Support Rootless Docker #889

Alexhuszagh · 2022-07-01T04:21:57Z

Checklist

I've looked through the issues and pull requests for similar request
This feature could be solved with a custom docker image (optional)

Describe your request

Currently, if using rootless docker, cross fails to run. This is because we automatically add --user 1000:1000 permissions (or the current UID/GID) when running Docker. This is an issue, because there is now rootless docker:

First, install rootless docker:

$  dockerd-rootless-setuptool.sh install  # this may require a --force if the rootful docker is available.

Then, use the rootless context and try to touch a file:

$ docker context use rootless 
rootless
Current context is now "rootless"
$ docker run --user 1000:1000 -it --rm -v "$PWD":/project -w /project ubuntu:20.04 bash
groups: cannot find name for group ID 1000
$ touch a
touch: cannot touch 'a': Permission denied

This can be solved by allowing an environment variable to override our default, good assumptions of whether the container engine is rootful or not.

Describe why this would be a good inclusion for `cross`

Currently, detecting rootful/rootless mode is quite difficult, or expensive computationally, and the defaults are quite good:

Podman always runs rootless
Docker mostly runs rootful

Therefore, just making these assumptions generally works. However, this is an issue if rootless docker exists, or we have another container engine that runs as root. In short, we need to be able to override setting --user 1000:1000 permissions. This likely could best be done with a CROSS_ROOTLESS_CONTAINER_ENGINE, which is an Option<bool>, parsed via bool_from_envvar. If it's not present, use the sensible default. If it is present, force the presence or absence of lower user permissions.

This also should simplify supporting new container engines, since we can handle those with varying behavior quite easily, without any code changes, until we can provide reasonable defaults for them, such as in #588.

The text was updated successfully, but these errors were encountered:

Adds support for rootless docker, and manually overriding rootless/rootful container engines through the `CROSS_ROOTLESS_CONTAINER_ENGINE` environment variable. If not set, it will use the default mode for the container engine (rootful for docker, rootless for everything else). ```bash \# use the defaults cross run ... \# always use rootful mode CROSS_ROOTLESS_CONTAINER_ENGINE=0 cross run ... \# always use rootless mode CROSS_ROOTLESS_CONTAINER_ENGINE=1 cross run ... ``` Closes cross-rs#889.

Adds support for rootless docker, and manually overriding rootless/rootful container engines through the `CROSS_ROOTLESS_CONTAINER_ENGINE` environment variable. If not set, it will use the default mode for the container engine (rootful for docker, rootless for everything else). ```bash \# use the defaults cross run ... \# auto-select if using rootless (the default) CROSS_ROOTLESS_CONTAINER_ENGINE=auto cross run ... \# always use rootful mode CROSS_ROOTLESS_CONTAINER_ENGINE=0 cross run ... \# always use rootless mode CROSS_ROOTLESS_CONTAINER_ENGINE=1 cross run ... ``` Closes cross-rs#889.

890: Support rootless docker. r=Emilgardis a=Alexhuszagh Adds support for rootless docker, and manually overriding rootless/rootful container engines through the `CROSS_ROOTLESS_CONTAINER_ENGINE` environment variable. If not set, it will use the default mode for the container engine (rootful for docker, rootless for everything else). ```bash # use the defaults cross run ... # auto-select if using rootless (the default) CROSS_ROOTLESS_CONTAINER_ENGINE=auto cross run ... # always use rootful mode CROSS_ROOTLESS_CONTAINER_ENGINE=0 cross run ... # always use rootless mode CROSS_ROOTLESS_CONTAINER_ENGINE=1 cross run ... ``` Closes #889. Co-authored-by: Alex Huszagh <[email protected]>

…ootless?" (#1380) I recently encountered #1098 and propose an iteration on the fix in #890 This patch adds a last minute check that looks up the current builder endpoint. This may be seen as a costly operation however, as mentioned in #889 Here's the output of `docker builder inspect` on my rootless install: ``` Name: rootless Driver: docker Last Activity: 2023-12-03 02:04:14 +0000 UTC Nodes: Name: rootless Endpoint: rootless # <= THIS HERE Status: running Buildkit: v0.11.7+d3e6c1360f6e Platforms: linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/amd64/v4, linux/386 Labels: org.mobyproject.buildkit.worker.moby.host-gateway-ip: 172.17.0.1 ```

Alexhuszagh added enhancement A-container-engine Area: container engines feature-request labels Jul 1, 2022

Alexhuszagh self-assigned this Jul 1, 2022

Alexhuszagh changed the title ~~Support Docker Rootless~~ Support Rootless Docker Jul 1, 2022

Alexhuszagh mentioned this issue Jul 1, 2022

Support rootless docker. #890

Merged

bors bot closed this as completed in ae54417 Jul 1, 2022

Alexhuszagh mentioned this issue Jul 2, 2022

Feature request: Support for Docker's rootless mode #490

Closed

Alexhuszagh added the A-docker Area: docker container engine label Nov 6, 2022

Alexhuszagh mentioned this issue Nov 6, 2022

Permission denied error - rootless docker #648

Closed

fenollp mentioned this issue Dec 3, 2023

feat(rootless): help detection with execv check "is current builder rootless?" #1380

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support Rootless Docker #889

Support Rootless Docker #889

Alexhuszagh commented Jul 1, 2022 •

edited

Loading

Support Rootless Docker #889

Support Rootless Docker #889

Comments

Alexhuszagh commented Jul 1, 2022 • edited Loading

Checklist

Describe your request

Describe why this would be a good inclusion for cross

Alexhuszagh commented Jul 1, 2022 •

edited

Loading

Describe why this would be a good inclusion for `cross`