Issue 690206

Issue metadata

Status: Verified
Closed: Nov 2017
Components: OS>Systems>Containers
OS: Chrome
Pri: 3
Type: Bug

libcontainer: allow running container as non-root

Project Member Reported by smbar...@chromium.org, Feb 8 2017

Issue description

We should be able to start a container as a normal user (chronos), and run with an identity mapping in the container. This is complicated by only being able to map one UID/GID at a time, but should be doable by doing setup as container_root, unsharing, and mapping IDs a second time.

Context: https://chromium-review.googlesource.com/c/437714/#message-2986204cc547ec9174b31398ef29ae9442f320b8
 
I spent some time trying to get things running with minijail mapping a single UID but it's pretty unpleasant. The parent/child need another sync point, and I haven't yet gotten a way for the parent to assign the uid_map of the child after it enters its second namespace.

I think the parent will have to grab an fd for the child's namespace before it unshares again, then setns() so it will actually be able to write the inner uid_map.
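
As an added illustration of the two-stage approach described above (example code, not libcontainer's or minijail's): an unprivileged parent forks a child that unshares a user namespace (ns1), writes "0 <uid> 1" into the child's uid_map so the child becomes container_root, and opens /proc/<child>/ns/user before letting the child unshare a second user namespace (ns2). The kernel only accepts a uid_map write from a process that is in the target namespace or in its immediate parent (user_namespaces(7)), so the parent cannot write ns2's map from the initial namespace; instead a forked helper setns()es into ns1 through the saved fd and writes "<uid> 0 1", which makes uid <uid> inside ns2 equal to uid 0 in ns1, which is uid <uid> on the host, i.e. the identity mapping the issue asks for. The pipe handshake, the exit codes and the DEMO_* return values are this example's own conventions, and on kernels or sandboxes that refuse unprivileged user namespaces the demo reports that instead of failing.

```c
/* Two-stage user-namespace setup as sketched above; example code, not libcontainer's or
 * minijail's. Sync bytes, exit codes and the DEMO_* values are this example's own conventions. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER   /* in case <sched.h> was already pulled in without _GNU_SOURCE */
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags); int setns(int fd, int nstype);

enum { DEMO_OK = 0, DEMO_UNSUPPORTED = 1, DEMO_FAILED = -1 };

/* One "inner outer count" line in the format uid_map and gid_map accept. */
int format_map_line(char *buf, size_t size, unsigned inner, unsigned outer, unsigned count) {
    return snprintf(buf, size, "%u %u %u\n", inner, outer, count);
}
static int write_proc(pid_t pid, const char *name, const char *text) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, name);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t len = (ssize_t)strlen(text), n = write(fd, text, len);
    close(fd);
    return n == len ? 0 : -1;
}
/* Map one uid and one gid into pid's current user namespace. An unprivileged gid_map
 * write is refused unless setgroups has been set to "deny" first. */
static int map_one_id(pid_t pid, unsigned inner, unsigned outer_uid, unsigned outer_gid) {
    char line[64];
    if (write_proc(pid, "setgroups", "deny") < 0) return -1;
    format_map_line(line, sizeof line, inner, outer_uid, 1);
    if (write_proc(pid, "uid_map", line) < 0) return -1;
    format_map_line(line, sizeof line, inner, outer_gid, 1);
    return write_proc(pid, "gid_map", line);
}
/* errno values from unshare()/setns() that mean the kernel or sandbox disallows
 * unprivileged user namespaces (sysctl, seccomp, max_user_namespaces=0). */
static int ns_unsupported(void) {
    return errno == EPERM || errno == EINVAL || errno == ENOSYS || errno == EACCES ||
           errno == ENOSPC || errno == EUSERS;
}
static int send_byte(int fd, char c) { return write(fd, &c, 1) == 1 ? 0 : -1; }
static int wait_byte(int fd, char want) { char c = 0; return read(fd, &c, 1) == 1 && c == want ? 0 : -1; }

/* Returns DEMO_OK when the child sees its host uid/gid again inside ns2. */
int run_nested_identity_demo(void) {
    unsigned uid = getuid(), gid = getgid();
    int to_parent[2], to_child[2], nsfd = -1, st = 0, code;
    char nspath[64];
    pid_t child, helper = -1;
    if (pipe(to_parent) < 0 || pipe(to_child) < 0 || (child = fork()) < 0) return DEMO_FAILED;
    if (child == 0) {
        close(to_parent[0]); close(to_child[1]);
        /* Stage 1: enter ns1 and block until the parent has mapped us to uid 0. */
        if (unshare(CLONE_NEWUSER) < 0) _exit(ns_unsupported() ? 2 : 3);
        if (send_byte(to_parent[1], '1') < 0 || wait_byte(to_child[0], '2') < 0) _exit(3);
        if (geteuid() != 0) _exit(4);   /* container_root: root-only setup would go here */
        /* Stage 2: enter ns2; from here on only a process in ns1 can write our uid_map. */
        if (unshare(CLONE_NEWUSER) < 0) _exit(ns_unsupported() ? 2 : 3);
        if (send_byte(to_parent[1], '3') < 0 || wait_byte(to_child[0], '4') < 0) _exit(3);
        _exit(geteuid() == uid && getegid() == gid ? 0 : 4);   /* identity mapping restored? */
    }
    close(to_parent[1]); close(to_child[0]);
    if (wait_byte(to_parent[0], '1') == 0) {
        /* Stage 1 map (uid 0 of ns1 = our uid), then grab the ns1 handle *before* the
         * child unshares again: afterwards /proc/<pid>/ns/user would name ns2. */
        snprintf(nspath, sizeof nspath, "/proc/%d/ns/user", (int)child);
        if (map_one_id(child, 0, uid, gid) < 0 || (nsfd = open(nspath, O_RDONLY)) < 0 ||
            send_byte(to_child[1], '2') < 0 || wait_byte(to_parent[0], '3') < 0) {
            kill(child, SIGKILL);
        } else if ((helper = fork()) == 0) {
            /* setns() into a user namespace is one-way, hence a throwaway helper. */
            if (setns(nsfd, CLONE_NEWUSER) < 0) _exit(ns_unsupported() ? 2 : 3);
            _exit(map_one_id(child, uid, 0, 0) == 0 ? 0 : 3);   /* uid in ns2 = uid 0 of ns1 */
        } else if (helper < 0 || waitpid(helper, &st, 0) < 0 || !WIFEXITED(st) ||
                   WEXITSTATUS(st) != 0 || send_byte(to_child[1], '4') < 0) {
            kill(child, SIGKILL);   /* helper exit 2 (setns refused) is reported below */
        }
    }
    if (nsfd >= 0) close(nsfd);
    code = WIFEXITED(st) && WEXITSTATUS(st) ? WEXITSTATUS(st) : 3;   /* helper's verdict, if any */
    if (waitpid(child, &st, 0) < 0) return DEMO_FAILED;
    if (WIFEXITED(st)) code = WEXITSTATUS(st);                         /* child's verdict wins */
    return code == 0 ? DEMO_OK : code == 2 ? DEMO_UNSUPPORTED : DEMO_FAILED;
}

int main(void) {
    int r = run_nested_identity_demo();
    printf("%d (0 = identity mapping ok, 1 = user namespaces unavailable, -1 = failed)\n", r);
    return r == DEMO_FAILED;
}
```

Build with `cc -o nested_userns nested_userns.c` and run as a normal user. Three details matter in practice: each uid_map and gid_map can be written exactly once, an unprivileged gid_map write is refused until setgroups reads "deny", and the helper has to be a separate process because a user-namespace setns() cannot be undone, so the parent would otherwise lose its own view of the initial namespace.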

Summary: libcontainer: allow running container as non-root (was: libcontainer: allow running container with identity uid/gid mapping)
Changing the title to make it clearer.

Comment 3 by dgreid@chromium.org, Nov 18 2017

Status: Verified (was: Untriaged)
Components: OS>Systems>Containers