Running Rootless

Open adamsmd opened this issue 3 years ago • 3 comments

This may be an incredibly naive question, but is there a way this container could be modified to work in rootless mode?

The main issue seems to be the mount at https://github.com/tonistiigi/binfmt/blob/eed5db1b8e2068e143291120f516bc8307f28569/cmd/binfmt/main.go#L182, but I don't know enough to know if there is an alternative to doing that mount.

The reason I am interested in this is that I am using act to develop my GitHub Actions. I would like to run it rootless, and some of my actions call the docker/setup-qemu-action GitHub Action, which in turn uses tonistiigi/binfmt at https://github.com/docker/setup-qemu-action/blob/10348241d3ea2d30357b172897afc31824ea2e2e/src/main.ts#L30.

adamsmd, Jan 09 '22 05:01

Currently no, but this kernel patch, "binfmt_misc: enable sandboxed mounts", may work: https://lkml.org/lkml/2021/12/16/407

AkihiroSuda, Jan 09 '22 05:01

So this means all emulated containers will run as root?

FerLuisxd, Aug 13 '22 08:08

> So this means all emulated containers will run as root?

No. The root privilege is needed only for registering QEMU into the kernel.

AkihiroSuda, Aug 13 '22 09:08
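The privileged step the thread refers to is writing a handler line into binfmt_misc; reading the resulting entries needs no privilege. As an added illustration (not code from this issue, from tonistiigi/binfmt or from QEMU), the POSIX shell snippet below builds such a registration line and summarises an existing entry so a non-root user can audit what is registered. The sample entry and the shortened magic/mask are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the issue or from tonistiigi/binfmt.
# Registering an emulator means writing one line to
# /proc/sys/fs/binfmt_misc/register, which requires root; the entries the
# kernel then exposes under /proc/sys/fs/binfmt_misc/<name> are world-readable.

# Build a registration line: :name:type:offset:magic:mask:interpreter:flags
# type M = match by magic bytes at the given offset (empty = 0).
# Flag F (fix binary) makes the kernel open the interpreter at registration
# time, so the handler keeps working inside containers that do not ship QEMU.
# Backslash escapes are passed through literally, as the kernel expects.
binfmt_register_line() {
  name=$1; magic=$2; mask=$3; interp=$4; flags=$5
  printf ':%s:M::%s:%s:%s:%s\n' "$name" "$magic" "$mask" "$interp" "$flags"
}

# Summarise one /proc/sys/fs/binfmt_misc/<name> entry read on stdin as
# "<enabled|disabled> <interpreter> <flags>" ("-" when no flags are set).
binfmt_entry_summary() {
  awk '
    NR == 1             { state = $1 }
    $1 == "interpreter" { interp = $2 }
    $1 == "flags:"      { flags = ($2 == "" ? "-" : $2) }
    END                 { print state, interp, flags }
  '
}

# Report whether this process could register a handler at all; in a rootless
# container the register file is normally absent or not writable.
binfmt_can_register() {
  if [ -w /proc/sys/fs/binfmt_misc/register ]; then echo yes; else echo no; fi
}

# Constructed sample entry in the format the kernel exposes; magic and mask
# are shortened to the 4-byte ELF identifier for illustration only.
SAMPLE_ENTRY='enabled
interpreter /usr/bin/qemu-aarch64-static
flags: F
offset 0
magic 7f454c46
mask ffffffff'

binfmt_register_line qemu-aarch64 '\x7fELF' '\xff\xff\xff\xff' \
  /usr/bin/qemu-aarch64-static F
printf '%s\n' "$SAMPLE_ENTRY" | binfmt_entry_summary
echo "can register from here: $(binfmt_can_register)"
```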