currently checking if it is possible to start runc containers inside a strict snap.
From interfaces I don’t see one - because the docker and lxc interfaces just support the communication to docker or lxd sockets which basically means that commands are forwarded to the daemons which running outside a snap.
If i put a rootfs to $SNAP_COMMON and start the snap with “snap run --shell” command and enter "runc run con1 -b “SNAP_COMMON/con1” i get the error : ERRO[0000] chown /run/user/1000/snap.docker/runc/con1: operation not permitted
Is there a snap interface i could use to get permission to start runc containers?
Docker uses runc under the hood, so with docker-support interface in your snap (and connected), you ought to be able to start containers. I suggest starting with --devmode to see if there’s anything missing.
thanks for quick reply but doesnt “docker-support” simple mount the sockets into the snap and requires a dockerd outside? i will give it a try just curious - documentation says just tells about the sockets.
There are two separate docker related interfaces, docker which simply allows using the docker socket and is intended for apps/clients trying to talk to dockerd over the socket, and docker-support, which is what dockerd itself uses to have permission to operate as the dockerd daemon which creates containers, etc.
Got your point! thanks - i was seeing that one reason didnt work before was that the container OCI rootfs was part of the snap (was bad idea) - after setting the interface docker-support and placing the OCI rootfs in $HOME/snap/{name}/common i at least getting a different error. The container i try to start was setup with runc spec --rootless + a debian based container rootfs.
currently what i am facing :
FATA[0000] nsexec-0[24219]: failed to write ‘deny’ to /proc/24221/setgroups: Permission denied
FATA[0000] nsexec-1[24221]: failed to sync with parent: read(SYNC_USERMAP_ACK): Success
WARN[0000] unable to get oom kill count error=“no directory specified for memory.oom_control”
ERRO[0000] container_linux.go:380: starting container process caused: process_linux.go:402: getting the final child’s pid from pipe caused: EOF
I suggest installing the snap with --devmode first. Next, there’s clearly some assumptions in the docker-support interface that don’t quite fit what you’re trying to do.
Say this path, /sys/fs/cgroup/cpu,cpuacct/user.slice/c1/ I understand that user.slice is here because it’s a rootless container. I’m not quite sure about c1. From looking at the interface, there are patterns like this: /sys/fs/cgroup/*/docker/, so maybe c1 is just a sub group in your case too? There’s a comment that mentions plugins.cri_systemd_cgroup=true, maybe that’s related to runc as well? But it also lists paths like /sys/fs/cgroup/*/systemd/system.slice/**, expecting the groups to be located under system.slice, which would not be true for rootless.
just curious - documentation says just tells about the sockets.