
Planning run non-root in containers

September 12, 2022 — BarryK

I have been working on syncing Debian package management with the Puppy-format package management, for the past week. However, I had the nagging feeling that I'm going in the wrong direction...

I have now abandoned apt/dpkg syncing with the Puppy-format package database and PKGget. It just isn't the way I want to go with EasyOS.

Yes, the Dunfell-series, built from packages compiled from scratch, does have a very small package repository. However, we can have a mechanism to import large packages, such as appimages, to SFS files, and thereby obtain a large repository.

So, I am going back to basics, revisiting Easy Containers. I ran the 'dir2sfs' utility to create an SFS of the latest Chrome web browser. Yes, it works great on the main desktop, as user "chrome". However, in a container it runs as "crippled root" and requires the "--no-sandbox" command-line option to run. Unfortunately, Chrome puts up a warning message that "--no-sandbox" is unsupported and may cause stability problems.

Chrome runs fine in a container, but that warning is going to alarm users. So what I want to do is be able to run Chrome as user "chrome" in a container. This is not so easy.

Back around 2018, when Easy Containers was young, I did consider being able to run apps as user "zeus"; however, I never actually got that to work.

One thing that looks like being helpful is the Linux kernel "user namespace" support. That feature is currently disabled, so as I type this, the 5.15.67 kernel is compiling, with user-namespace ticked:

General setup > Namespaces support
[*] UTS namespace
[ ] TIME namespace
[*] IPC namespace
[*] User namespace
[*] PID Namespaces
[*] Network namespace

That's just one building-block toward implementing running non-root in containers.
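A quick way to confirm that the rebuilt kernel actually has the option above, and that an unprivileged user is allowed to use it, is the check below. It is an added example written for this post, not a script from EasyOS or from BarryK. It assumes the running kernel exposes its config either as /proc/config.gz (CONFIG_IKCONFIG_PROC) or as /boot/config-<release>, that util-linux's unshare(1) is installed for the runtime probe, and that /proc/sys/user/max_user_namespaces exists (kernels 4.9 and later); any of these may be absent on a minimal system, in which case the script reports "unknown" rather than guessing. The distinction matters for the Chrome case: Chrome's Linux sandbox uses unprivileged user namespaces (or a setuid helper) to drop privileges, so if the kernel has CONFIG_USER_NS but the sysctl is 0, Chrome will still refuse to run without --no-sandbox.

```shell
#!/bin/sh
# Added example (not part of the original post): report whether the running
# kernel supports user namespaces and whether unprivileged processes may
# create one. All paths and tools used are standard, but whether they are
# present depends on how the kernel and userland were built (assumption).

# Classify a kernel .config text file: prints "enabled", "disabled" or "unknown".
# Argument: path to a plain-text kernel config.
userns_config_status() {
    cfg="$1"
    if grep -q '^CONFIG_USER_NS=y' "$cfg" 2>/dev/null; then
        echo enabled
    elif grep -q '^# CONFIG_USER_NS is not set' "$cfg" 2>/dev/null; then
        echo disabled
    else
        echo unknown
    fi
}

# Locate the config of the running kernel. Prints a readable path or nothing.
# /proc/config.gz is only there if CONFIG_IKCONFIG_PROC was set at build time.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) || return 1
        zcat /proc/config.gz > "$tmp" && echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

# Sysctl limit: 0 means user namespaces are compiled in but switched off.
# Prints the limit, or "unknown" if the file is not there.
userns_sysctl_limit() {
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        cat /proc/sys/user/max_user_namespaces
    else
        echo unknown
    fi
}

# Runtime probe: try to create a user namespace as the current user.
# Prints "yes" or "no" ("no" also when unshare(1) is not installed).
userns_runtime_probe() {
    if unshare -U true 2>/dev/null; then echo yes; else echo no; fi
}

# Human-readable summary of the three checks.
userns_report() {
    cfg=$(running_kernel_config)
    echo "CONFIG_USER_NS in running kernel : $(userns_config_status "$cfg")"
    echo "user.max_user_namespaces         : $(userns_sysctl_limit)"
    echo "unprivileged unshare -U works    : $(userns_runtime_probe)"
    # Remove the temporary copy of /proc/config.gz, if one was made
    case "$cfg" in /tmp/*) rm -f "$cfg" ;; esac
}

userns_report
```

When the first line says "enabled" but the third says "no", look at the sysctl value and at the container runtime's seccomp or capability policy before blaming the kernel; the kernel option on its own is, as the post says, only one building block.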

Tags: easy