no, it did not work for me

I've removed the entire mount section

    "mounts": [ ],

I tried to only remove the sys/none item in mounts, it got stuck (no output, no error message and on another terminal it would be running)

the following

    bwrap-oci --dry-run run delme

gives

    /usr/bin/bwrap --userns-block-fd FD --as-pid-1 --die-with-parent --bind rootfs / --unshare-pid --unshare-ipc --unshare-uts --unshare-user --unshare-user --cap-drop ALL --cap-add CAP_KILL --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_AUDIT_WRITE --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --tmpfs /tmp --dev-bind /dev/tty /dev/tty --hostname runc --block-fd FD --sync-fd FD --info-fd FD --bind /dev/null /proc/kcore --bind /dev/null /proc/latency_stats --bind /dev/null /proc/timer_list --bind /dev/null /proc/timer_stats --bind /dev/null /proc/sched_debug --bind /dev/null /sys/firmware --bind /dev/null /proc/scsi --ro-bind /proc/asound /proc/asound --ro-bind /proc/bus /proc/bus --ro-bind /proc/fs /proc/fs --ro-bind /proc/irq /proc/irq --ro-bind /proc/sys /proc/sys --ro-bind /proc/sysrq-trigger /proc/sysrq-trigger --remount-ro / sh

which does not work, but the following works fine

    /usr/bin/bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-pid --unshare-ipc --unshare-uts --unshare-user --unshare-user --cap-drop ALL --cap-add CAP_KILL --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_AUDIT_WRITE --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --tmpfs /tmp --dev-bind /dev/tty /dev/tty --hostname runc --remount-ro / sh

the config is attached

On Sun, Feb 25, 2018 at 2:01 PM, Giuseppe Scrivano <gscri...@redhat.com> wrote:
> Hi Muayyad,
>
> Muayyad AlSadi <als...@gmail.com> writes:
>
> > here is my blog post
> >
> > https://bcksp.blogspot.com/2018/02/diy-docker-using-skopeoostreerunc.html
>
> That is definitely a great blog post! It is a very good explanation of
> how the atomic CLI works for a non root user.
>
> > the error in "bwrap-oci run"
> > bwrap-oci: unknown mount type none
> > was because of type none in /sys
> >
> > "mounts": [
> >     ...
> >     {
> >         "destination": "/sys",
> >         "type": "none",
> >         "source": "/sys",
> >         "options": [
> >             "rbind",
> >             "nosuid",
> >             "noexec",
> >             "nodev",
> >             "ro"
> >         ]
> >     }
> >
> > but removing it did not solve the problem
>
> The issue you reported is a bug in bwrap-oci. It fails with an error
> caused by the '"type" : "none"' generated by runc spec --rootless.
>
> Could you please try if this PR solves the problem for you?
>
> https://github.com/projectatomic/bwrap-oci/pull/17
>
> Another option is to change "none" to "bind" in the configuration file.
>
> In general bwrap-oci is more tolerant than runc with the config.json
> configuration. bwrap-oci takes the freedom of adding the user namespace
> even if it is not specified and handles the user mapping inside of the
> container (if you need more than one user mapped please take a look at
> /etc/subuid and /etc/subgid). It is designed this way so that the
> configuration that works for a system container could to some extent be
> used by a non root user in a seamless way.
>
> You should be fine to run the container with the config.json file you
> get with "runc spec" without the "--rootless" option.
>
> Please let me know if this works for you.
>
> Regards,
> Giuseppe
config.json
Description: application/json
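The second workaround from the quoted reply (rewriting "type": "none" to "bind" in config.json) can be applied mechanically rather than by hand. The script below is an added example, not code from this thread, from bwrap-oci or from runc; it embeds a constructed sample config (not the attached config.json) whose /sys entry mirrors what the thread quotes from `runc spec --rootless`. It only rewrites "none" mounts that carry a bind or rbind option, and reports any other "none" mount instead of guessing a filesystem type for it, so nothing gets mounted that the original config did not ask for.

```python
import json
import sys
from copy import deepcopy

# Constructed sample config (not the attached config.json from the thread):
# the /sys entry mirrors what `runc spec --rootless` emits, with "type": "none"
# and an "rbind" option, next to an ordinary proc mount and a plain bind mount.
SAMPLE_CONFIG = {
    "ociVersion": "1.0.0",
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {
            "destination": "/sys",
            "type": "none",
            "source": "/sys",
            "options": ["rbind", "nosuid", "noexec", "nodev", "ro"],
        },
        {
            "destination": "/data",
            "type": "bind",
            "source": "/srv/data",
            "options": ["rbind", "rw"],
        },
    ],
}

# Mount options that mark an entry as a bind mount regardless of its "type".
BIND_OPTIONS = {"bind", "rbind"}


def find_none_mounts(config):
    """Return destinations of mounts declared with the non-standard type "none"."""
    return [m["destination"] for m in config.get("mounts", []) if m.get("type") == "none"]


def rewrite_none_to_bind(config):
    """Return (fixed_config, changed, skipped).

    Every mount of type "none" whose options include bind/rbind is rewritten
    to type "bind", which bwrap-oci understands. A "none" mount without a bind
    option is left untouched and listed in `skipped`, since guessing a
    filesystem type for it could silently change what gets mounted.
    The input config is not modified.
    """
    fixed = deepcopy(config)
    changed, skipped = [], []
    for mount in fixed.get("mounts", []):
        if mount.get("type") != "none":
            continue
        if BIND_OPTIONS & set(mount.get("options", [])):
            mount["type"] = "bind"
            changed.append(mount["destination"])
        else:
            skipped.append(mount["destination"])
    return fixed, changed, skipped


def fix_config_file(path_in, path_out):
    """Load an OCI config.json, rewrite its "none" bind mounts, write the result."""
    with open(path_in) as f:
        config = json.load(f)
    fixed, changed, skipped = rewrite_none_to_bind(config)
    with open(path_out, "w") as f:
        json.dump(fixed, f, indent=2)
        f.write("\n")
    return changed, skipped


if __name__ == "__main__":
    # Usage: python fix_mounts.py config.json config.fixed.json
    # With no arguments the embedded sample config is processed instead.
    if len(sys.argv) == 3:
        changed, skipped = fix_config_file(sys.argv[1], sys.argv[2])
    else:
        _, changed, skipped = rewrite_none_to_bind(SAMPLE_CONFIG)
    print("rewritten to bind:", changed)
    if skipped:
        print("left as type none (no bind option, check by hand):", skipped)
```

Run it on the file before handing the config to `bwrap-oci run`; the original file is left intact and the rewritten copy is written to the second path, so the two can be diffed to confirm that only the "type" fields changed.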