using rootlesskit with preconfigured network namespace #252
I followed my idea number 4 and preconfigured a netns as root and set up PAM to put all processes of a test user into that netns. Trying to start dockerd in a rootlesskit environment with host network (which for that user is a preconfigured netns) I ran into the following problem, which is also reproducible for any user in the main/default netns: I called dockerd-rootless.sh like this:
When I start a busybox docker container I get the error message "docker: Error response from daemon: Could not check if docker-default AppArmor profile was loaded: open /sys/kernel/security/apparmor/profiles: permission denied." I found (using strace) that dockerd does not try to look for /sys/kernel/security/apparmor/profiles when rootlesskit is called without the options to use host networking.
RootlessKit mounts a new /sys when the network namespace is unshared, so dockerd avoids looking up apparmor stuff
Thanks for the answer! So, rootlesskit does not mount a new /sys when the network namespace is not set up, because "--net host" is used? If so and if done intentionally, why? If not so, why does dockerd in "rootlesskit --net host" complain about AppArmor?
Not my own choice. The kernel is designed to require unsharing the network namespace for mounting a new
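The two situations described above (a fresh sysfs inside RootlessKit versus the host's /sys with --net=host) can be told apart from a mountinfo listing. The following script is an added diagnostic, not part of this issue or of RootlessKit: it takes a copy of /proc/self/mountinfo captured inside the RootlessKit child and reports whether /sys is a sysfs mount with securityfs (the filesystem that exposes /sys/kernel/security/apparmor) visible below it. The two mountinfo samples are constructed, and the mapping of "securityfs visible" to "dockerd will attempt the AppArmor profile check" is an assumption drawn from the error message in the report, not something the thread confirms.

```shell
#!/bin/sh
# Classify a mountinfo listing (read from stdin) by what it shows under /sys.
# mountinfo fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts

# Print "<mountpoint> <fstype>" for /sys and every mount below it.
sys_mounts() {
  awk '{
    mp = $5
    fs = "?"
    # the fstype is the field right after the "-" separator; optional fields may precede it
    for (i = 7; i <= NF; i++) if ($i == "-") { fs = $(i + 1); break }
    if (mp == "/sys" || index(mp, "/sys/") == 1) print mp, fs
  }'
}

# "no-sysfs":    /sys is not a sysfs mount at all
# "fresh-sysfs": /sys is sysfs but no securityfs is mounted below it (RootlessKit's
#                new /sys; assumed to be why dockerd skips the AppArmor lookup)
# "host-sysfs":  securityfs is visible, i.e. the host's /sys is in view, so an
#                unprivileged open of /sys/kernel/security/apparmor/profiles is attempted
classify_sys() {
  out=$(sys_mounts)
  echo "$out" | grep -q '^/sys sysfs$' || { echo no-sysfs; return 0; }
  if echo "$out" | grep -q ' securityfs$'; then echo host-sysfs; else echo fresh-sysfs; fi
}

# Constructed sample: what the host (or a --net=host RootlessKit child) typically shows.
MOUNTINFO_HOST='30 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 30 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
27 23 0:24 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:8 - securityfs securityfs rw'

# Constructed sample: a child that unshared its network namespace and got a new sysfs.
MOUNTINFO_FRESH='170 160 8:1 / / rw,relatime - ext4 /dev/sda1 rw
180 170 0:22 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw'

# Usage: rootlesskit sh -c 'cat /proc/self/mountinfo' | classify_sys
# Stand-alone demonstration on the constructed samples:
printf 'host sample:  %s\n' "$(printf '%s\n' "$MOUNTINFO_HOST" | classify_sys)"
printf 'fresh sample: %s\n' "$(printf '%s\n' "$MOUNTINFO_FRESH" | classify_sys)"
```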
I'd like to achieve the following setup for users who start docker rootless: docker uses a network config that is statically configured by root and cannot be changed by the unprivileged user who started rootlesskit (and docker or whatever inside it).
Motivation: building a network between dockerd running for different users that cannot be changed by the users running the docker daemons to
So far I came up with the following approaches:
I didn't find a way to set up a network namespace as root and provide access to an unprivileged user.
If this were possible it would be my preferred solution and I'd kindly ask to extend rootlesskit with an option to enter an existing network namespace instead of using the host's network or vpnkit or slirp4netns.
Do not like this idea much, because timing and dependencies in the order of things happening from different services are involved.
A variant could be to let users systemd start docker in a network namespace by configuring the service with "PrivateNetwork=".
Maybe via configuring the user's systemd and logind to run inside a network namespace.
This is a variant of 2. and thereby the same disadvantage applies in my opinion. Furthermore maintaining the containers run by docker becomes more difficult (maybe more secure, also?), because the user running docker is restricted to the same network restrictions as docker and its containers.
I'd appreciate opinions for this idea, the approaches I found and help on how to configure whatever makes sense.