq-trigger --remount-ro / sh

which does not work but the following words fine

/usr/bin/bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-pid --unshare-ipc --unshare-uts --unshare-user --unshare-user --cap-drop ALL --cap-add CAP_KILL --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_AUDIT_WRITE --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --tmpfs /tmp --dev-bind /dev/tty /dev/tty --hostname runc --remount-ro / sh

the config is attached

On Sun, Feb 25, 2018 at 2:01 PM, Giuseppe Scrivano <gscrivan redhat com> wrote:

Hi Muayyad,

Muayyad AlSadi <alsadi gmail com> writes:

> here is my blog post
>
> https://bcksp.blogspot.com/2018/02/diy-docker-using-skopeoostreerunc.html

That is definitely a great blog post!  It is a very good explanation of
how the atomic CLI works for a non root user.


> the error in "bwrap-oci run"
> bwrap-oci: unknown mount type none
> was because of type none in /sys
>
> "mounts": [
> ...
> {
> "destination": "/sys",
> "type": "none",
> "source": "/sys",
> "options": [
> "rbind",
> "nosuid",
> "noexec",
> "nodev",
> "ro"
> ]
> }
>
> but removing it did not solve the problem

The issue you reported is a bug in bwrap-oci.  It fails with an error
caused by the '"type" : "none"' generated by .runc spec --rootless.

Could you please try if this PR solves the problem for you?

  https://github.com/projectatomic/bwrap-oci/pull/17

Another option is to change "none" to "bind" in the configuration file.

In general bwrap-oci is more tolerant than runc with the config.json
configuration.  bwrap-oci takes the freedom of adding the user namespace
even if it is not specified and handle the users mapping inside of the
container (if you need more than one user mapped please take a look at
/etc/subuid and /etc/subgid).  It is designed this way so that the
configuration that works for a system container could to some extend be
used by a non root user in a seamless way.

You should be fine to run the container with the config.json file you
get with "runc spec" without the "--rootless" option.

Please let me know if this works for you.

Regards,
Giuseppe

Attachment: config.json
Description: application/json