
non-privileged run nerdctl inside Docker

Open elgalu opened this issue 3 years ago • 3 comments

What is the problem you're trying to solve

Currently --privileged is needed to run nerdctl inside Docker https://github.com/containerd/nerdctl/blob/9033fb9a17add2029fa9fda0f796abe1d9c7a677/README.md?plain=1#L138-L142

Describe the solution you'd like

To be able to run nerdctl inside a K8s pod without privileged access.

Additional context

No response

elgalu avatar Jun 14 '22 15:06 elgalu

For now, the description in README.md ("To run containerd and nerdctl inside Docker") just represents that the containerd service needs to be privileged (you can see the Dockerfile). The --privileged is not needed for the nerdctl binary.

So if you want to run nerdctl binary in the K8S pod, just ensure that the binary can access the containerd's Unix socket.

Zheaoli avatar Jun 14 '22 15:06 Zheaoli

just ensure that the binary can access the containerd's Unix socket.

No, it will not work as expected because nerdctl and containerd have to share the same filesystem. And yet exposing the socket equates to --privileged as you can create a privileged container.

AkihiroSuda avatar Jun 15 '22 06:06 AkihiroSuda
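Added example, not code from the nerdctl project or from anyone in this thread: a small pod-spec audit that applies the point made above, treating a host-mounted containerd or Docker socket (or any hostPath directory that contains one) as equivalent to privileged=true. The socket paths, the helper names and the sample pod are assumptions constructed for the example.

```python
import os
from typing import Dict, List

# Host paths of the runtime sockets we care about (assumed, not from the page).
RUNTIME_SOCKETS = ("/run/containerd/containerd.sock", "/var/run/docker.sock")


def exposes_runtime_socket(host_path: str) -> bool:
    """True if a hostPath volume at host_path is a runtime socket or a
    directory that contains one, e.g. /run/containerd or / itself."""
    norm = os.path.normpath(host_path)
    if norm == "/":
        return True
    return any(s == norm or s.startswith(norm + "/") for s in RUNTIME_SOCKETS)


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding per container that is privileged outright or
    that mounts a volume exposing the node's container runtime socket."""
    spec = pod.get("spec", {})
    risky_volumes = {
        v["name"]: v["hostPath"].get("path", "")
        for v in spec.get("volumes", [])
        if "hostPath" in v and exposes_runtime_socket(v["hostPath"].get("path", ""))
    }
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"{c['name']}: privileged=true")
        for m in c.get("volumeMounts", []):
            if m["name"] in risky_volumes:
                findings.append(
                    f"{c['name']}: mounts host {risky_volumes[m['name']]} via volume "
                    f"{m['name']} (equivalent to privileged)"
                )
    return findings


# Constructed sample: not privileged, but hands the pod the containerd socket.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nerdctl-runner"},
    "spec": {
        "containers": [{
            "name": "nerdctl", "image": "example/nerdctl:placeholder",
            "securityContext": {"privileged": False},
            "volumeMounts": [{"name": "containerd-sock", "mountPath": "/run/containerd"}],
        }],
        "volumes": [{"name": "containerd-sock", "hostPath": {"path": "/run/containerd/"}}],
    },
}

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```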

Probably we can follow the design of diuid, although it is extremely slow: https://github.com/weber-software/diuid

AkihiroSuda avatar Jun 15 '22 06:06 AkihiroSuda