Systemd requirement for running rootless containers

[afbjorklund]

Currently systemd is required for installing containerd with lima:

ERRO[0016] [1 error occurred:
	* failed to satisfy the optional requirement 1 of 2 "systemd must be available": systemd is required to run containerd, but does not seem to be available.
Make sure that you use an image that supports systemd. If you do not want to run
containerd, please make sure that both 'container.system' and 'containerd.user'
are set to 'false' in the config file.

Should we make another OpenRC service, that drops privileges ?

/etc/init.d/S60buildkitd
/etc/init.d/S60containerd

(there seems to be a small typo in containerd.system as well)

---

Everything runs fine with sudo nerdctl. It also enables faster builds.

Just wonder if supporting rootless would be a "requirement"/desire ?

I've packaged shadow, so mostly fuse-overlayfs and slirp4netns left...

The services would start as root, and then change to use UID 1000.

https://forums.gentoo.org/viewtopic-t-1040726-start-0.html

Usage: start-stop-daemon [options] 

  -u, --user <arg>                  Change the process user

Then it could be included in cloud-init, which variant to start (root/user)

[afbjorklund]

Something like:

# rc-service containerd-rootless start
# rc-service buildkitd-rootless start

And then it was something about FreeDesktop (xdg) and logins...

• XDG_RUNTIME_DIR (/etc/profile.d/xdg_runtime_dir.sh)
• linger

[AkihiroSuda]

Just wonder if supporting rootless would be a "requirement"/desire ?

Actually rootless is not a hard requirement.
Currently alpine-lima image isn’t configured to support rootless.

lima/examples/alpine.yaml

Line 18 in afe1059

user: false

[afbjorklund]

I did notice it was an optional requirement.

Just wonder if it would be a "nice feature", even if docker-machine ran fine without it...
I enabled it for podman-machine*, but I'm not sure the feature was "needed" (in a VM)

* https://github.com/boot2podman/boot2podman/blob/master/building_rootless.md

[afbjorklund]

I currently use:

containerd:
  system: false
  user: false 

Since system containerd is installed using packages, instead of the extra tarball.
Main downside being the slightly older version of containerd (1.4 instead of 1.5)

BR2_PACKAGE_CONTAINERD=y

https://github.com/buildroot/buildroot/tree/2021.08.x/package/containerd

i.e. more similar to how it works for "docker.yaml" and "podman.yaml" examples

[afbjorklund]

I made some initial attempts, using the scripts from nerdctl and readmes...

• containerd-rootless.sh (https://github.com/containerd/containerd/blob/main/docs/rootless.md)

https://github.com/containerd/nerdctl/blob/master/extras/rootless/containerd-rootless.sh

• buildkitd-rootless.sh (https://github.com/moby/buildkit/blob/master/docs/rootless.md)

#!/bin/sh
exec rootlesskit --net=slirp4netns --copy-up=/etc --disable-host-loopback buildkitd $@

The rootlesskit requirement was a bit underdocumented, but easy to add.

[jandubois]

The services would start as root, and then change to use UID 1000.

Why is this necessary? Why not run the service under the user LIMA_CIDATA_USER from the start? We used to run the guestagent that way before we switched it to root to be able to run iptables: https://github.com/lima-vm/lima/blob/06e35a6/pkg/cidata/cidata.TEMPLATE.d/boot/25-guestagent-base.sh#L37

[afbjorklund]

Why not run the service under the user LIMA_CIDATA_USER from the start?

But I want to be able to run both normal (root) and rootless containers.

There is plenty of complexity and hacks in the userspace implementation,
and still missing features like proper networking and building to containerd
The overlayfs got a little better in later kernels (no more fuse-overlayfs),
but if anything I would tend to leave the rootless containers as an add-on...

Anyway, it can stay root-by-default and systemd-only in upstream distribution.

I think I updated the list of required programs, so now it's more the uid/gid mapping.
(it was a fairly short list: xdg_runtime_dir, rootlesskit, fuse-overlays, slirp4netns)
Supposedly one could add xinetd-openrc and "start" all of them, like systemd socket ?
But for now, I think I will just start both of them (root) at boot and leave the other two.

[afbjorklund]

Got it working now, at least when using the scripts and nerdctl...

$ containerd-rootless.sh &
$ nerdctl info
$ buildkitd-rootless.sh &
$ nerdctl build .

The init scripts, or ctr and buildctl, are not working quite yet though.

[afbjorklund]

Using system (root) only for now, and require systemd for user (rootless) containers.

I don't have a use case that is not fine with using the supported scripts from nerdctl...

/usr/local/bin/containerd-rootless-setuptool.sh

/usr/local/bin/containerd-rootless.sh