Re: [atomic-devel] how to try combining skopeo+ostree+bwrap-oci

2018-03-05 Thread Giuseppe Scrivano
Muayyad AlSadi writes:

> when using runc
>
> $ mypid=`runc list | tail -n 1 | awk '{print $2}'`
> $ nsenter -a -t $mypid /bin/sh
> nsenter: reassociate to namespace 'ns/cgroup' failed: Operation not permitted
> $ sudo nsenter -a -t $mypid /bin/sh
> # worked fine
>
> but when using bwraps
>
> $ mypid=`bwrap-oci list | tail -n 1 | awk '{print $2}'`
> $ nsenter -a -t $mypid /bin/sh
> nsenter: reassociate to namespace 'ns/net' failed: Operation not permitted
> $ sudo nsenter -a -t $mypid /bin/sh
> nsenter: failed to execute /bin/sh: No such file or directory

I guess that is an issue in bwrap as it internally uses chroot instead
of a pivot_root.  This PR should probably fix the problem you are
seeing:

  https://github.com/projectatomic/bubblewrap/pull/256

Giuseppe



Re: [atomic-devel] how to try combining skopeo+ostree+bwrap-oci

2018-03-05 Thread Muayyad AlSadi
when using runc

$ mypid=`runc list | tail -n 1 | awk '{print $2}'`
$ nsenter -a -t $mypid /bin/sh
nsenter: reassociate to namespace 'ns/cgroup' failed: Operation not permitted
$ sudo nsenter -a -t $mypid /bin/sh
# worked fine

but when using bwraps

$ mypid=`bwrap-oci list | tail -n 1 | awk '{print $2}'`
$ nsenter -a -t $mypid /bin/sh
nsenter: reassociate to namespace 'ns/net' failed: Operation not permitted
$ sudo nsenter -a -t $mypid /bin/sh
nsenter: failed to execute /bin/sh: No such file or directory


Why do I need to be root to join using nsenter with runc,
and why did bwraps fail even if I'm root?

On Mon, Mar 5, 2018 at 1:23 PM, Giuseppe Scrivano wrote:

> Muayyad AlSadi writes:
>
> > it seems there is no bwrap-oci exec and nsenter does not work as regular user.
> >
> > how to enter an existing user name space just like "runc exec redis /bin/sh"
> > using bubble wrap or nsenter?
>
> exec is not implemented yet.  The easiest way to workaround this
> limitation is to use directly "nsenter -a".
>
> Regards,
> Giuseppe
>


Re: [atomic-devel] how to try combining skopeo+ostree+bwrap-oci

2018-03-05 Thread Giuseppe Scrivano
Muayyad AlSadi writes:

> it seems there is no bwrap-oci exec and nsenter does not work as regular user.
>
> how to enter an existing user name space just like "runc exec redis /bin/sh" 
> using bubble wrap or nsenter?

exec is not implemented yet.  The easiest way to workaround this
limitation is to use directly "nsenter -a".

Regards,
Giuseppe



Re: [atomic-devel] how to try combining skopeo+ostree+bwrap-oci

2018-03-05 Thread Muayyad AlSadi
it seems there is no bwrap-oci exec and nsenter does not work as regular
user.

how to enter an existing user name space just like "runc exec redis /bin/sh"
using bubble wrap or nsenter?


On Sun, Feb 25, 2018 at 10:58 PM, Muayyad AlSadi wrote:

> > is this still broken with my PR?
>
> no, your PR and branch works fine, please merge it
>
> > if you are interested to put this blog post in the perspective of how
> > the atomic CLI works and explains its internals as you did, I can help you
> > with the review and we could publish it on: http://www.projectatomic.io/blog/.
> > What do you think?
>
> I'm in.
>
>
>
> On Sun, Feb 25, 2018 at 7:41 PM, Giuseppe Scrivano wrote:
>
>> Muayyad AlSadi writes:
>>
>> > here is my blog post
>> >
>> > https://bcksp.blogspot.com/2018/02/diy-docker-using-skopeoostreerunc.html
>>
>> if you are interested to put this blog post in the perspective of how
>> the atomic CLI works and explains its internals as you did, I can help
>> you with the review and we could publish it on:
>> http://www.projectatomic.io/blog/.
>>
>> What do you think?
>>
>> Thanks,
>> Giuseppe
>>
>
>