Oh, I see. Thanks for the clarification.

I haven't heard of anyone installing Zun with Docker rootless. I scanned through the rootless document you shared and couldn't find anything that is a hard break. There is a limitation on some storage drivers, so you might want to explicitly choose a supported storage driver on container creation. In addition, the document didn't mention any limitation about specific runtimes like Kata, so I guess Kata will work as long as Docker rootless works with Zun.

You are welcome to give it a try and let us know.

Best regards,
Hongbin

On Wed, Mar 13, 2024 at 10:26 PM Francesco Di Nucci <francesco.dinucci@na.infn.it> wrote:

Thank you,

although I'm in a different use-case, sorry for not being able to explain myself: Kata does support privileged containers (https://github.com/kata-containers/kata-containers/blob/main/docs/how-to/privileged.md), but I don't want to use them.

AFAIK Zun can use a stock Docker install with Kata Containers as an optional step (https://docs.openstack.org/zun/2023.2/install/compute-install.html#enable-kata-containers-optional), but there is no mention of using Zun together with Docker rootless (https://docs.docker.com/engine/security/rootless/) or Zun + Docker Rootless + Kata Containers. Maybe I should start with an ordinary Docker install with Kata and then test if it is possible to switch to rootless?

Best regards

Francesco Di Nucci

On 13/03/2024 13:49, Hongbin Lu wrote:
Hi,

Zun allows running privileged containers, but I am not sure if Kata supports the privileged flag. You might want to consult the Kata community about that.

Best regards,
Hongbin

On Wed, Mar 13, 2024 at 4:41 PM Francesco Di Nucci <francesco.dinucci@na.infn.it> wrote:
Hello,

I am working on a 2023.2 instance to install Zun. While we're still in
the design phase, I was wondering if it is possible to run Docker as a
non-root user together with Kata Containers for enhanced security. Has
anyone tried this solution?

Regards

Francesco Di Nucci