rkt: `run` as unprivileged user · rkt/rkt#1585

(14 comments) (9 reactions) (0 assignees)Go (8,871 stars) (865 forks)batch import

area/securitycomponent/stage1help wantedkind/enhancement

Description

Recent changes to rkt have allowed us to perform a large subset of rkt commands (image list, fetch, etc) as an unprivileged user. It would be nice if it was possible to do ALL rkt operations this way: the elephant in the room is run, which historically requires root privileges for several operations (chroot, setting up network namespaces).

For the default rkt stage1, this would likely be predicated on systemd-nspawn gaining this ability. Relevant systemd thread: http://lists.freedesktop.org/archives/systemd-devel/2015-February/028024.html

Another option is to explore using unc to create containers: #1318

Contributor guide

Tech stack: go
Domain: infrastructure
Issue type: feature
Difficulty: 5
Estimated time: over 1 week
Activity status: stale
Clarity: mostly clear
Prerequisites: Linux containerssystemdGo programmingsecurity contexts
Newbie friendliness: 10
Research direction: Investigate systemd nspawn's unprivileged container support as noted in the linked systemd thread (http://lists.freedesktop.org/archives/systemd devel/2015 February/028024.html). Also explore alternative approaches like user namespaces or the unc library mentioned in issue #1318. Assess the feasibility of modifying rkt's stage1 to work without root privileges, considering the current state of the repository as the project has ended.