Most Rootless Containers implementations need the $XDG_RUNTIME_DIR environment variable to be set. When the environment variable is not set, features related to systemd and cgroups are unlikely to work properly. The value is typically set to /run/user/$UID automatically by systemd or elogind when you log into the host. Run the following command to confirm: $ echo $XDG_RUNTIME_DIR /run/user/1000 The $XDG_RUNTIME_DIR environment variable is set when: Logged in as a non-root user via the graph...| Rootless Containers
Rootless containers use user_namespaces(7) (UserNS) to emulate fake privileges that are enough to create containers, e.g. mapping UID 1000 to the pseudo-root UID 0 inside the UserNS: $ whoami user1 $ id -u 1000 $ unshare --user --map-root-user # cat /proc/self/uid_map 0 1000 1 # cat /proc/self/gid_map 0 1000 1 # id -u 0 The pseudo-root user gains capabilities such as CAP_SYS_ADMIN and CAP_NET_ADMIN inside the UserNS to perform fake-privileged operations such as creating mount namespaces, network namespace...| Rootless Containers
Rootless Docker/Moby was implemented in 2018 following rootless runc, containerd, and BuildKit. Rootless Docker has been merged into the Docker/Moby upstream since Docker 19.03. Docker 19.03 provides almost all features in Rootless mode, including support for port forwarding (docker run -p) and multi-container networking (docker network create), but it doesn’t support limiting resources with cgroup. Docker 20.10 added support for limiting resources using cgroup v2. Installation Note Please r...| Rootless Containers
Unsharing network namespaces isn’t only for assigning IP addresses; it is also essential to protect abstract UNIX sockets on the host from containerized processes. However, unsharing network namespaces for Rootless Containers isn’t straightforward, because vEth pairs cannot be created across UserNS boundaries without the privilege. LXC uses a SETUID binary called lxc-user-nic for setting up vEth pairs. Other implementations including Docker/Moby and Podman typically use TAP devices instea...| Rootless Containers
The following table shows the feature implementation status of Rootless Podman: Version Notable changes Pre-1.1 Initial support for Rootless mode 1.1 Added support for port forwarding (podman run -p) 1.5 Added support for cgroup v2 2.1 Added support for multi-container networking (podman create network) FAQ: Docker/Moby vs Podman? Until recently, Docker/Moby lacked support for cgroup v2, while Podman lacked support for multi-container networking.| Rootless Containers
Note Please read the common steps first. See https://github.com/moby/buildkit/blob/master/docs/rootless.md| Rootless Containers
See https://umo.ci/quick-start/rootless/| Rootless Containers
nerdctl is a Docker-compatible CLI for containerd. nerdctl comes with helper scripts for running rootless containerd. To run rootless containerd without nerdctl, see https://github.com/containerd/containerd/blob/master/docs/rootless.md Installation Note Please read the common steps first. In particular, make sure that $XDG_RUNTIME_DIR is set properly. Download nerdctl-full-<VERSION>-linux-amd64.tar.gz from https://github.com/containerd/nerdctl/releases , and extract the archive onto /usr/local (sy...| Rootless Containers
Connections incoming from the Internet cannot directly reach network namespaces. Two forwarder implementations are used for transferring connections to Rootless Containers' network namespaces. RootlessKit The RootlessKit implementation is used by both Docker/Moby and Podman. slirp4netns slirp4netns also has its own port forwarder. The slirp4netns implementation is slower than RootlessKit, however, the slirp4netns implementation can keep source IP addresses, while the RootlessKit implementatio...| Rootless Containers
Rootless OverlayFS is supported since kernel 5.11. Older kernel releases didn’t support rootless OverlayFS, though Ubuntu supports it by patching the kernel. Debian supports rootless OverlayFS too, when overlay.ko is loaded with the custom modprobe option permit_mounts_in_userns=1. However, the Debian version of rootless OverlayFS (before kernel 5.11) is known to be broken as of April 2021, while the Ubuntu version seems stable. On other distros, Rootless Containers typically use fuse-overlayfs inste...| Rootless Containers
Note Enabling cgroup v2 is optional. Enabling cgroup v2 is often needed for running Rootless Containers while limiting the consumption of CPU, memory, I/O, and PID resources, e.g. docker run --memory 32m. Note that cgroup is not needed just to limit resources with the traditional ulimit and cpulimit, though those work at process granularity rather than container granularity. See here for further information. Checking whether cgroup v2 is already enabled If /sys/fs/cgroup/cgroup.| Rootless Containers
Note Please read the common steps first. See https://github.com/opencontainers/runc/#rootless-containers| Rootless Containers
Note Configuring sysctl is optional for most distributions. Old versions of Debian, Arch, and RHEL/CentOS are known to require reconfiguration of sysctl to enable User Namespaces. Debian GNU/Linux 10 Note These steps are not needed for Debian 11. These steps are also not needed for Ubuntu. Create /etc/sysctl.d/99-rootless.conf with the following content: kernel.unprivileged_userns_clone=1 Then run the following command to reload the new sysctl configuration: $ sudo sysctl --system Arch Linux ...| Rootless Containers
Note Please read the common steps first. Apptainer (formerly known as Singularity) provides three modes for running containers as a non-root user: User namespace mode (the default since version 1.1.0, or apptainer exec --userns with suid installation) Fakeroot mode (apptainer exec --fakeroot) Setuid mode (install extra apptainer-suid component) The first mode does not use setuid root, so it is in the scope of Rootless Containers. In fact, it does not even use a privileged helper the way other...| Rootless Containers
v1 Delegating cgroup v1 controllers to non-root users is not considered to be safe. So, most Rootless Containers implementations do not support using cgroups on cgroup v1 hosts. However, LXC supports delegating cgroup v1 to non-root users by using a PAM module called pam_cgfs. v2 Unlike cgroup v1, cgroup v2 officially supports delegation. Most Rootless Containers implementations rely on systemd for delegating v2 controllers to non-root users. See Getting Started/Common/Cgroup v2 for the actua...| Rootless Containers
Note Please read the common steps first. Running unprivileged LXC To be documented.| Rootless Containers
Note Please read the common steps first. Note udocker is not Docker. udocker provides four modes for running containers as a non-root user: Pn: Proot mode Fn: fakechroot mode Rn: rootless runc mode Sn: Singularity (now called Apptainer) mode The third mode (Rn) falls into the scope of Rootless Containers, and the fourth mode (Sn) also does when it runs in non-setuid mode, but the others do not: Pn and Fn are not containers (in our view).| Rootless Containers
Note Configuring AppArmor is needed only on Ubuntu 24.04 or later, with RootlessKit installed under a non-standard path. If you face an error like [rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted, try running the following commands: cat <<EOT | sudo tee "/etc/apparmor.d/usr.local.bin.rootlesskit" abi <abi/4.0>, include <tunables/global> /usr/local/bin/rootlesskit flags=(unconfined) { userns, # Site-specific additions and overrides. See l...| Rootless Containers
Kubernetes| rootlesscontaine.rs
/etc/subuid and /etc/subgid| rootlesscontaine.rs