[Discuss] unprivileged rootful podman in kubernetes #2

Open
DekusDenial opened this issue Nov 30, 2023 · 5 comments
Comments

@DekusDenial

Having read about different ways of operating podman in various environments, it certainly feels like getting this CSI project to work with podman in unprivileged container in kubernetes would be a very interesting and strong use case which will benefit many.

The challenge ahead may be getting the fusermount proxy to somehow “work” with fuse-overlayfs when podman is configured to use overlay as the storage driver. And currently, without granting SYS_ADMIN, rootful podman simply does not work in an unprivileged container in a kubernetes pod.

@utam0k
Member

utam0k commented Dec 4, 2023

👋 Hi, @saschagrunert and @giuseppe. Is there currently any reference or something on running Podman within pods without privileged:true?
We have started the project to run fuse without requiring privileges within pods. It seems like it would be worthwhile to use this project to run fuse-overlayfs to run rootless podman.

@utam0k
Member

utam0k commented Dec 4, 2023

FYI: We need to take the rootless network and some system calls (mount(2)) into consideration.

@naoki9911
Collaborator

naoki9911 commented Dec 4, 2023

It seems fuse-overlayfs calls the low-level API fuse_session_mount, and it calls fusermount3 in fuse_kern_mount.
https://github.com/containers/fuse-overlayfs/blob/18f4d6768ab2178f0147c1bac0ccfd7d44841a56/main.c#L5883C7-L5883C25
https://github.com/libfuse/libfuse/blob/3f6cf537b77597d89bebd8387e93d4e42428b966/lib/fuse_lowlevel.c#L3179

I think this plugin can mount fuse-overlayfs, but its mount destination is statically defined in the pod's manifest.
AFAIK, Podman requires fuse-overlayfs to be mounted to each container's directory, and the directories are dynamically specified.
The current meta-fuse-csi-plugin cannot handle such dynamic behavior.

@giuseppe

giuseppe commented Dec 4, 2023

👋 Hi, @saschagrunert and @giuseppe. Is there currently any reference or something on running Podman within pods without privileged:true?
We have started the project to run fuse without requiring privileges within pods. It seems like it would be worthwhile to use this project to run fuse-overlayfs to run rootless podman.

In this case you'd need to be able to create a user namespace. Podman can run in a pod without privileges as long as /proc is unmasked and it can create a user namespace. Without an unmasked /proc it is only able to build container images with --isolation=chroot.
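The two prerequisites giuseppe names (an unmasked /proc and the ability to create a user namespace) can be checked from inside the pod before trying to run Podman. The script below is an added example, not code from this issue or from the meta-fuse-csi-plugin project; it reads mountinfo to list the paths a runtime has masked below /proc, and uses unshare(1) from util-linux (assumed installed) to probe user-namespace creation. The two mountinfo samples are constructed.

```shell
# Added example; not code from the issue or the meta-fuse-csi-plugin project.
# Checks the two prerequisites for running Podman in a pod without
# privileged: true -- an unmasked /proc and a creatable user namespace.

# List every mount point below /proc. A plain /proc has none; a pod with the
# default (masked) procMount shows the paths the runtime covered with tmpfs or
# remounted read-only. Reads mountinfo from stdin.
masked_proc_paths() {
    # mountinfo field 5 is the mount point
    awk '$5 ~ "^/proc/" { print $5 }'
}

# Succeeds when nothing below /proc is masked. Reads mountinfo from stdin.
proc_is_unmasked() {
    [ -z "$(masked_proc_paths)" ]
}

# Succeeds when an unprivileged user namespace can be created here
# (assumes unshare(1) from util-linux is installed).
can_unshare_userns() {
    unshare -U true 2>/dev/null
}

# Constructed sample: what a default pod container sees in /proc/self/mountinfo.
SAMPLE_MASKED='1 0 0:20 / / rw,relatime - overlay overlay rw
2 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
3 2 0:22 / /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k
4 2 0:21 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
5 2 0:21 /sysrq-trigger /proc/sysrq-trigger ro,relatime - proc proc rw'

# Constructed sample: the same container with nothing masked below /proc.
SAMPLE_UNMASKED='1 0 0:20 / / rw,relatime - overlay overlay rw
2 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'

# Live report when run inside a container; the functions above carry the result.
if [ -r /proc/self/mountinfo ]; then
    if proc_is_unmasked < /proc/self/mountinfo; then
        echo "/proc: unmasked"
    else
        echo "/proc: masked at:"
        masked_proc_paths < /proc/self/mountinfo
    fi
fi
if can_unshare_userns; then
    echo "userns: can be created"
else
    echo "userns: unavailable"
fi
```

On Kubernetes the masked entries come from the pod's default procMount; `securityContext.procMount: Unmasked` (behind the ProcMountType feature gate) removes them. User-namespace creation additionally depends on `/proc/sys/user/max_user_namespaces` being non-zero on the node and on the pod's seccomp or AppArmor profile not blocking unshare(2), which is why the probe runs the real syscall rather than only reading the sysctl.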

@utam0k
Member

utam0k commented Dec 4, 2023

👍 I didn't know --isolation=chroot. Thanks ;)

Without an unmasked /proc it is only able to build container images with --isolation=chroot.
