I confirmed I can create crictl pods and containers with rootless crun + containerd + cgroup2.
However, creating a "privileged" container (which is not really privileged) fails with setrlimit (RLIM_MEMLOCK): Operation not permitted. This error is not reproducible with docker (podman) run --privileged.
Repro
https://github.com/AkihiroSuda/critest-rootless-cgroup2/tree/v0.0.2
$ git clone https://github.com/AkihiroSuda/critest-rootless-cgroup2.git
$ cd critest-rootless-cgroup2
$ git checkout v0.0.2
$ ./bin-download.sh
$ cp -f /usr/local/bin/crun ./bin/crun
$ ./containerd.sh
Make sure a non-privileged container can be created:
$ ./run.sh crun
+ RUNTIME=crun
++ ./crictl.sh pods -q
+ [[ -n '' ]]
++ ./crictl.sh run --runtime=crun container-config.json pod-config.json
+ id=24c63a15fa18152acc378511c08680cc1383cfa1262e4fbb7688b858ce711e81
+ ./crictl.sh exec -it 24c63a15fa18152acc378511c08680cc1383cfa1262e4fbb7688b858ce711e81 sh
/ # echo hi
hi
/ # exit
But a privileged container fails:
$ vi pod-config.json container-config.json
$ git diff
diff --git a/container-config.json b/container-config.json
index fd33c47..0e4401b 100644
--- a/container-config.json
+++ b/container-config.json
@@ -11,7 +11,7 @@
"log_path":"my-container.log",
"linux": {
"security_context": {
- "privileged": false
+ "privileged": true
},
"resources": {
"cpu_shares": 128,
diff --git a/pod-config.json b/pod-config.json
index 92b8c62..2dd0548 100644
--- a/pod-config.json
+++ b/pod-config.json
@@ -9,7 +9,7 @@
"linux": {
"cgroup_parent": "user.slice",
"security_context": {
- "privileged": false
+ "privileged": true
}
}
}
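Review bot: containerd's CRI plugin rejects a privileged container inside a non-privileged sandbox, so this pod-config.json hunk and the container-config.json hunk above have to be applied together; flipping only the container-level "privileged" would fail earlier with a different CRI error and never reach the setrlimit (RLIM_MEMLOCK) failure this report is about.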
$ ./run.sh crun
+ RUNTIME=crun
++ ./crictl.sh pods -q
+ [[ -n '' ]]
++ ./crictl.sh run --runtime=crun container-config.json pod-config.json
FATA[0002] Running container failed: starting the container "769dab3af2de88a7c70c49d67a7985f9fc3e7f592f4bf5094047c6427c70eb03" failed: rpc error: code = Unknown desc = failed to create containerd task: OCI runtime create failed: setrlimit (RLIM_MEMLOCK): Operation not permitted: unknown
+ id=
Fails on crun v0.13 and crun a4f4fb9. (Doesn't work with runc either, due to a different error).
Host: Ubuntu 20.04.
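To see why a rootless runtime hits this error, here is a small added probe (not code from the issue, crun or containerd; it assumes Linux): the kernel lets a process lower its RLIMIT_MEMLOCK freely, but raising the hard limit requires CAP_SYS_RESOURCE in the initial user namespace, which a rootless runtime never has even though it holds capabilities inside its own user namespace, so the same setrlimit call returns EPERM.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Current hard RLIMIT_MEMLOCK of this process (RLIM_INFINITY if getrlimit fails). */
rlim_t current_hard_memlock(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return RLIM_INFINITY;
    return rl.rlim_max;
}

/* Apply an rlimit the way an OCI runtime applies a process.rlimits entry:
   soft and hard both set to `want`. Returns 0 on success, otherwise errno. */
int try_set_memlock(rlim_t want) {
    struct rlimit rl = { .rlim_cur = want, .rlim_max = want };
    return setrlimit(RLIMIT_MEMLOCK, &rl) == 0 ? 0 : errno;
}

/* Probe whether this process may raise its hard RLIMIT_MEMLOCK. The kernel
   allows that only with CAP_SYS_RESOURCE in the initial user namespace; a
   rootless runtime holds capabilities only inside its own user namespace,
   so the attempt fails with EPERM. Returns 1 if raising worked (the original
   limit is restored), 0 on EPERM, -1 on any other error. */
int probe_raise_hard_memlock(void) {
    struct rlimit orig;
    if (getrlimit(RLIMIT_MEMLOCK, &orig) != 0)
        return -1;
    if (orig.rlim_max >= RLIM_INFINITY - 1)
        return 1; /* already unlimited: nothing to raise */
    int rc = try_set_memlock(orig.rlim_max + 1);
    if (rc == EPERM) return 0;
    if (rc != 0) return -1;
    return setrlimit(RLIMIT_MEMLOCK, &orig) == 0 ? 1 : -1; /* had the capability */
}

int main(void) {
    rlim_t hard = current_hard_memlock();
    printf("hard RLIMIT_MEMLOCK: %llu\n", (unsigned long long)hard);
    /* Lowering or keeping the limit never needs a capability. */
    printf("set soft=hard: %s\n", strerror(try_set_memlock(hard)));
    switch (probe_raise_hard_memlock()) {
    case 1:  puts("raise hard limit: allowed (CAP_SYS_RESOURCE held)"); break;
    case 0:  puts("raise hard limit: EPERM, the error crun reports above"); break;
    default: puts("raise hard limit: unexpected error");
    }
    return 0;
}
```

Run it as an unprivileged user and inside a rootless container to compare: the first setrlimit succeeds in both cases, the raise attempt reports EPERM unless the process really holds CAP_SYS_RESOURCE in the host's user namespace.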