what about requiring sudo to do nsenter? (even when using runc rootless)
On Mon, Mar 5, 2018 at 4:09 PM, Giuseppe Scrivano
wrote:
> Muayyad AlSadi writes:
>
> > when using runc
> >
> > $ mypid=`runc list | tail -n 1 | awk '{print $2}'`
> > $ nsenter -a
Muayyad AlSadi writes:
> when using runc
>
> $ mypid=`runc list | tail -n 1 | awk '{print $2}'`
> $ nsenter -a -t $mypid /bin/sh
> nsenter: reassociate to namespace 'ns/cgroup' failed: Operation not permitted
> $ sudo nsenter -a -t $mypid /bin/sh
> # worked fine
>
> but when
when using runc
$ mypid=`runc list | tail -n 1 | awk '{print $2}'`
$ nsenter -a -t $mypid /bin/sh
nsenter: reassociate to namespace 'ns/cgroup' failed: Operation not permitted
$ sudo nsenter -a -t $mypid /bin/sh
# worked fine
but when using bwraps
$ mypid=`bwrap-oci list | tail -n 1 | awk
Muayyad AlSadi writes:
> it seems there is no bwrap-oci exec and nsenter does not work as regular user.
>
> how to enter an existing user name space just like "runc exec redis /bin/sh"
> using bubble wrap or nsenter?
exec is not implemented yet. The easiest way to work around
it seems there is no bwrap-oci exec and nsenter does not work as regular
user.
how to enter an existing user name space just like "runc exec redis /bin/sh"
using bubble wrap or nsenter?
On Sun, Feb 25, 2018 at 10:58 PM, Muayyad AlSadi wrote:
> > is this still broken with my
Muayyad AlSadi writes:
> here is my blog post
>
> https://bcksp.blogspot.com/2018/02/diy-docker-using-skopeoostreerunc.html
if you are interested to put this blog post in the perspective of how
the atomic CLI works and explains its internals as you did, I can help
you with the
Muayyad AlSadi writes:
>> Please use the original config.json file you get with 'runc spec --rootless'
>> and change only the process/args there.
>
> that did not work,
is this still broken with my PR?
Giuseppe
> Please use the original config.json file you get with 'runc spec --rootless' and change only the process/args there.
that did not work,
> that won't work, you need to specify the mounts. Have you tried with bwrap-oci from the PR I've opened?
I'm using this
$ rpm -q bwrap-oci
Muayyad AlSadi writes:
> no, it did not work for me
>
> I've removed the entire mount section
>
> "mounts": [ ],
that won't work, you need to specify the mounts. Have you tried
with bwrap-oci from the PR I've opened?
Please use the original config.json file you get with
no, it did not work for me
I've removed the entire mount section
"mounts": [ ],
I tried to only remove the sys/none item in mounts,
it got stuck (no output, no error message and on another terminal it would
be running)
the following
bwrap-oci --dry-run run delme
gives
/usr/bin/bwrap
Hi Muayyad,
Muayyad AlSadi writes:
> here is my blog post
>
> https://bcksp.blogspot.com/2018/02/diy-docker-using-skopeoostreerunc.html
That is definitely a great blog post! It is a very good explanation of
how the atomic CLI works for a non root user.
> the error in
here is my blog post
https://bcksp.blogspot.com/2018/02/diy-docker-using-skopeoostreerunc.html
the error in "bwrap-oci run"
bwrap-oci: unknown mount type none
was because of type none in /sys
"mounts": [
...
{
"destination": "/sys",
"type": "none",
after that, the following worked
cd cont1
runc spec
runc run myname
I also tried "runc spec --rootless" and it worked but bwrap-oci did not
$ bwrap-oci run
bwrap-oci: unknown mount type none
On Fri, Feb 23, 2018 at 1:33 AM, Muayyad AlSadi wrote:
> ostree checkout
ostree checkout ociimage/nginx_3Alatest cont1
cat cont1/manifest.json | jq '.layers[]|.digest' | sed -re 's/"//g' | cut -d ':' -f 2 | while read a; do echo ostree checkout --union ociimage/$a cont1/rootfs; done
what's next?
On Fri, Feb 23, 2018 at 12:18 AM, Muayyad AlSadi
hi,
I'm running Fedora as a regular user
and I wonder how can I use skopeo+ostree+bwrap-oci to run a docker image
using bwrap-oci having files stored as ostree
$ mkdir ostree
$ cd ostree
$ ostree init --mode=bare-user --repo=$PWD
$ skopeo copy docker://redis:alpine ostree:redis@$PWD
$ skopeo copy