author Fabricio Voznika <fvoznika@google.com> 2019-06-12 09:40:50 -0700
committer Shentubot <shentubot@google.com> 2019-06-12 09:41:50 -0700
commit 356d1be140bb51f2a50d2c7fe24242cbfeedc9d6
tree 3685e89ffdf701c2e9aebb19023cf0606ca8593b /runsc/container
parent df110ad4fe571721a7eb4a5a1f9ce92584ef7809
Allow 'runsc do' to run without root
'--rootless' flag lets a non-root user execute 'runsc do'. The drawback is that the sandbox and gofer processes will run as root inside a user namespace that is mapped to the caller's user, instead of nobody. And network is defaulted to '--network=host' inside the root network namespace. On the bright side, it's very convenient for testing:

    runsc --rootless do ls
    runsc --rootless do curl www.google.com

PiperOrigin-RevId: 252840970
Diffstat (limited to 'runsc/container')
-rw-r--r-- runsc/container/container_test.go 3
1 files changed, 2 insertions, 1 deletions
diff --git a/runsc/container/container_test.go b/runsc/container/container_test.go
index 72c5ecbb0..867bf8187 100644
--- a/runsc/container/container_test.go
+++ b/runsc/container/container_test.go
@@ -36,6 +36,7 @@ import (
"gvisor.googlesource.com/gvisor/pkg/sentry/control"
"gvisor.googlesource.com/gvisor/pkg/sentry/kernel/auth"
"gvisor.googlesource.com/gvisor/runsc/boot"
+ "gvisor.googlesource.com/gvisor/runsc/specutils"
"gvisor.googlesource.com/gvisor/runsc/test/testutil"
)
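Review bot: The added specutils import means the test's privilege setup now comes from a non-test package, while testutil stays imported for ConfigureExePath, and nothing in this file says why. A one-line comment at the call site in TestMain naming the reason the helper is taken from runsc/specutils instead of runsc/test/testutil would save the next reader a search, since the commit message only talks about 'runsc do'.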
@@ -1853,7 +1854,7 @@ func TestMain(m *testing.M) {
if err := testutil.ConfigureExePath(); err != nil {
panic(err.Error())
}
- testutil.RunAsRoot()
+ specutils.MaybeRunAsRoot()
os.Exit(m.Run())
}
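Review bot: The new specutils.MaybeRunAsRoot() call in TestMain discards whatever it returns, whereas the ConfigureExePath error three lines above is checked and turned into a panic. If MaybeRunAsRoot returns an error, handle it the same way, so that a failed privilege setup stops the run instead of letting m.Run() continue with whatever privileges the process happened to have. The "Maybe" in the name also suggests the call can decline to escalate. A short comment stating under which condition the tests proceed without root, and what they rely on in that case, would make the intended privilege level of this test binary explicit.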