opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-07-02 00:30:00 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update rootless shortcomings with cgroup V2 information

Browse Source 
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2019-11-01 09:03:01 -04:00
parent 7c7f0000ce
commit 1d707f5fa1
1 changed files with 8 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
rootless.md
View File

@ -6,6 +6,7 @@ Contributors are more than welcomed to help with this work. If you decide to ca
* Podman can not create containers that bind to ports < 1024. * Podman can not create containers that bind to ports < 1024.
* The kernel does not allow processes without CAP_NET_BIND_SERVICE to bind to low ports. * The kernel does not allow processes without CAP_NET_BIND_SERVICE to bind to low ports.
* You can modify the `net.ipv4.ip_unprivileged_port_start` sysctl to change the lowest port. For example `sysctl net.ipv4.ip_unprivileged_port_start=443` allows rootless Podman containers to bind to ports >= 443.
* “How To” documentation is patchy at best. * “How To” documentation is patchy at best.
* If /etc/subuid and /etc/subgid are not setup for a user, then podman commands * If /etc/subuid and /etc/subgid are not setup for a user, then podman commands
can easily fail can easily fail
@ -13,11 +14,11 @@ can easily fail
* We are working to get support for NSSWITCH on the /etc/subuid and /etc/subgid files. * We are working to get support for NSSWITCH on the /etc/subuid and /etc/subgid files.
* No cgroup V1 Support * No cgroup V1 Support
* cgroup V1 does not safely support cgroup delegation. * cgroup V1 does not safely support cgroup delegation.
* However, cgroup V2 provides cgroup delegation and is available on Fedora starting with version 29 and other Linux distributions. * As of Fedora 31 defaults to cgroup V2, which has full support of rootless cgroup management. Note this requires the --cgroup-manager within rootless containers to use systemd, which new containers will get by default.
* Some systemd's unit configuration options do not work in the rootless container * Some system unit configuration options do not work in the rootless container
* systemd fails to apply several options and failures are silently ignored (e.g. CPUShares, MemoryLimit). * systemd fails to apply several options and failures are silently ignored (e.g. CPUShares, MemoryLimit). Should work on cgroup V2.
* Use of certain options will cause service startup failures (e.g. PrivateNetwork). * Use of certain options will cause service startup failures (e.g. PrivateNetwork).
* Can not share container images with CRI-O or other users * Can not share container images with CRI-O or other rootfull users
* Difficult to use additional stores for sharing content * Difficult to use additional stores for sharing content
* Does not work on NFS or parallel filesystem homedirs (e.g. [GPFS](https://www.ibm.com/support/knowledgecenter/en/SSFKCN/gpfs_welcome.html)) * Does not work on NFS or parallel filesystem homedirs (e.g. [GPFS](https://www.ibm.com/support/knowledgecenter/en/SSFKCN/gpfs_welcome.html))
* NFS and parallel filesystems enforce file creation on different UIDs on the server side and does not understand User Namespace. * NFS and parallel filesystems enforce file creation on different UIDs on the server side and does not understand User Namespace.
@ -35,9 +36,9 @@ can easily fail
* Requires new shadow-utils (not found in older (RHEL7/Centos7 distros) Should be fixed in RHEL7.7 release) * Requires new shadow-utils (not found in older (RHEL7/Centos7 distros) Should be fixed in RHEL7.7 release)
* A few commands do not work. * A few commands do not work.
* mount/unmount (on fuse-overlay) * mount/unmount (on fuse-overlay)
* Only works if you enter the mount namespace with a tool like buildah unshare * Only works if you enter the mount namespace with podman unshare
* podman stats (Without cgroup V2 support) * podman stats (Works with cgroup V2 support)
* Checkpoint and Restore (CRIU requires root) * Checkpoint and Restore (CRIU requires root)
* Pause and Unpause (no freezer cgroup) * Pause and Unpause (Works with cgroup V2 support)
* Issues with higher UIDs can cause builds to fail * Issues with higher UIDs can cause builds to fail
* If a build is attempting to use a UID that is not mapped into the user namespace mapping for a container, then builds will not be able to put the UID in an image. * If a build is attempting to use a UID that is not mapped into the user namespace mapping for a container, then builds will not be able to put the UID in an image.