runc configuration on rootless startup
I am starting my container as an unprivileged user which has subuid, subgid mappings. The user is dynamic. The mappings have to be put into the config.json and I have a script for this which updates the existing config.json file.
What are the thoughts on passing the subuid, subgid mappings to runc dynamically?
Option 1 can be that they are part of the command-line arguments to the create command.
Option 2 can be that they are part of the command-line arguments to the spec command. The spec command already takes one option today (--rootless).
The spec command is quite crude and only writes a template file with some basic configuration.
What is the difficulty to filter it after it has been written out to disk with some external tool (e.g. jq)?
It is not difficult; it is more that it is a step that has to be performed regardless. This is purely for convenience. Maybe the tooling reads out the sub files and uses them by default, again just for the convenience.
What is the difficulty to filter it after it has been written out to disk with some external tool (e.g. jq)?
In this specific case, jq is available, but that is not always the case in a small, close-to-the-metal system where one would opt to use crun rather than a chunkier container runtime higher up in the stack. It could certainly be argued "use sed then", but I reckon for running rootless containers in a contemporary way, setting the id as @utezduyar suggests is something you would want/need to do every time you set up your spec.
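The post-processing step discussed above (reading the user's ranges from the sub files and writing them into linux.uidMappings/gidMappings of a generated config.json), as an added example that is not part of this thread or of runc/crun. The subuid/subgid contents, the config.json skeleton and the user name "alice" are constructed; the mapping layout (container id 0 to the user's own id, the allotted range from container id 1) follows the convention used by common rootless tooling, not any fixed requirement of the OCI spec.

```python
import copy
from typing import Dict, List

# Constructed sample content in the format of /etc/subuid and /etc/subgid.
SUBUID_SAMPLE = "alice:100000:65536\nbob:165536:65536\n"
SUBGID_SAMPLE = "# comment line\nalice:100000:65536\n"
# Constructed minimal config.json, as `runc spec --rootless` might leave it.
CONFIG_SAMPLE = {"ociVersion": "1.0.2", "linux": {"namespaces": [{"type": "user"}]}}

def parse_subid(text: str, user: str) -> List[Dict[str, int]]:
    """Return the start/count ranges allotted to `user` in subuid/subgid text."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        name, start, count = line.split(":")
        if name == user:
            ranges.append({"start": int(start), "count": int(count)})
    if not ranges:
        raise ValueError(f"no sub-id range allotted to {user!r}")
    return ranges

def build_mappings(own_id: int, ranges: List[Dict[str, int]]) -> List[Dict[str, int]]:
    """Container id 0 maps to the user's own host id (size 1); the sub-id ranges
    follow contiguously from container id 1, as rootless tooling commonly does."""
    mappings = [{"containerID": 0, "hostID": own_id, "size": 1}]
    next_cid = 1
    for r in ranges:
        mappings.append({"containerID": next_cid, "hostID": r["start"], "size": r["count"]})
        next_cid += r["count"]
    return mappings

def patch_config(config: dict, user: str, uid: int, gid: int,
                 subuid_text: str, subgid_text: str) -> dict:
    """Fill linux.uidMappings/gidMappings and ensure a user namespace is requested."""
    patched = copy.deepcopy(config)
    linux = patched.setdefault("linux", {})
    linux["uidMappings"] = build_mappings(uid, parse_subid(subuid_text, user))
    linux["gidMappings"] = build_mappings(gid, parse_subid(subgid_text, user))
    namespaces = linux.setdefault("namespaces", [])
    if not any(ns.get("type") == "user" for ns in namespaces):
        namespaces.append({"type": "user"})
    return patched

def demo() -> dict:
    """Patch the constructed sample for user 'alice' whose own uid/gid is 1000."""
    return patch_config(CONFIG_SAMPLE, "alice", 1000, 1000, SUBUID_SAMPLE, SUBGID_SAMPLE)
```

On a real host the inputs would come from /etc/subuid and /etc/subgid, getpass.getuser(), os.getuid() and os.getgid(), with the result written back over config.json via json.dump.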