Support rootful containers in finch #196
Labels: enhancement (New feature or request)

Comments
We can either add a config to support rootful mode or switch to rootful mode by default. That needs us to weigh the pros and cons between rootful/rootless. About the pros of rootful over rootless, other than #186, #176 may also be resolved by switching to rootful mode. They need to be further validated in new e2e tests.

This should also be resolved. #32
vsiravar added a commit to runfinch/common-tests that referenced this issue on Feb 28, 2023:
Issue #, if available: runfinch/finch#196

*Description of changes:* Use nginx server for testing the port publish (`-p/--publish`) flag in the run command instead of [busybox netcat](https://busybox.net/downloads/BusyBox.html#nc). This is due to the fact that the cni gateway in rootful makes a request to the netcat server running in the container and closes the connection, which causes netcat to exit before a client on the host can make a connection to it.

*Testing done:* Yes.

- [X] I've reviewed the guidance in CONTRIBUTING.md

#### License Acceptance
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Signed-off-by: Vishwas Siravara <vsiravara@gmail.com>
vsiravar added a commit that referenced this issue on Mar 1, 2023:
Issue #, if available: Fixes #196

*Description of changes:* Change finch vm configuration to support rootful containers. Opening a draft PR to get early feedback while investigating lima-vm/lima#1376.

*Testing done:* 2 e2e tests are failing due to lima-vm/lima#1376.

### Additional tests for persistent disk feature to persist volumes and networks after vm is reinitialized

### Test for additonal_disk

#### Retains volumes after vm is restarted

```
$ finch vm stop && finch vm remove && finch vm init
$ finch run --name test-container -v ~/workplace:/workplace alpine ls /workplace
testfiles
$ finch vm stop && finch vm remove && finch vm init
$ finch start --attach test-container
testfiles
```

#### Retains created network after vm is reinitialized

```
$ finch vm stop && finch vm remove && finch vm init
$ finch network create my-bridge-network-1
756c515526ed29831c59d9f7d1b1142ec3e440b19096dc224ee25e9a883d00c1
$ finch network ls
NETWORK ID      NAME                   FILE
17f29b073143    bridge                 /etc/cni/net.d/nerdctl-bridge.conflist
d2f8cc31a256    my-bridge-network-1    /etc/cni/net.d/nerdctl-my-bridge-network-1.conflist
ce498ce9f1f0    my-bridge-network      /etc/cni/net.d/nerdctl-my-bridge-network.conflist
$ finch vm stop && finch vm remove && finch vm init
$ finch network ls
NETWORK ID      NAME                   FILE
17f29b073143    bridge                 /etc/cni/net.d/nerdctl-bridge.conflist
d2f8cc31a256    my-bridge-network-1    /etc/cni/net.d/nerdctl-my-bridge-network-1.conflist
ce498ce9f1f0    my-bridge-network      /etc/cni/net.d/nerdctl-my-bridge-network.conflist
# Connect container to the network
$ finch run --network my-bridge-network-1 alpine
```

### Tests for persisting images, containers, networks and volumes between rootless and rootful

#### Test setup

1. Install finch 0.4.0 from Installer (rootless).
2. Create images, containers, networks and volumes.

```
$ finch pull alpine
$ finch run alpine
$ finch network create rootless-network
$ finch run --name test-container -v ~/workplace:/workplace alpine ls /workplace
$ finch images
REPOSITORY    TAG       IMAGE ID        CREATED          PLATFORM          SIZE       BLOB SIZE
alpine        latest    69665d02cb32    2 minutes ago    linux/arm64/v8    7.8 MiB    3.1 MiB
$ finch ps -a
CONTAINER ID    IMAGE                              COMMAND            CREATED               STATUS                           PORTS    NAMES
1a1684bba87e    docker.io/library/alpine:latest    "/bin/sh"          2 minutes ago         Exited (0) 2 minutes ago                  alpine-1a168
924bd7b54549    docker.io/library/alpine:latest    "ls /workplace"    About a minute ago    Exited (0) About a minute ago
```

3. Stop and remove vm.
4. Build finch from this branch (rootful) and replace the finch binary under /Applications/Finch/bin/.
5. Edit /Applications/Finch/os/finch.yaml with the finch.yaml file from this branch.
6. Start the vm and check it's running in rootful mode.

```
$ LIMA_HOME=/Applications/Finch/lima/data /Applications/Finch/lima/bin/limactl shell finch
$ ps aux | grep containerd
root    1595  0.0  0.4   757868  33160 ?  Ssl  17:41  0:00 /usr/local/bin/containerd-stargz-grpc --log-level=debug --config=/etc/containerd-stargz-grpc/config.toml
root    1720  0.3  0.5  1419508  42832 ?  Ssl  17:41  0:00 /usr/local/bin/containerd
root    1911  0.0  0.1   720460   9640 ?  Sl   17:41  0:00 /usr/local/bin/containerd-shim-runc-v2 -namespace finch -id 1a1684bba87ea1d5a73285ae29ad890c91c27f74a9c7c43f236d34245fa4cc5c -address /run/containerd/containerd.sock
root    2142  0.0  0.1   720716  10284 ?  Sl   17:42  0:00 /usr/local/bin/containerd-shim-runc-v2 -namespace finch -id
```

7. Run tests

```
$ finch images
REPOSITORY    TAG       IMAGE ID        CREATED           PLATFORM          SIZE       BLOB SIZE
alpine        latest    69665d02cb32    10 minutes ago    linux/arm64/v8    7.8 MiB    3.1 MiB
$ finch ps -a
CONTAINER ID    IMAGE                              COMMAND            CREATED           STATUS     PORTS    NAMES
1a1684bba87e    docker.io/library/alpine:latest    "/bin/sh"          10 minutes ago    Created             alpine-1a168
924bd7b54549    docker.io/library/alpine:latest    "ls /workplace"    10 minutes ago    Created             test-container
$ finch start 1a1684bba87e
1a1684bba87e
$ finch network ls
NETWORK ID      NAME                FILE
17f29b073143    bridge              /etc/cni/net.d/nerdctl-bridge.conflist
4b2aad24cab9    rootless-network    /etc/cni/net.d/nerdctl-rootless-network.conflist
host
none
$ finch start --attach test-container
finch
```

- [X] I've reviewed the guidance in CONTRIBUTING.md

#### License Acceptance
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

---------

Signed-off-by: Vishwas Siravara <siravara@amazon.com>
Signed-off-by: Vishwas Siravara <vsiravara@Vishwass-MacBook-Air.local>
Signed-off-by: Vishwas Siravara <vsiravara@gmail.com>
Co-authored-by: Vishwas Siravara <vsiravara@Vishwass-MacBook-Air.local>
What is the problem you're trying to solve?
Currently finch runs containers in rootless mode using nerdctl and containerd. This prevents users from setting `memlock` in compose yml.

Describe the feature you'd like
Finch should support rootful mode.
Additional context
Rootless container: A rootless container is a container that could be run without root privileges in the host.
Rootful container: A rootful container is a container run by root in the host. Since the container is run by root, it has access to all the functionality that root has.
GitHub issue related to memlock:
#186
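As an added example that is not part of this issue or of the finch project, a POSIX shell check that tells a rootful from a rootless containerd by the user owning the containerd processes, which is what the `ps aux | grep containerd` step in the PR description above does by eye. The process listings are constructed samples; the user name `alice` in the rootless one is an assumption.

```shell
#!/bin/sh
# Added example (not finch project code): classify a `ps aux` listing as
# rootful or rootless by the owner of containerd and its shim processes.
# In rootful mode every container process has root on the VM, which is
# what lets memlock be raised and also what a defender may want to pin down.

# containerd_mode LISTING -> prints rootful | rootless | mixed | none
# Column 1 of `ps aux` is USER, column 11 is the command; the `grep`
# process itself has command "grep" and is therefore skipped.
containerd_mode() {
  users=$(printf '%s\n' "$1" |
    awk '$11 ~ /containerd/ { u = ($1 == "root") ? "root" : "nonroot"; print u }' |
    sort -u)
  case "$users" in
    "")      echo none ;;
    root)    echo rootful ;;
    nonroot) echo rootless ;;
    *)       echo mixed ;;
  esac
}

# require_mode EXPECTED LISTING -> status 0 if the VM runs in the expected
# mode, 1 otherwise; suitable as a health-check step inside the VM.
require_mode() {
  actual=$(containerd_mode "$2")
  [ "$actual" = "$1" ]
}

# Constructed sample, abridged from the rootful VM listing quoted in the PR.
ROOTFUL_PS='root 1595 0.0 0.4 757868 33160 ? Ssl 17:41 0:00 /usr/local/bin/containerd-stargz-grpc --log-level=debug
root 1720 0.3 0.5 1419508 42832 ? Ssl 17:41 0:00 /usr/local/bin/containerd
root 1911 0.0 0.1 720460 9640 ? Sl 17:41 0:00 /usr/local/bin/containerd-shim-runc-v2 -namespace finch
user 2300 0.0 0.0 6000 800 pts/0 S+ 17:42 0:00 grep containerd'

# Constructed sample: a rootless setup, containerd owned by an unprivileged user (assumed name).
ROOTLESS_PS='alice 1450 0.0 0.3 1400000 30000 ? Ssl 17:41 0:00 /usr/local/bin/rootlesskit --state-dir=/run/user/1000/containerd-rootless
alice 1470 0.3 0.5 1419508 42832 ? Ssl 17:41 0:00 /usr/local/bin/containerd
alice 2300 0.0 0.0 6000 800 pts/0 S+ 17:42 0:00 grep containerd'

# On a live VM (e.g. after `limactl shell finch`) pass the real listing:
#   containerd_mode "$(ps aux)"
echo "PR sample: $(containerd_mode "$ROOTFUL_PS")"          # rootful
echo "rootless sample: $(containerd_mode "$ROOTLESS_PS")"   # rootless
```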