Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

make-dind is a new image for rootless dind-enabled Prow jobs #655

Closed
wants to merge 2 commits into from
Closed

make-dind is a new image for rootless dind-enabled Prow jobs #655

wants to merge 2 commits into from

Conversation

maelvls
Copy link
Member

@maelvls maelvls commented Apr 1, 2022
edited
Loading

See #656

To test it yourself locally, you will have to configure your CRI so that it runs as non-root:

Then, build the dind image (choose the correct command):

nerdctl build -t local/make-dind -f images/make-dind/Dockerfile ./images/make-dind
docker build -t local/make-dind -f images/make-dind/Dockerfile ./images/make-dind

Finally, run the image:

nerdctl run -it --privileged -v /tmp:/tmp --tmpfs /var/lib/containerd local/make-dind bash
docker run -it --privileged -v /tmp:/tmp --tmpfs /var/lib/containerd local/make-dind bash

You should get a prompt. Try to run a container:

nerdctl run alpine ls

⚠️ The following warning can be ignored:

WARN[0002] default network named "bridge" does not have an internal nerdctl ID or nerdctl-managed config file, it was most likely NOT created by nerdctl

Why --privileged when we want a rootless container? The container requires a number of capabilities to configure cgroups for the child containers and such.

@jetstack-bot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@jetstack-bot jetstack-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels Apr 1, 2022
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maelvls

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 1, 2022
@inteon
Copy link
Member

inteon commented Mar 27, 2023
edited
Loading

This is how I was able to run the image on my machine (based on https://docs.docker.com/engine/security/userns-remap/):

  1. update /etc/docker/daemon.json and add "userns-remap": "default"
  2. reboot my system (just restarting containerd didn't seem to do the trick)

@maelvls
work around nerdctl's default network issue
2ccdd85 
In this PR, I added a CNI configuration so that containerd stops
complaining about not being able to load the CNI plugin. The message
was:

  failed to load cni during init, please check CRI plugin status before
  setting up network for pods  error="cni config load failed: no network
  config found in /etc/cni/net.d: cni plugin not initialized: failed to load cni config"

The cni.json file is picked up by nerdctl as a network:

  root@8deca99e60b5:/# nerdctl network ls
  NETWORK ID    NAME      FILE
                bridge    /etc/cni/net.d/nerdctl-bridge.conflist
                host
                none

It is important to use the name "bridge" in the CNI configuration, ie.,
you should see:

  {
    "cniVersion": "1.0.0",
    "name": "bridge",
    ...
  }

Otherwise, nerdctl will try to create another bridge network, and you
will get the following error message:

  FATA[0002] failed to create default network: subnet 10.4.0.0/24 overlaps with other
  one on this address space

The following warning can be ignored:

  WARN[0002] default network named "bridge" does not have an internal nerdctl ID or
  nerdctl-managed config file, it was most likely NOT created by nerdctl

Signed-off-by: Maël Valais <[email protected]>
@jetstack-bot jetstack-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 27, 2023
@maelvls
Copy link
Member Author

maelvls commented Mar 27, 2023

Everything in this PR is pointless: we don't have control over the CRI!! Since we are using GKE and that the GKE CRI is root, there is no point in trying to make our container image "rootless-ready" when the CRI will run as root anyways...

@maelvls maelvls closed this Mar 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@maelvls @jetstack-bot @inteon