This PR decomposes `libcontainer/configs.Config.Rootless bool` into `RootlessEUID bool` and
`RootlessCgroups bool`, so as to make "runc-in-userns" more compatible with "rootful" runc.
`RootlessEUID` denotes that runc is being executed as a non-root user (euid != 0) in
the current user namespace. `RootlessEUID` is almost identical to the former `Rootless`
except cgroups stuff.
`RootlessCgroups` denotes that runc is unlikely to have full access to cgroups.
`RootlessCgroups` is set to false if runc is executed as root (euid == 0) in the initial namespace.
Otherwise `RootlessCgroups` is set to true.
(Hint: if `RootlessEUID` is true, `RootlessCgroups` becomes true as well)
When runc is executed as root (euid == 0) in a user namespace (e.g. by Docker-in-LXD, Podman, Usernetes),
`RootlessEUID` is set to false but `RootlessCgroups` is set to true.
So, "runc-in-userns" behaves almost the same as "rootful" runc except that cgroups errors are ignored.
This PR does not have any impact on CLI flags and `state.json`.
Note about CLI:
* Now the `runc --rootless=(auto|true|false)` CLI flag is only used for setting `RootlessCgroups`.
* Now `runc spec --rootless` is only required when `RootlessEUID` is set to true.
For runc-in-userns, `runc spec` without `--rootless` should work, when a sufficient number of
UIDs/GIDs are mapped.
Note about `$XDG_RUNTIME_DIR` (e.g. `/run/user/1000`):
* `$XDG_RUNTIME_DIR` is ignored if runc is being executed as root (euid == 0) in the initial namespace, for backward compatibility.
(`/run/runc` is used)
* If runc is executed as root (euid == 0) in a user namespace, `$XDG_RUNTIME_DIR` is honored if `$USER != "" && $USER != "root"`.
This allows unprivileged users to execute runc as root in a userns, without mounting a writable `/run/runc`.
Note about `state.json`:
* `rootless` is set to true when `RootlessEUID == true && RootlessCgroups == true`.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
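The decision rules in the commit message above, as an added example (this is illustrative code written for this page, not runc's own implementation). It assumes, as runc's userns detection does, that the initial user namespace is recognized by `/proc/self/uid_map` containing exactly the identity mapping `0 0 4294967295`; it also assumes that for a non-root euid `$XDG_RUNTIME_DIR` is honored and must be set, which is the pre-existing rootless behaviour the commit does not restate. The function and type names (`Flags`, `Classify`, `RootDir`, `StateJSONRootless`) are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Flags holds the two booleans that replace the old single Rootless flag.
type Flags struct {
	RootlessEUID    bool // euid != 0 in the current user namespace
	RootlessCgroups bool // runc is unlikely to have full cgroup access
}

// InInitialUserNS reports whether uidMap (the content of /proc/self/uid_map)
// describes the initial user namespace. Assumption, not stated in the commit:
// the initial namespace exposes the single identity mapping "0 0 4294967295".
func InInitialUserNS(uidMap string) bool {
	lines := strings.Split(strings.TrimSpace(uidMap), "\n")
	if len(lines) != 1 {
		return false
	}
	f := strings.Fields(lines[0])
	return len(f) == 3 && f[0] == "0" && f[1] == "0" && f[2] == "4294967295"
}

// Classify derives both flags from the effective uid and the uid_map content.
// Only euid 0 in the initial user namespace gets RootlessCgroups == false,
// so a non-zero euid always implies RootlessCgroups == true.
func Classify(euid int, uidMap string) Flags {
	return Flags{
		RootlessEUID:    euid != 0,
		RootlessCgroups: !(euid == 0 && InInitialUserNS(uidMap)),
	}
}

// StateJSONRootless is the value written to the "rootless" field of state.json.
func StateJSONRootless(f Flags) bool {
	return f.RootlessEUID && f.RootlessCgroups
}

// RootDir selects the state directory from the $XDG_RUNTIME_DIR rules.
// user and xdg are the values of $USER and $XDG_RUNTIME_DIR. The non-root
// branch (honor $XDG_RUNTIME_DIR, fail if it is unset) is an assumption about
// the pre-existing rootless behaviour; the commit only describes the root cases.
func RootDir(f Flags, inInitialNS bool, user, xdg string) (string, error) {
	const legacy = "/run/runc"
	switch {
	case !f.RootlessEUID && inInitialNS:
		// root in the initial namespace: ignore $XDG_RUNTIME_DIR for compatibility
		return legacy, nil
	case !f.RootlessEUID:
		// root inside a userns: honor $XDG_RUNTIME_DIR only for a non-root $USER
		if user != "" && user != "root" && xdg != "" {
			return xdg + "/runc", nil
		}
		return legacy, nil
	default:
		// non-root euid: assumed to require $XDG_RUNTIME_DIR
		if xdg == "" {
			return "", errors.New("XDG_RUNTIME_DIR must be set for a non-root euid")
		}
		return xdg + "/runc", nil
	}
}

func main() {
	uidMap, err := os.ReadFile("/proc/self/uid_map")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read uid_map:", err)
		os.Exit(1)
	}
	f := Classify(os.Geteuid(), string(uidMap))
	fmt.Printf("RootlessEUID=%v RootlessCgroups=%v state.json rootless=%v\n",
		f.RootlessEUID, f.RootlessCgroups, StateJSONRootless(f))
	dir, err := RootDir(f, InInitialUserNS(string(uidMap)),
		os.Getenv("USER"), os.Getenv("XDG_RUNTIME_DIR"))
	if err != nil {
		fmt.Println("root dir: error:", err)
		return
	}
	fmt.Println("root dir:", dir)
}
```

Running it as root on the host prints both flags false and `/run/runc`; running it as root inside an unprivileged user namespace (for example under `unshare -Ur` with `USER` set to a non-root name) flips `RootlessCgroups` to true while `state.json rootless` stays false, which is exactly the "runc-in-userns" case the commit singles out.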
This enables the support for the rootless container mode. There are many
restrictions on what rootless containers can do, so many different runC
commands have been disabled:
* runc checkpoint
* runc events
* runc pause
* runc ps
* runc restore
* runc resume
* runc update
The following commands work:
* runc create
* runc delete
* runc exec
* runc kill
* runc list
* runc run
* runc spec
* runc state
In addition, any specification options that imply joining cgroups have
also been disabled. This is due to support for unprivileged subtree
management not being available from Linux upstream.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
the `-p pidlist` flag of `ps` command selects the process whose process
ID numbers appear in `pidlist`.[1]
This patch uses `-p pidlist` to filter the processes we want.
[1]: http://man7.org/linux/man-pages/man1/ps.1.html
Signed-off-by: Wang Long <long.wanglong@huawei.com>
Currently, the ps command does not support arguments:
(But the following usage is in the manual)
| # ./runc ps 123 -ef
| Incorrect Usage.
|
| NAME:
| runc ps - ps displays the processes running inside a container
|
| USAGE:
| runc ps [command options] <container-id> [ps options]
|
| OPTIONS:
| --format value, -f value select one of: table or json
|
| flag provided but not defined: -ef
| #
Instead of using an odd command like:
| # ./runc ps -- 123 -ef
We can make it seem a little better:
| # ./runc ps 123 -- -ef
| UID PID PPID C STIME TTY TIME CMD
| root 29046 29038 0 11:18 pts/2 00:00:00 sh
| #
This patch also fixes the manual, which does not work with the current
code.
Closes #788
Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
The "ps options" argument of the ps command is an optional parameter.
Should use [] instead of <> in the manual.
Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
This patch adds a manual for the ps command, and removes the example
for --format, which is not necessary.
Suggested-by: Aleksa Sarai <asarai@suse.de>
Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>