Re: [atomic-devel] how to try combining skopeo+ostree+bwrap-oci
Muayyad AlSadi writes:

> here is my blog post
>
> https://bcksp.blogspot.com/2018/02/diy-docker-using-skopeoostreerunc.html

If you are interested in putting this blog post in the perspective of how the atomic CLI works and explaining its internals as you did, I can help you with the review and we could publish it on: http://www.projectatomic.io/blog/.

What do you think?

Thanks,
Giuseppe
Re: [atomic-devel] how to try combining skopeo+ostree+bwrap-oci
Muayyad AlSadi writes:

>> Please use the original config.json file you get with 'runc spec --rootless'
>> and change only the process/args there.
>
> that did not work,

Is this still broken with my PR?

Giuseppe
Re: [atomic-devel] how to try combining skopeo+ostree+bwrap-oci
> Please use the original config.json file you get with 'runc spec --rootless'
> and change only the process/args there.

that did not work,

> that won't work, you need to specify the mounts. Have you tried with
> bwrap-oci from the PR I've opened?

I'm using this

$ rpm -q bwrap-oci
bwrap-oci-0.2-1.fc27.x86_64

your PR and branch work fine

On Sun, Feb 25, 2018 at 4:29 PM, Giuseppe Scrivano wrote:
>
> Muayyad AlSadi writes:
>
> > no, it did not work for me
> >
> > I've removed the entire mount section
> >
> > "mounts": [ ],
>
> that won't work, you need to specify the mounts. Have you tried
> with bwrap-oci from the PR I've opened?
>
> Please use the original config.json file you get with 'runc spec
> --rootless' and change only the process/args there.
>
> Regards,
> Giuseppe
>
Re: [atomic-devel] how to try combining skopeo+ostree+bwrap-oci
Muayyad AlSadi writes:

> no, it did not work for me
>
> I've removed the entire mount section
>
> "mounts": [ ],

That won't work, you need to specify the mounts. Have you tried with bwrap-oci from the PR I've opened?

Please use the original config.json file you get with 'runc spec --rootless' and change only the process/args there.

Regards,
Giuseppe
Re: [atomic-devel] how to try combining skopeo+ostree+bwrap-oci
no, it did not work for me

I've removed the entire mount section

"mounts": [ ],

I tried to only remove the sys/none item in mounts; it got stuck (no output, no error message, and on another terminal it would be running).

The following

bwrap-oci --dry-run run delme

gives

/usr/bin/bwrap --userns-block-fd FD --as-pid-1 --die-with-parent --bind rootfs / --unshare-pid --unshare-ipc --unshare-uts --unshare-user --unshare-user --cap-drop ALL --cap-add CAP_KILL --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_AUDIT_WRITE --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --tmpfs /tmp --dev-bind /dev/tty /dev/tty --hostname runc --block-fd FD --sync-fd FD --info-fd FD --bind /dev/null /proc/kcore --bind /dev/null /proc/latency_stats --bind /dev/null /proc/timer_list --bind /dev/null /proc/timer_stats --bind /dev/null /proc/sched_debug --bind /dev/null /sys/firmware --bind /dev/null /proc/scsi --ro-bind /proc/asound /proc/asound --ro-bind /proc/bus /proc/bus --ro-bind /proc/fs /proc/fs --ro-bind /proc/irq /proc/irq --ro-bind /proc/sys /proc/sys --ro-bind /proc/sysrq-trigger /proc/sysrq-trigger --remount-ro / sh

which does not work, but the following works fine

/usr/bin/bwrap --as-pid-1 --die-with-parent --bind rootfs / --unshare-pid --unshare-ipc --unshare-uts --unshare-user --unshare-user --cap-drop ALL --cap-add CAP_KILL --cap-add CAP_NET_BIND_SERVICE --cap-add CAP_AUDIT_WRITE --chdir / --setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --setenv TERM xterm --uid 0 --gid 0 --proc /proc --dev /dev --bind /dev/pts /dev/pts --tmpfs /dev/shm --mqueue /dev/mqueue --tmpfs /tmp --dev-bind /dev/tty /dev/tty --hostname runc --remount-ro / sh

the config is attached

On Sun, Feb 25, 2018 at 2:01 PM, Giuseppe Scrivano wrote:
> Hi Muayyad,
>
> Muayyad AlSadi writes:
>
> > here is my blog post
> >
> > https://bcksp.blogspot.com/2018/02/diy-docker-using-skopeoostreerunc.html
>
> That is definitely a great blog post! It is a very good explanation of
> how the atomic CLI works for a non root user.
>
> > the error in "bwrap-oci run"
> > bwrap-oci: unknown mount type none
> > was because of type none in /sys
> >
> > "mounts": [
> >   ...
> >   {
> >     "destination": "/sys",
> >     "type": "none",
> >     "source": "/sys",
> >     "options": [
> >       "rbind",
> >       "nosuid",
> >       "noexec",
> >       "nodev",
> >       "ro"
> >     ]
> >   }
> >
> > but removing it did not solve the problem
>
> The issue you reported is a bug in bwrap-oci. It fails with an error
> caused by the '"type" : "none"' generated by 'runc spec --rootless'.
>
> Could you please try if this PR solves the problem for you?
>
> https://github.com/projectatomic/bwrap-oci/pull/17
>
> Another option is to change "none" to "bind" in the configuration file.
>
> In general bwrap-oci is more tolerant than runc with the config.json
> configuration. bwrap-oci takes the freedom of adding the user namespace
> even if it is not specified and handles the user mapping inside of the
> container (if you need more than one user mapped please take a look at
> /etc/subuid and /etc/subgid). It is designed this way so that the
> configuration that works for a system container could to some extent be
> used by a non root user in a seamless way.
>
> You should be fine to run the container with the config.json file you
> get with "runc spec" without the "--rootless" option.
>
> Please let me know if this works for you.
>
> Regards,
> Giuseppe
Re: [atomic-devel] how to try combining skopeo+ostree+bwrap-oci
Hi Muayyad,

Muayyad AlSadi writes:

> here is my blog post
>
> https://bcksp.blogspot.com/2018/02/diy-docker-using-skopeoostreerunc.html

That is definitely a great blog post! It is a very good explanation of how the atomic CLI works for a non root user.

> the error in "bwrap-oci run"
> bwrap-oci: unknown mount type none
> was because of type none in /sys
>
> "mounts": [
>   ...
>   {
>     "destination": "/sys",
>     "type": "none",
>     "source": "/sys",
>     "options": [
>       "rbind",
>       "nosuid",
>       "noexec",
>       "nodev",
>       "ro"
>     ]
>   }
>
> but removing it did not solve the problem

The issue you reported is a bug in bwrap-oci. It fails with an error caused by the '"type" : "none"' generated by 'runc spec --rootless'.

Could you please try if this PR solves the problem for you?

https://github.com/projectatomic/bwrap-oci/pull/17

Another option is to change "none" to "bind" in the configuration file.

In general bwrap-oci is more tolerant than runc with the config.json configuration. bwrap-oci takes the freedom of adding the user namespace even if it is not specified and handles the user mapping inside of the container (if you need more than one user mapped please take a look at /etc/subuid and /etc/subgid). It is designed this way so that the configuration that works for a system container could to some extent be used by a non root user in a seamless way.

You should be fine to run the container with the config.json file you get with "runc spec" without the "--rootless" option.

Please let me know if this works for you.

Regards,
Giuseppe
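Giuseppe's workaround above (rewrite the "type": "none" bind mount that 'runc spec --rootless' emits to "type": "bind"), together with his earlier point that an emptied "mounts" list will not work, as an added example that is not part of this thread, of bwrap-oci or of runc. The sample config is constructed from the /sys mount quoted in the thread; the rewrite refuses a "none" mount that carries no bind/rbind option, since there is nothing safe to turn it into.

```python
import copy
import json

# Constructed sample: the /sys entry exactly as quoted in the thread, plus an
# ordinary proc mount so the rewrite leaves unrelated entries alone.
SAMPLE_CONFIG = {
    "ociVersion": "1.0.0",
    "process": {"args": ["sh"]},
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/sys", "type": "none", "source": "/sys",
         "options": ["rbind", "nosuid", "noexec", "nodev", "ro"]},
    ],
}

BIND_OPTIONS = {"bind", "rbind"}


def normalize_mounts(config):
    """Return (fixed_config, rewritten_destinations).

    Mounts with type "none" whose options contain bind/rbind become type
    "bind", the form bwrap-oci understands. The input dict is not modified.
    """
    mounts = config.get("mounts")
    if not mounts:
        # bwrap-oci needs the mounts spelled out; "mounts": [] does not work.
        raise ValueError('config.json must specify mounts; "mounts": [] will not work')
    fixed = copy.deepcopy(config)
    rewritten = []
    for m in fixed["mounts"]:
        if m.get("type") != "none":
            continue
        if not BIND_OPTIONS & set(m.get("options", [])):
            raise ValueError(f"mount {m['destination']}: type none without bind/rbind option")
        m["type"] = "bind"
        rewritten.append(m["destination"])
    return fixed, rewritten


def rewrite_config_file(path):
    """Apply normalize_mounts to an on-disk config.json in place."""
    with open(path) as f:
        fixed, rewritten = normalize_mounts(json.load(f))
    with open(path, "w") as f:
        json.dump(fixed, f, indent="\t")
    return rewritten


if __name__ == "__main__":
    fixed, rewritten = normalize_mounts(SAMPLE_CONFIG)
    print("rewritten:", rewritten)
    print(json.dumps(fixed["mounts"], indent=2))
```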