Being able to run rootless containers may require sudo access on some OSs to enable unprivileged container support (Arch or Debian, for example), as documented in the buildah documentation or in the usernetes documentation:

```sh
# Only for the current session
sudo sysctl kernel.unprivileged_userns_clone=1
# Enable the setting permanently (the redirection needs root, so use tee
# under sudo rather than a plain ">>" in the unprivileged shell)
echo "kernel.unprivileged_userns_clone=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
As documented in the Docker docs, the default seccomp security profile disables system calls such as `unshare`, `mount` or `sethostname` inside containers (which are needed, for example, to spawn containers inside bblfshd and to give a hostname to each container so it can be identified as a driver). Also, as documented in libcontainer#1658, there is a known bug with rootless containers inside another non-root container and the `/proc` mount / masking. Adding a volume `-v /proc:/newproc` solves that problem.
Therefore, to run bblfshd in non-privileged mode, this would suffice:

```sh
docker run --name bblfshd \
    -p 9432:9432 \
    -v /var/lib/bblfshd:/var/lib/bblfshd \
    -v /proc:/newproc \
    --security-opt seccomp=unconfined \
    bblfshd
```
A better (and recommended) confinement configuration would be:

```sh
docker run --name bblfshd \
    -p 9432:9432 \
    -v /var/lib/bblfshd:/var/lib/bblfshd \
    -v /proc:/newproc \
    --security-opt seccomp=./bblfshd-seccomp.json \
    bblfshd
```
The `./bblfshd-seccomp.json` file is a modification of Docker's `default.json` that additionally allows the following syscalls inside the bblfshd container: `mount`, `unshare`, `pivot_root`, `keyctl`, `umount2`, `sethostname`.
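As an added example (not part of the bblfshd documentation or project), the following Python script shows the kind of edit that turns Docker's `default.json` into a profile like `bblfshd-seccomp.json`: it appends one unconditional allow rule for exactly the six syscalls listed above and leaves `defaultAction` untouched, so every other syscall stays blocked, which is the point of preferring this profile over `seccomp=unconfined`. The base profile embedded here is a constructed stand-in with the same structure as Docker's `default.json` (the real file lists several hundred syscalls), and the function names are the example's own.

```python
import copy
import json
import sys

# Constructed stand-in for Docker's default.json: same shape, far fewer entries.
DOCKER_DEFAULT_LIKE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {
            "names": ["read", "write", "openat", "close", "clone", "execve", "exit_group"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
        },
        {
            # In Docker's default profile these are allowed only when the container
            # holds CAP_SYS_ADMIN, which a plain "docker run" does not grant.
            "names": ["mount", "umount2", "unshare", "pivot_root", "sethostname", "setns"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "includes": {"caps": ["CAP_SYS_ADMIN"]},
        },
    ],
}

# The six syscalls the bblfshd profile needs, as listed in the text above.
BBLFSHD_SYSCALLS = ["mount", "unshare", "pivot_root", "keyctl", "umount2", "sethostname"]


def unconditionally_allowed(profile):
    """Return the set of syscalls the profile allows with no capability or
    argument condition, i.e. what an unprivileged container can actually call."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if rule.get("includes", {}).get("caps"):
            continue  # only allowed when the container holds those capabilities
        if rule.get("args"):
            continue  # argument-filtered allow, not unconditional either
        allowed.update(rule.get("names", []))
    return allowed


def allow_syscalls(profile, names):
    """Return a copy of `profile` with one extra unconditional allow rule covering
    the syscalls in `names` that were not already unconditionally allowed.
    The default action is left as-is, so the filter still blocks everything else."""
    new = copy.deepcopy(profile)
    already = unconditionally_allowed(profile)
    missing = [n for n in names if n not in already]
    if missing:
        new["syscalls"].append({
            "names": missing,
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "comment": "added for bblfshd: needed to spawn driver containers",
        })
    return new


def write_profile(profile, path):
    """Serialise the profile in the format docker --security-opt seccomp= reads."""
    with open(path, "w") as f:
        json.dump(profile, f, indent=2)


if __name__ == "__main__":
    prof = allow_syscalls(DOCKER_DEFAULT_LIKE, BBLFSHD_SYSCALLS)
    if len(sys.argv) > 1:
        write_profile(prof, sys.argv[1])  # e.g. ./bblfshd-seccomp.json
    else:
        print(json.dumps(prof, indent=2))
```

To apply this to the real file, load Docker's `default.json` with `json.load` in place of the constructed dictionary and point `--security-opt seccomp=` at the written output. `unconditionally_allowed` also makes the difference between the two `docker run` commands above concrete: with the profile, the container gains only the six listed syscalls on top of the original allowlist (here `setns`, for instance, remains capability-gated), whereas `seccomp=unconfined` removes the filter entirely.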
When running bblfshd in rootless mode, you may see warning messages such as the following in the bblfshd logs:

```
level=warning msg="no such directory for freezer.state"
```

They have no further repercussions and are due to the inability of a rootless container to manage cgroups for the containers created inside it.