Description
I try to integrate gVisor with higher level rootless sandboxing tool. Following the documentation at https://gvisor.dev/docs/user_guide/rootless/ I figured out the best way to integrate is to follow 'Method 2: Caller-Configured Userns': the tool setups the user namespace, and starts runsc to run a sandboxed program within the already configured namespace.
This works only when the uid runsc runs inside the namespace is 0. If the caller process (and thus runsc) runs as a non-zero uid in the user namespace, say 1000, runsc assumes it must set up a user namespace itself, and since there is no namespaces entry in config.json, it fails:
running container: creating container: cannot create gofer process: unable to run a rootless container without userns
For the sandboxing program I try to integrate with gVisor, a design goal is to make sandboxed environment as close to the user normal working environment as possible, so preserving the username (and id) in the sandbox is key.
Technically, inside a user namespace there is little difference between uid 0 and any other uid, it is just cosmetic difference, what matters are the capabilities passed to the process, and user namespace setup can pass any capabilites runsc needs also when not using uid 0.
Why not use Method 3 from the documentation 'True runsc Rootless Mode'? This method doesn't support network isolation. Setting up namespace outside of runsc also allows to work around gVisor's lack of overlayfs support. The caller can just configure any required overlayfs mounts in the user namespace before invoking runsc which doesn't need to know that overlayfs is involved.
If I understand correctly, under 'Method 2' runsc isn't really aware it runs within a user namespace. Perhaps to support running with uid != 0, runsc would need to be explicitly informed that it runs within an already configured namespace, so it skips the userns setup.
Does adding support for this seem feasible and in line with gVisor's goals?
Is this feature related to a specific bug?
No response
Do you have a specific solution in mind?
No response
Description
I try to integrate gVisor with higher level rootless sandboxing tool. Following the documentation at https://gvisor.dev/docs/user_guide/rootless/ I figured out the best way to integrate is to follow 'Method 2: Caller-Configured Userns': the tool setups the user namespace, and starts runsc to run a sandboxed program within the already configured namespace.
This works only when the uid runsc runs inside the namespace is 0. If the caller process (and thus runsc) runs as a non-zero uid in the user namespace, say 1000, runsc assumes it must set up a user namespace itself, and since there is no namespaces entry in config.json, it fails:
running container: creating container: cannot create gofer process: unable to run a rootless container without usernsFor the sandboxing program I try to integrate with gVisor, a design goal is to make sandboxed environment as close to the user normal working environment as possible, so preserving the username (and id) in the sandbox is key.
Technically, inside a user namespace there is little difference between uid 0 and any other uid, it is just cosmetic difference, what matters are the capabilities passed to the process, and user namespace setup can pass any capabilites runsc needs also when not using uid 0.
Why not use Method 3 from the documentation 'True runsc Rootless Mode'? This method doesn't support network isolation. Setting up namespace outside of runsc also allows to work around gVisor's lack of overlayfs support. The caller can just configure any required overlayfs mounts in the user namespace before invoking runsc which doesn't need to know that overlayfs is involved.
If I understand correctly, under 'Method 2' runsc isn't really aware it runs within a user namespace. Perhaps to support running with uid != 0, runsc would need to be explicitly informed that it runs within an already configured namespace, so it skips the userns setup.
Does adding support for this seem feasible and in line with gVisor's goals?
Is this feature related to a specific bug?
No response
Do you have a specific solution in mind?
No response