[Zun] Docker in rootless mode
Hello,

I am working on a 2023.2 instance to install Zun. While we're still in the design phase, I was wondering if it is possible to run Docker as a non-root user together with Kata Containers for enhanced security. Has anyone tried this solution?

Regards
Francesco Di Nucci
Hi,

Zun allows running privileged containers, but I am not sure if Kata supports the privileged flag. You might want to consult the Kata community about that.

Best regards,
Hongbin

On Wed, Mar 13, 2024 at 4:41 PM Francesco Di Nucci <francesco.dinucci@na.infn.it> wrote:
Thank you,

although I'm in a different use case; sorry for not being able to explain myself. Kata does support privileged containers (https://github.com/kata-containers/kata-containers/blob/main/docs/how-to/pri...), but I don't want to use them.

AFAIK Zun can use a stock Docker install with Kata Containers as an optional step (https://docs.openstack.org/zun/2023.2/install/compute-install.html#enable-ka...), but there is no mention of using Zun together with Docker rootless (https://docs.docker.com/engine/security/rootless/) or Zun + Docker Rootless + Kata Containers. Maybe I should start with an ordinary Docker install with Kata and then test if it is possible to switch to rootless?

Best regards
Francesco Di Nucci

On 13/03/2024 13:49, Hongbin Lu wrote:
Oh, I see. Thanks for the clarification.

I haven't heard of anyone installing Zun with Docker rootless. I scanned through the rootless document you shared and couldn't find anything that is a hard break. There is a limitation on some storage drivers, so you might want to explicitly choose a supported storage driver on container creation. In addition, the document didn't mention any limitation about specific runtimes like Kata, so I guess Kata will work as long as Docker rootless works with Zun.

You are welcome to give it a try and let us know.

Best regards,
Hongbin

On Wed, Mar 13, 2024 at 10:26 PM Francesco Di Nucci <francesco.dinucci@na.infn.it> wrote:
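Hongbin's advice to pick a storage driver the rootless documentation supports, and Francesco's plan to check whether the rootless setup can carry Kata, both come down to inspecting the Docker daemon before pointing Zun at it. The script below is an added example and is not code from this thread, from Zun, or from Docker: it parses the JSON that `docker info --format '{{json .}}'` emits and reports whether the daemon is rootless, whether its storage driver is in the set the Docker rootless page (linked above) lists as supported, and whether a Kata runtime is registered and is the default. Assumptions: the supported-driver set is copied from that documentation and should be re-checked for your Docker version; any runtime whose name contains "kata" is treated as a Kata runtime; the two `docker info` documents embedded here are constructed samples, not real output.

```python
"""Pre-flight check for running Zun on a rootless Docker daemon with Kata.

Added example for the thread above; it is not Zun's or Docker's code.
"""
import json
import shutil
import subprocess

# Storage drivers the Docker rootless documentation lists as supported
# (https://docs.docker.com/engine/security/rootless/). Re-check this set
# against the documentation for the Docker version you deploy.
ROOTLESS_STORAGE_DRIVERS = {"overlay2", "fuse-overlayfs", "btrfs", "vfs"}

# Constructed sample: what `docker info --format '{{json .}}'` might return
# from a rootless daemon that has a Kata runtime registered but not default.
SAMPLE_ROOTLESS_INFO = {
    "ServerVersion": "25.0.0",
    "Driver": "fuse-overlayfs",
    "SecurityOptions": ["name=seccomp,profile=builtin", "name=rootless", "name=cgroupns"],
    "Runtimes": {
        "io.containerd.runc.v2": {"path": "runc"},
        "runc": {"path": "runc"},
        "kata-runtime": {"path": "/usr/bin/kata-runtime"},
    },
    "DefaultRuntime": "runc",
}

# Constructed sample: an ordinary rootful daemon with no Kata runtime.
SAMPLE_ROOTFUL_INFO = {
    "ServerVersion": "25.0.0",
    "Driver": "overlay2",
    "SecurityOptions": ["name=apparmor", "name=seccomp,profile=builtin", "name=cgroupns"],
    "Runtimes": {"io.containerd.runc.v2": {"path": "runc"}, "runc": {"path": "runc"}},
    "DefaultRuntime": "runc",
}


def is_rootless(info):
    """True when the daemon advertises rootless mode in SecurityOptions."""
    options = info.get("SecurityOptions") or []
    # Each entry looks like "name=seccomp,profile=builtin"; the first field is the name.
    return any(opt.split(",")[0] == "name=rootless" for opt in options)


def kata_runtimes(info):
    """Registered runtime names that look like Kata (assumption: name contains 'kata')."""
    return sorted(name for name in (info.get("Runtimes") or {}) if "kata" in name.lower())


def check_docker_info(info):
    """Return findings for a parsed `docker info` document, plus human-readable warnings."""
    driver = info.get("Driver", "")
    default_runtime = info.get("DefaultRuntime", "")
    kata = kata_runtimes(info)
    findings = {
        "rootless": is_rootless(info),
        "storage_driver": driver,
        "storage_driver_ok_for_rootless": driver in ROOTLESS_STORAGE_DRIVERS,
        "kata_runtimes": kata,
        "default_runtime": default_runtime,
        "default_runtime_is_kata": default_runtime in kata,
    }
    warnings = []
    if not findings["rootless"]:
        warnings.append("daemon is not running in rootless mode")
    if not findings["storage_driver_ok_for_rootless"]:
        warnings.append(f"storage driver {driver!r} is not in the rootless-supported set")
    if not kata:
        warnings.append("no Kata runtime is registered with the daemon")
    elif not findings["default_runtime_is_kata"]:
        warnings.append("Kata is registered but not the default runtime; containers must request it explicitly")
    findings["warnings"] = warnings
    return findings


def load_live_docker_info():
    """Query the local daemon; returns None when the docker CLI is not installed."""
    if shutil.which("docker") is None:
        return None
    out = subprocess.run(["docker", "info", "--format", "{{json .}}"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def main():
    info = load_live_docker_info()
    if info is None:
        print("docker CLI not found; evaluating the constructed rootless sample instead")
        info = SAMPLE_ROOTLESS_INFO
    for key, value in check_docker_info(info).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Run it as the user that owns the rootless daemon (so `docker` talks to that user's socket, not the system one); the `warnings` list is the part worth reading before wiring the host into Zun.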
Thank you, I'll try it when possible.

Best regards
Francesco Di Nucci

On 14/03/24 04:03, Hongbin Lu wrote:
Participants (2): Francesco Di Nucci, Hongbin Lu