runsc: allow rootless mode for runsc run

Rootless mode seems to work fine for simple containers with runsc run, so allow its use. Since runsc run is more widely used, require a workable --network option is passed rather than automatically switching like runsc do does. Fixes #3036
author: Michael Pratt <mpratt@google.com> 2021-09-14 16:20:25 -0400
committer: Michael Pratt <mpratt@google.com> 2021-09-14 16:20:25 -0400
commit: 5ab2bdf332ccedbc3eedc6e5f7c96f6adb2b80d4 (patch)
tree: 1d92190763c22fea7de73b3b03c8fc0375ba821d
parent: 226e7d32cb855e69b3bf7a28791a17235074e49a (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/runsc/cmd/run.go b/runsc/cmd/run.go
index 722181aff..da11c9d06 100644
--- a/runsc/cmd/run.go
+++ b/runsc/cmd/run.go
@@ -68,7 +68,14 @@ func (r *Run) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) s
 	waitStatus := args[1].(*unix.WaitStatus)
 
 	if conf.Rootless {
-		return Errorf("Rootless mode not supported with %q", r.Name())
+		if conf.Network == config.NetworkSandbox {
+			return Errorf("sandbox network isn't supported with --rootless, use --network=none or --network=host")
+		}
+
+		if err := specutils.MaybeRunAsRoot(); err != nil {
+			return Errorf("Error executing inside namespace: %v", err)
+		}
+		// Execution will continue here if no more capabilities are needed...
 	}
 
 	bundleDir := r.bundleDir
author	Michael Pratt <mpratt@google.com>	2021-09-14 16:20:25 -0400
committer	Michael Pratt <mpratt@google.com>	2021-09-14 16:20:25 -0400
commit	5ab2bdf332ccedbc3eedc6e5f7c96f6adb2b80d4 (patch)
tree	1d92190763c22fea7de73b3b03c8fc0375ba821d
parent	226e7d32cb855e69b3bf7a28791a17235074e49a (diff)