no, it did not work for me

I've removed the entire mount section

    "mounts": [ ],

I tried to only remove the sys/none item in mounts,

it got stuck (no output, no error message and on another terminal it would
be running)

the following

bwrap-oci --dry-run run delme

gives

/usr/bin/bwrap --userns-block-fd FD --as-pid-1 --die-with-parent --bind
rootfs / --unshare-pid --unshare-ipc --unshare-uts --unshare-user
--unshare-user --cap-drop ALL --cap-add CAP_KILL --cap-add
CAP_NET_BIND_SERVICE --cap-add CAP_AUDIT_WRITE --chdir / --setenv PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM
xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts
--tmpfs /dev/shm --mqueue /dev/mqueue --tmpfs /tmp --dev-bind /dev/tty
/dev/tty --hostname runc --block-fd FD --sync-fd FD --info-fd FD --bind
/dev/null /proc/kcore --bind /dev/null /proc/latency_stats --bind /dev/null
/proc/timer_list --bind /dev/null /proc/timer_stats --bind /dev/null
/proc/sched_debug --bind /dev/null /sys/firmware --bind /dev/null
/proc/scsi --ro-bind /proc/asound /proc/asound --ro-bind /proc/bus
/proc/bus --ro-bind /proc/fs /proc/fs --ro-bind /proc/irq /proc/irq
--ro-bind /proc/sys /proc/sys --ro-bind /proc/sysrq-trigger
/proc/sysrq-trigger --remount-ro / sh

which does not work but the following works fine

/usr/bin/bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-pid
--unshare-ipc --unshare-uts --unshare-user --unshare-user --cap-drop ALL
--cap-add CAP_KILL --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_AUDIT_WRITE
--chdir / --setenv PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM
xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts
--tmpfs /dev/shm --mqueue /dev/mqueue --tmpfs /tmp --dev-bind /dev/tty
/dev/tty --hostname runc --remount-ro / sh

the config is attached
On Sun, Feb 25, 2018 at 2:01 PM, Giuseppe Scrivano <gscri...@redhat.com>
wrote:

> Hi Muayyad,
>
> Muayyad AlSadi <als...@gmail.com> writes:
>
> > here is my blog post
> >
> > https://bcksp.blogspot.com/2018/02/diy-docker-using-skopeoostreerunc.html
>
> That is definitely a great blog post!  It is a very good explanation of
> how the atomic CLI works for a non root user.
>
>
> > the error in "bwrap-oci run"
> > bwrap-oci: unknown mount type none
> > was because of type none in /sys
> >
> > "mounts": [
> > ...
> > {
> > "destination": "/sys",
> > "type": "none",
> > "source": "/sys",
> > "options": [
> > "rbind",
> > "nosuid",
> > "noexec",
> > "nodev",
> > "ro"
> > ]
> > }
> >
> > but removing it did not solve the problem
>
> The issue you reported is a bug in bwrap-oci.  It fails with an error
> caused by the '"type" : "none"' generated by "runc spec --rootless".
>
> Could you please try if this PR solves the problem for you?
>
>   https://github.com/projectatomic/bwrap-oci/pull/17
>
> Another option is to change "none" to "bind" in the configuration file.
>
> In general bwrap-oci is more tolerant than runc with the config.json
> configuration.  bwrap-oci takes the freedom of adding the user namespace
> even if it is not specified and handles the users mapping inside of the
> container (if you need more than one user mapped please take a look at
> /etc/subuid and /etc/subgid).  It is designed this way so that the
> configuration that works for a system container could to some extent be
> used by a non root user in a seamless way.
>
> You should be fine to run the container with the config.json file you
> get with "runc spec" without the "--rootless" option.
>
> Please let me know if this works for you.
>
> Regards,
> Giuseppe
>

Attachment: config.json
Description: application/json
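One way to apply the "none" to "bind" workaround suggested in the quoted reply, and then to review which bind mounts in the result are still writable toward the host, as an added Python example that is not part of this thread or of bwrap-oci (the sample config is constructed; only its /sys entry follows the one quoted above, the other two entries are assumptions):

```python
import json

# Constructed sample in the shape of a runc config.json "mounts" array.
# The /sys entry mirrors the one quoted in the thread ("type": "none" with
# rbind, as written by runc spec --rootless); the other two are assumptions.
SAMPLE_CONFIG = """
{
  "mounts": [
    {"destination": "/proc", "type": "proc", "source": "proc"},
    {"destination": "/sys", "type": "none", "source": "/sys",
     "options": ["rbind", "nosuid", "noexec", "nodev", "ro"]},
    {"destination": "/etc/resolv.conf", "type": "bind",
     "source": "/etc/resolv.conf", "options": ["bind"]}
  ]
}
"""

BIND_OPTIONS = {"bind", "rbind"}


def load_sample() -> dict:
    """Parse the constructed sample above into a config dict."""
    return json.loads(SAMPLE_CONFIG)


def fix_mount_types(config: dict) -> list:
    """Workaround from the thread: a mount with "type": "none" whose options
    request bind/rbind is really a bind mount, so set its type to "bind".
    Mutates config in place; returns the destinations that were rewritten."""
    changed = []
    for mount in config.get("mounts", []):
        if mount.get("type") == "none" and set(mount.get("options", [])) & BIND_OPTIONS:
            mount["type"] = "bind"
            changed.append(mount["destination"])
    return changed


def writable_host_binds(config: dict) -> list:
    """Review check: bind mounts of host paths without "ro", i.e. places
    where a process inside the container can write back to the host."""
    return [
        m["destination"] for m in config.get("mounts", [])
        if set(m.get("options", [])) & BIND_OPTIONS and "ro" not in m["options"]
    ]


if __name__ == "__main__":
    cfg = load_sample()
    print("rewrote type none -> bind for:", fix_mount_types(cfg))
    print("writable host binds:", writable_host_binds(cfg))
```

To use it on a real file, replace `load_sample()` with `json.load(open("config.json"))` and write the mutated dict back with `json.dump`.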