diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2019-03-31 10:49:21 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2019-04-05 08:10:47 -0400 |
commit | a5c4fcb02244cb06ab64c9f18b7b1247406a2d32 (patch) | |
tree | 0d6ccb01416c4a9ed87c4627b16111d0cb75651f | |
parent | e73bc58ace00573fd221477bde2c5d285e2b795d (diff) | |
download | podman-a5c4fcb02244cb06ab64c9f18b7b1247406a2d32.tar.gz podman-a5c4fcb02244cb06ab64c9f18b7b1247406a2d32.tar.bz2 podman-a5c4fcb02244cb06ab64c9f18b7b1247406a2d32.zip |
Document shortcomings with rootless podman
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | rootless.md | 41 |
2 files changed, 43 insertions, 0 deletions
@@ -29,6 +29,8 @@ This project tests all builds against each supported version of Fedora, the late 1. Further work on the podman pod command 1. Further improvements on rootless containers +## [Shortcomings of Rootless Podman](https://github.com/containers/libpod/blob/master/docs/rootless.md) + ## Out of scope * Specializing in signing and pushing images to various storage backends. diff --git a/rootless.md b/rootless.md new file mode 100644 index 000000000..d397ae857 --- /dev/null +++ b/rootless.md @@ -0,0 +1,41 @@ +# Shortcomings of Rootless Podman + +The following list categorizes the known issues and irregularities with running Podman as a non-root user. Although currently functional, there is still a number of work items that are under consideration to be added. These proposed changes are in varying degrees of design and development. + +Contributors are more than welcomed to help with this work. If you decide to carve off a piece and work on it, please create an issue in [GitHub](https://github.com/containers/libpod/issues), and assign it to yourself. If you find other unexpected behaviour with rootless Podman and feel it’s warranted, please feel free to update this document. + +* Podman can not create containers that bind to ports < 1024. + * The kernel does not allow processes without CAP_NET_BIND_SERVICE to bind to low ports. +* Lacking “How To” documentation or documentation in general +* If /etc/subuid and /etc/subgid not setup for a user, then podman commands +can easily fail + * This can be a big issue on machines using Network Based Password information (FreeIPA, Active Directory, LDAP) + * We are working to get support for NSSWITCH on the /etc/subuid and /etc/subgid files. +* No cgroup Support (hopefully fixed when cgroups V2 happens). + * Cgroups V1 does not safely support cgroup delegation. + * Cgroups V2 development for container support is ongoing. +* Can not share container images with CRI-O or other users +* Difficult to use additional stores for sharing content +* Does not work on NFS homedirs + * NFS enforces file creation on different UIDs on the server side and does not understand User Namespace. + * When a container root process like YUM attempts to create a file owned by a different UID, NFS Server denies the creation. +* Does not work with homedirs mounted with noexec/nodev + * User can setup storage to point to other directories they can write to that are not mounted noexec/nodev +* Can not use overlayfs driver, but does support fuse-overlayfs + * Ubuntu supports non root overlay, but no other Linux distros do. +* Only other supported driver is VFS. +* No KATA Container support +* No CNI Support + * CNI wants to modify IPTables, plus other network manipulation that I requires CAP_SYS_ADMIN. + * There is potential we could probably do some sort of blacklisting of the relevant plugins, and add a new plugin for rootless networking - slirp4netns as one example and there may be others +* Cannot use ping + * [(Can be fixed by setting sysctl on host)](https://github.com/containers/libpod/blob/master/troubleshooting.md#5-rootless-containers-cannot-ping-hosts) +* Requires new shadow-utils (not found in older (RHEL7/Centos7 distros) Should be fixed in RHEL7.7 release +* A few commands do not work. + * mount/unmount (on fuse-overlay) + * Only works if you enter the mount namespace with a tool like buildah unshare + * podman stats (Lack of Cgroup support) + * Checkpoint and Restore (CRIU requires root) + * Pause and Unpause (no freezer cgroup) +* Issues with higher UIDs can cause builds to fail + * If a build is attempting to use a UID that is not mapped into the user namespace mapping for a container, then builds will not be able to put the UID in an image. |