Rootless mode (Experimental)
Requirements:
- runc ecd55a4135e0a26de884ce436442914f945b1e76 (May 30, 2018) or later
- Some distros such as Debian and Arch Linux ship with unprivileged user namespaces disabled and require `echo 1 > /proc/sys/kernel/unprivileged_userns_clone` (this is a host-wide sysctl, not a per-user setting)
- `newuidmap` and `newgidmap` need to be installed on the host. These commands are provided by the `uidmap` package.
- `/etc/subuid` and `/etc/subgid` should contain >= 65536 sub-IDs for the user, e.g. `penguin:231072:65536`
- To run in a Docker container with a non-root `USER`, `docker run --privileged` is still required. See also Jessie's blog: https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/
Set up
Setting up rootless mode by hand requires the somewhat tedious steps below; rootlesskit can automate them.
Terminal 1:
$ unshare -U -m
unshared$ echo $$ > /tmp/pid
Unsharing mountns (and userns) is required for mounting filesystems without real root privileges.
Terminal 2:
$ id -u
1001
$ grep $(whoami) /etc/subuid
penguin:231072:65536
$ grep $(whoami) /etc/subgid
penguin:231072:65536
$ newuidmap $(cat /tmp/pid) 0 1001 1 1 231072 65536
$ newgidmap $(cat /tmp/pid) 0 1001 1 1 231072 65536
Terminal 1:
unshared# buildkitd
- The data dir will be set to /home/penguin/.local/share/buildkit
- The address will be set to unix:///run/user/1001/buildkit/buildkitd.sock
- The overlayfs snapshotter is not supported except on Ubuntu-flavored kernels: http://kernel.ubuntu.com/git/ubuntu/ubuntu-artful.git/commit/fs/overlayfs?h=Ubuntu-4.13.0-25.29&id=0a414bdc3d01f3b61ed86cfe3ce8b63a9240eba7
- The containerd worker is not supported (pending PR: https://github.com/containerd/containerd/pull/2006)
- Network namespace is not used at the moment.
Terminal 2:
$ go get ./examples/build-using-dockerfile
$ build-using-dockerfile --buildkit-addr unix:///run/user/1001/buildkit/buildkitd.sock -t foo /path/to/somewhere
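The script below is an added example and is not part of BuildKit or rootlesskit. It turns the Requirements list and the `newuidmap`/`newgidmap` step above into checks you can run before starting `buildkitd`: it sums the sub-ID ranges a user owns in `/etc/subuid` and `/etc/subgid` (a user may have more than one line), verifies the `uidmap` tools and the `unprivileged_userns_clone` sysctl, and, given the same `inner outer length` triples passed to `newuidmap`, shows which host ID a namespace ID lands on. The 65536 threshold, file paths and the example mapping `0 1001 1 1 231072 65536` are taken from this page; the function names are my own.

```shell
#!/bin/sh
# Preflight checks for the manual rootless setup described above.
# Added example; not BuildKit or rootlesskit code.

# subid_total FILE USER
#   Print the total number of sub-IDs allocated to USER in FILE
#   (/etc/subuid or /etc/subgid, format user:start:count). Several
#   ranges for the same user are summed; an unknown user yields 0.
subid_total() {
    awk -F: -v u="$2" '$1 == u { total += $3 } END { print total + 0 }' "$1"
}

# subid_ok FILE USER
#   Succeed when USER owns at least the 65536 sub-IDs the page requires.
subid_ok() {
    [ "$(subid_total "$1" "$2")" -ge 65536 ]
}

# map_id INNER_ID INNER_START OUTER_START LENGTH [INNER_START OUTER_START LENGTH ...]
#   Resolve the host ID that INNER_ID maps to under the same triples that
#   are passed to newuidmap/newgidmap. Prints nothing and fails when
#   INNER_ID is outside every range (such an ID shows up as nobody/overflow).
map_id() {
    inner=$1; shift
    while [ $# -ge 3 ]; do
        in_start=$1; out_start=$2; len=$3; shift 3
        if [ "$inner" -ge "$in_start" ] && [ "$inner" -lt $((in_start + len)) ]; then
            echo $((out_start + inner - in_start))
            return 0
        fi
    done
    return 1
}

# userns_clone_ok
#   Succeed when unprivileged user namespaces are enabled. The sysctl only
#   exists on Debian/Arch-style kernels; when the file is absent the kernel
#   does not gate userns that way, so it is treated as enabled.
userns_clone_ok() {
    f=/proc/sys/kernel/unprivileged_userns_clone
    [ ! -e "$f" ] || [ "$(cat "$f")" = 1 ]
}

# idmap_tools_ok
#   Succeed when newuidmap and newgidmap (uidmap package) are on PATH.
idmap_tools_ok() {
    command -v newuidmap >/dev/null 2>&1 && command -v newgidmap >/dev/null 2>&1
}

# preflight USER
#   Run every check against the real host and report what is missing.
preflight() {
    rc=0
    userns_clone_ok || { echo "unprivileged_userns_clone is 0: echo 1 > /proc/sys/kernel/unprivileged_userns_clone"; rc=1; }
    idmap_tools_ok || { echo "newuidmap/newgidmap not found: install the uidmap package"; rc=1; }
    subid_ok /etc/subuid "$1" || { echo "/etc/subuid: fewer than 65536 sub-UIDs for $1"; rc=1; }
    subid_ok /etc/subgid "$1" || { echo "/etc/subgid: fewer than 65536 sub-GIDs for $1"; rc=1; }
    return $rc
}

# Only touch the real host when a user name is given, e.g.:
#   sh preflight.sh "$(whoami)"
if [ $# -gt 0 ]; then
    preflight "$1" && echo "host is ready for rootless buildkitd"
fi
```

With the mapping from the Terminal 2 step, `map_id 0 0 1001 1 1 231072 65536` prints 1001 (root inside the namespace is the unprivileged user outside), `map_id 1 ...` prints 231072, and `map_id 65537 ...` fails because the 65536-entry range ends at inner ID 65536; any file owned by an unmapped ID appears as nobody inside the namespace.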
Set up (using a container)
$ docker build -t buildkit-rootless --target rootless -f hack/dockerfiles/test.Dockerfile .
$ docker run --name buildkitd -d --privileged -p 1234:1234 buildkit-rootless --addr tcp://0.0.0.0:1234
docker run requires --privileged, but the BuildKit daemon itself is executed as a normal user inside the container. Note that --privileged still hands the container all capabilities and device access, so the unprivileged daemon is the only boundary that remains in effect there.
See moby/moby#36597 (https://github.com/moby/moby/issues/36597), kubernetes/community#1934 and Jess's blog for the ongoing work to remove this requirement.
$ docker exec buildkitd id
uid=1000(user) gid=1000(user)
$ docker exec buildkitd ps aux
PID USER TIME COMMAND
1 user 0:00 rootlesskit buildkitd --addr tcp://0.0.0.0:1234
13 user 0:00 /proc/self/exe buildkitd --addr tcp://0.0.0.0:1234
21 user 0:00 buildkitd --addr tcp://0.0.0.0:1234
29 user 0:00 ps aux
$ go get ./examples/build-using-dockerfile
$ build-using-dockerfile --buildkit-addr tcp://127.0.0.1:1234 -t foo /path/to/somewhere