meta-fuse-csi-plugin
[Discuss] unprivileged rootful podman in kubernetes
Having read about different ways of operating podman in various environments, it certainly feels like getting this CSI project to work with podman in an unprivileged container in kubernetes would be a very interesting and strong use case which will benefit many.
The challenge ahead may be getting the fusermount proxy to somehow "work" with fuse-overlayfs when podman is configured to use overlay as the storage driver. And currently, without granting SYS_ADMIN, rootful podman simply does not work in an unprivileged container in a kubernetes pod.
Hi, @saschagrunert and @giuseppe. Is there currently any reference or something on running Podman within pods without privileged:true?
We have started the project to run fuse without requiring privileges within pods. It seems like it would be worthwhile to use this project to run fuse-overlayfs to run rootless podman.
FYI: We need to take the rootless network and some system calls (mount(2)) into consideration.
It seems fuse-overlayfs calls low-level api fuse_session_mount and it calls fusermount3 in fuse_kern_mount.
https://github.com/containers/fuse-overlayfs/blob/18f4d6768ab2178f0147c1bac0ccfd7d44841a56/main.c#L5883C7-L5883C25
https://github.com/libfuse/libfuse/blob/3f6cf537b77597d89bebd8387e93d4e42428b966/lib/fuse_lowlevel.c#L3179
I think this plugin can mount fuse-overlayfs, but its mount destination is statically defined in pod's manifest. AFAIK, Podman requires fuse-overlayfs to be mounted to each container's directory and the directories are dynamically specified. Current meta-fuse-csi-plugin cannot handle such dynamic behavior.
> Hi, @saschagrunert and @giuseppe. Is there currently any reference or something on running Podman within pods without privileged:true? We have started the project to run fuse without requiring privileges within pods. It seems like it would be worthwhile to use this project to run fuse-overlayfs to run rootless podman.

In this case you'd need to be able to create a user namespace. Podman can run in a pod without privileges as long as /proc is unmasked and it can create a user namespace. Without an unmasked /proc it is only able to build container images with --isolation=chroot
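Added example, not from this thread and not part of meta-fuse-csi-plugin or Podman: a hypothetical POSIX shell preflight that checks, from inside a pod, the two preconditions named in the reply above (user namespace creation and an unmasked /proc) plus the /dev/fuse device and fusermount3 that fuse-overlayfs mounts through. The list of /proc paths a default non-privileged pod gets masked is taken from the common container-runtime defaults and is an assumption here.

```shell
#!/bin/sh
# Hypothetical preflight script (not part of meta-fuse-csi-plugin or Podman):
# checks, from inside a pod, the preconditions for running Podman without
# privileged:true: an unmasked /proc, user namespace creation, and /dev/fuse.

# /proc entries a default (non-privileged) pod gets masked by the runtime
# (assumed list, taken from common runtime defaults).
MASKED_PROC_RE='^/proc/(acpi|kcore|keys|latency_stats|timer_list|timer_stats|sched_debug|scsi)$'

# masked_proc_paths [FILE]: print each masked /proc path mounted according to
# a mountinfo file (field 5 is the mount point); defaults to this container's.
masked_proc_paths() {
  awk -v re="$MASKED_PROC_RE" '$5 ~ re { print $5 }' "${1:-/proc/self/mountinfo}"
}

# proc_is_unmasked [FILE]: succeed only when no masked /proc path is present.
proc_is_unmasked() {
  [ -z "$(masked_proc_paths "$1")" ]
}

# can_create_userns: succeed when an unprivileged user namespace can be
# created; fails under a seccomp/AppArmor profile or sysctl that blocks it.
can_create_userns() {
  unshare --user true 2>/dev/null
}

# has_fuse_device: fuse-overlayfs mounts through fusermount3 and /dev/fuse.
has_fuse_device() {
  [ -c /dev/fuse ] && command -v fusermount3 >/dev/null 2>&1
}

# podman_preflight: report each check; returns 0 only if the hard checks pass.
podman_preflight() {
  rc=0
  if proc_is_unmasked; then echo "ok:   /proc is unmasked"
  else echo "FAIL: masked /proc paths present:"; masked_proc_paths | sed 's/^/      /'; rc=1; fi
  if can_create_userns; then echo "ok:   user namespace creation allowed"
  else echo "FAIL: cannot create a user namespace"; rc=1; fi
  if has_fuse_device; then echo "ok:   /dev/fuse and fusermount3 available"
  else echo "WARN: /dev/fuse or fusermount3 missing (fuse-overlayfs will not mount)"; fi
  return $rc
}
```

Inside the pod, source the file and run `podman_preflight`; a FAIL line means the corresponding pod setting (procMount or the user namespace restriction) needs changing before Podman can start.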
I didn't know --isolation=chroot. Thanks ;)

> Without an unmasked /proc it is only able to build container images with --isolation=chroot