Unprivileged containers with PRoot #160
Comments
|
Hi, I am a student from Bangalore, India. I tinkered a little with PRoot (as well as fakechroot/fakeroot) around 3 years ago, it was to run debian CLI on an Android 5 phone :). This proposal seemed interesting. I am curious whether there is a specific use case for this, however, because user namespace for rootless container seems to have become common these days. |
|
PRoot is a general purpose tool. However, there are two main use cases that I've seen:
I think adding support for OCI containers would increase productivity for PRoot users, since they wouldn't need to manually find and download/setup their own rootfs images. However, since this is implemented as an extension, we would end up with support for both. |
|
Thanks for the perspective. I guess it can also be used to create build environments, depending on overhead of proot itself. OCI Spec seems quite big, which parts are left to implement? |
We're actually doing that here with the PRoot multiarch binaries: https://gitlab.com/proot/proot-static-multiarch
To be honest, I'm not sure how rootless-containers relates to the OCI specification. It might be good to document that as part of a research step in your proposal. |
|
I am looking at OCI runtime spec. On surface it seems:
seeing This is just what I guess from surface, I guess it will involve implementing some missing features, before that we will have to evaluate which of the features are relevant to use case. And then testing. |
|
This is great. I think you're moving in the right direction.
I think we need to clarify the scope for A) PRoot and B) Our potential GSoC project. I don't think we need to re-implement container management (pull/push/etc.) in PRoot. We can use something like But I am curious how we would kill/query a running instance. As of now, we would use
The hooks seem interesting... perhaps if we have time, we could implement that using the Python extension for PRoot? Definitely not an essential feature though.
Yes, exactly. We might want to compile a list and then work through each to determine if it is essential. I want PRoot to be a small tool. The primary use-case is being able to re-use OCI-compatible container images in a convenient way. And since this is an extension, we should still be able to compile and use PRoot without it. |
|
Hi Lucas, 6th semester of my undergraduate program started yesterday, and we have a heavier curriculum and 2 course projects which are more demanding than I expected. I am afraid I will not be able to proceed with this proposal with college occupying lot of my time. I was parallely working on another proposal related to Dart project, and in the remaining time I will be trying my luck with that. I hope that wasn't impolite. English isn't my first language. |
|
No worries. Best of luck in your schooling and in GSoC! |
Project Title: Unprivileged containers with PRoot
Description:
OCI containers can be built and/or downloaded using img,
and then run as any user via PRoot. There is already a proof of concept in progress (See: proot-me/proot#204). However, it is very rough, and there are several open bugs that still need to be patched before this can be merged upstream. We will also need some tests built out for the test suite to ensure there are no regressions.
Deliverable:
A solution for running unprivileged OCI-compatible containers via PRoot.
Mentor: @oxr463
Skills: c, go, Linux, containers
Skill Level: Medium
Get started: See: proot-me/proot#204
The text was updated successfully, but these errors were encountered: