oci: Add --fakeroot support to --oci mode #1135
Merged
Description of the Pull Request (PR):

Implements initial `--fakeroot` support for `--oci` mode. Mirrors behavior with `--compat` / `--contain`.

The process of accomplishing this is fairly complex. In theory, we should be able to call `crun` directly from host namespaces. We can let `crun` create a default userns and user mapping, or be able to request arbitrary explicit uid mappings (permitted by /etc/subuid /etc/subgid) to be applied. Unfortunately this can hit bugs as this path is not well tested in `crun`. See e.g.

To avoid requiring the very latest `crun` with fixes, instead move to creating a userns ourselves, with a 'fakeroot' ID mapping in place, and call `crun` from that. This is the kind of flow implemented in other runtimes that call `crun`, such as `podman`... so `crun` is well tested with it.

We can use the singularity `starter` with the `fakeroot` engine, and a minimal config, to create the userns and id mapping. We already use it this way to perform a simple `rm` cleanup in `--fakeroot` execution of a native singularity container. This approach avoids having to implement further C/Go executables, or making large imports, such as the `reexec` + `unshare` packages from `github.com/containers/storage`.

We are now, by default, calling `crun` or `runc` with a `fakeroot` setup... with host uid/gid mapped to 0 inside the userns. This is the default for most OCI runtimes; however, the singularity default is to preserve the host id. We need to have (fake) root inside the userns for `crun`/`runc` to work properly... so to return to the host uid in the container we insert an inner user namespace / ID mapping request into the bundle `config.json`. This reverses the mapping, i.e.

I've added a README.md in this PR, as things are rather complex:
https://github.com/sylabs/singularity/blob/9680663bb1eccbfade2de9f639e1e4be49ffb3bf/internal/pkg/runtime/launcher/oci/README.md

Note that there are likely still some rough edges, and the oci launcher package is getting toward the point where it should be split, but I don't want to add too much more to this single review.
This fixes or addresses the following GitHub issues:
Before submitting a PR, make sure you have done the following:

`make check` and tested this PR locally with a `make test`, and `make testall` if possible (see CONTRIBUTING.md).
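The inner ID-mapping step the PR description outlines, as an added example that is not the PR's or Singularity's own code: it builds the `linux.namespaces` / `linux.uidMappings` / `linux.gidMappings` entries in a bundle `config.json` that ask the runtime for a nested user namespace, mapping ID 0 in the fakeroot userns back to the original host uid/gid, and then composes the outer (fakeroot) and inner mappings to confirm the round trip. The struct types are a hand-written subset of the OCI runtime spec assumed for this example, the function names are this example's own, and the sample IDs (1000) are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal subset of the OCI runtime-spec config.json "linux" section used in
// this example. These structs are an assumption made here; the real
// definitions live in github.com/opencontainers/runtime-spec/specs-go.
type IDMapping struct {
	ContainerID uint32 `json:"containerID"`
	HostID      uint32 `json:"hostID"`
	Size        uint32 `json:"size"`
}

type Namespace struct {
	Type string `json:"type"`
	Path string `json:"path,omitempty"`
}

type Linux struct {
	Namespaces  []Namespace `json:"namespaces"`
	UIDMappings []IDMapping `json:"uidMappings,omitempty"`
	GIDMappings []IDMapping `json:"gidMappings,omitempty"`
}

type Spec struct {
	OCIVersion string `json:"ociVersion"`
	Linux      *Linux `json:"linux,omitempty"`
}

// OuterFakerootMapping describes the userns created before the runtime is
// invoked: the real host ID is mapped to 0 inside it.
func OuterFakerootMapping(hostID uint32) []IDMapping {
	return []IDMapping{{ContainerID: 0, HostID: hostID, Size: 1}}
}

// AddInnerUserNS asks the runtime for a further user namespace whose single
// mapping reverses the fakeroot mapping: ID 0 in the outer namespace becomes
// the original host ID for the container process. It refuses to stack a second
// request onto a bundle that already asks for a user namespace.
func AddInnerUserNS(spec *Spec, hostUID, hostGID uint32) error {
	if spec.Linux == nil {
		spec.Linux = &Linux{}
	}
	for _, ns := range spec.Linux.Namespaces {
		if ns.Type == "user" {
			return errors.New("bundle config already requests a user namespace")
		}
	}
	spec.Linux.Namespaces = append(spec.Linux.Namespaces, Namespace{Type: "user"})
	spec.Linux.UIDMappings = []IDMapping{{ContainerID: hostUID, HostID: 0, Size: 1}}
	spec.Linux.GIDMappings = []IDMapping{{ContainerID: hostGID, HostID: 0, Size: 1}}
	return nil
}

// MapIntoNamespace translates an ID from the parent namespace into the child
// namespace described by mappings, the same lookup the kernel performs from
// /proc/<pid>/uid_map. The second result is false when the ID is unmapped
// (the kernel would then report the overflow ID, 65534).
func MapIntoNamespace(mappings []IDMapping, parentID uint32) (uint32, bool) {
	for _, m := range mappings {
		if parentID >= m.HostID && parentID < m.HostID+m.Size {
			return m.ContainerID + (parentID - m.HostID), true
		}
	}
	return 0, false
}

// EffectiveUID composes the two namespaces: host -> outer (fakeroot) -> inner.
// With no inner user namespace requested, the process stays in the fakeroot
// namespace and sees the outer ID (0).
func EffectiveUID(spec *Spec, hostUID uint32) (uint32, error) {
	outerID, ok := MapIntoNamespace(OuterFakerootMapping(hostUID), hostUID)
	if !ok {
		return 0, fmt.Errorf("uid %d is not mapped into the fakeroot namespace", hostUID)
	}
	if spec.Linux == nil || len(spec.Linux.UIDMappings) == 0 {
		return outerID, nil
	}
	innerID, ok := MapIntoNamespace(spec.Linux.UIDMappings, outerID)
	if !ok {
		return 0, fmt.Errorf("uid %d is not mapped into the inner namespace", outerID)
	}
	return innerID, nil
}

func main() {
	// Constructed sample bundle and IDs.
	spec := &Spec{OCIVersion: "1.0.2", Linux: &Linux{Namespaces: []Namespace{{Type: "mount"}, {Type: "pid"}}}}
	const hostUID, hostGID = 1000, 1000
	if err := AddInnerUserNS(spec, hostUID, hostGID); err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(spec, "", "  ")
	fmt.Println(string(out))
	uid, _ := EffectiveUID(spec, hostUID)
	fmt.Printf("host uid %d -> fakeroot 0 -> container uid %d\n", hostUID, uid)
}
```

Because the inner mapping only covers ID 0, any other ID the outer namespace exposes is unmapped in the inner one; that is the property to check when a bundle carries its own `uidMappings`, which is why the example refuses to add a second user namespace request rather than merging them.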