Rootless containers refers to the ability for an unprivileged user to create, run and otherwise manage containers. This term also includes the variety of tooling around containers that can also be run as an unprivileged user. The goal of this website is to catalogue all of the open questions and unresolved issues that need to be solved to bring us closer to rootless containers “for all”.
“Unprivileged user” in this context refers to a user who does not have any administrative rights, and is “not in the good graces of the administrator” (in other words, they do not have the ability to ask for more privileges to be granted to them, or for software packages to be installed).
The objectives of this project are to allow an unprivileged user to:
O0) Create, run, and manage containers on their local machine.
O1) Create, modify, distribute, and extract container images on their local machine so they may run said container images though (
O2) Create, manage, and use a container orchestrator on either their local machine (effective a single-node cluster) or on a set of machines they would ordinarily be able to communicate with and run unprivileged programs on.
While security is not a primary objective of this project (the goal is user enablement), the intention is that any kernel-level improvements required to facilitate this project will involve collaboration with the Linux Container Hardening Project. We hope that the end result is that rootless containers will be secure as well as useful, thus allowing enterprises to support this usage of containers.
This is a living document, as is maintained by humans. If you wish to add more entries to this list, or have an update on a particular section, please open a pull request.
- Support rootless containers in a standardised container runtime.
- Support checkpointing and restoring containers in a standard container runtime. This is separate from the “standardised container runtime” requirement because it is an auxilliary feature, and is a more generic problem.
- Support rootless containers in an orchestration engine’s container runtime. “Container runtime” in this context contains more features and tasks than the technically precise definition would include.
- Write some documentation for users about how
they can use rootless containers. It would be really nice if we had some
allegory for Jessie’s awesome
dockerfilesrepo but using rootless containers (she actually uses them as well but some more descriptive documentation would really help).
cgroupsare not supported, because on the kernel side, unprivileged subtree management has not been implemented. After some discussions with the maintainer of
cgroupsis appears that there are some fundamental disagreements on the importance of unprivileged subtree management (and some of the API decisions made in the past make it difficult to implement). This restricts how many things a user can do with containers (
resumeare not implemented, for example).
criusupports unprivileged dumping (
restoreis not supported and the
checkpointing aspects have not been well tested in the context of rootless containers.
Network namespaces aren’t used in most cases because currently unprivileged network namespaces are not very useful (in the standard usage of containers) because a new network namespace doesn’t have any network interfaces (other than
lo). The standard way of linking network namespaces (
vethbridges) requires privileges in the host, which is not available in rootless containers. Some ideas for solving this are to implement unprivileged
vethbridges in the kernel, or to implement some sort of unprivileged userspace
vethbridge implementation. The jury is out on this one at the moment, so we just use the host’s network namespace and call it a day.
- Add support to a tool for creating and modifying standardised container images as an unprivileged user.
- Add support to a tool for extracting and manipulating a root filesystem extracted from a standardised container image as an unprivileged user.
- Add support to a tool for
distributing standardised container images as an unprivileged user. Note that
currently the Open Container Initiative does not define a distribution
format, so “distribution” refers to effectively doing
rsyncor something similar. Once distribution is standardised, this requirement will be extended.
- Add support to a tool for building standardised container images as an unprivileged user.
- Add support to a storagedriver implementation to operate as an unprivileged user. This is separate from “extract and manipulate” because the naive implementation (just dump everything to a directory) works in principle but is not as efficient as using filesystem features to reduce the footprint of extracted images.
These requirements are implemented by several different tools, that each solve a piece of the puzzle. These tools can then be combined to create a “full-fledged” implementation of an image store or handler.
Distribution is the simplest problem to solve in this respect, and is
skopeo. In principle an Open Container Initiative
image can just be copied with
skopeo also has several features
related to conversion between different image formats that makes it incredibly
useful for a variety of other tasks.
skopeo does not require privileges for
any of this core functionality (and in fact, is normally used as an
Extraction, modification, and creation are implemented by
main issue with these operations is the limitations of the filesystem as an
unprivileged user, since there are a wide variety of operations that are not
permitted (for security reasons). As a result,
umoci’s rootless support comes
with some caveats:
umociwill recreate the precise (or as close as possible) root filesystem state of the container image as a privileged user, as an unprivileged user certain hacks are required. Examples include creating dummy files in place of device nodes that an unprivileged user cannot create, and forcing everything to be owned by the current unprivileged user. As a result, the results of the image extraction may be counter-inuitive, but a lot of work has gone into reducing the weirdness of these hacks. In addition,
umoci repackis implemented in such a way that it should not (in normal usage) result in an image that has
umoci’s hacks baked into it (if you run an image modified by an unprivileged user as a privileged user it should work normally).
Because of how discretionary access control works,
umocimay have to modify the root filesystem of an extracted image when doing “read-only” operations on the extracted image. This means that root filesystems on
umociis operating on them) may run into issues.
Building of images is implemented by
orca-build, which is a
proof-of-concept wrapper around
skopeo. There are
several other container builder projects which may implement this feature in
the future, but right now
orca-build is fast enough and is quite minimal. It
also has the additional feature of being compatbile with the
format for specifying build steps.
Orchestration is currently the biggest unknown. It’s not quite clear what is complete list of tasks necessary in order to make a container orchestrator run with the majority of its functionality working as an unprivileged user.
- Implement a way for a container networking interface plugin to run as an unprivileged user. This may involve just creating alternative plugins and swapping out the privileged versions.
These tasks do not have much significant progress. However, Cloud Foundry have implemented experimental rootless container support. The downside to their implementation is that it still requires several privileged binaries (thus not making it truly rootless, but it’s a great first step).
There has been some work in this space before, but (to our knowledge) nothing this ambitious. The following are a list of projects that have some kind of rootless container support.
xdg-app) implements parts of a container runtime as an unprivileged user, but to our knowledge it doesn’t implement enough of the Open Container Initiative standard (even with
bwrap-oci) to be a full container runtime.
lxchas implemented quite a substantial portion of rootless containers, but their implementation requires privileged helper binaries to set up
cgroupsand network interfaces. This is a reasonable compromise for a container runtime (and
runc’s solution was to just ignore those usecases) but it still means that practically it’s not possible to use
lxcin a way that would be required by this project.