authorFabricio Voznika <fvoznika@google.com>2019-06-12 09:40:50 -0700
committerShentubot <shentubot@google.com>2019-06-12 09:41:50 -0700
commit356d1be140bb51f2a50d2c7fe24242cbfeedc9d6 (patch)
tree3685e89ffdf701c2e9aebb19023cf0606ca8593b /tools
parentdf110ad4fe571721a7eb4a5a1f9ce92584ef7809 (diff)
Allow 'runsc do' to run without root
'--rootless' flag lets a non-root user execute 'runsc do'. The drawback is that the sandbox and gofer processes will run as root inside a user namespace that is mapped to the caller's user, instead of nobody. And network is defaulted to '--network=host' inside the root network namespace. On the bright side, it's very convenient for testing: runsc --rootless do ls runsc --rootless do curl www.google.com PiperOrigin-RevId: 252840970
Diffstat (limited to 'tools')
-rwxr-xr-xtools/run_tests.sh4
1 files changed, 2 insertions, 2 deletions
diff --git a/tools/run_tests.sh b/tools/run_tests.sh
index 8874794fd..7a1f889dd 100755
--- a/tools/run_tests.sh
+++ b/tools/run_tests.sh
@@ -212,8 +212,8 @@ run_runsc_do_tests() {
local runsc=$(find bazel-bin/runsc -type f -executable -name "runsc" | head -n1)
# run runsc do without root privileges.
- unshare -Ur ${runsc} --network=none --TESTONLY-unsafe-nonroot do true
- unshare -Ur ${runsc} --TESTONLY-unsafe-nonroot --network=host do --netns=false true
+ ${runsc} --rootless do true
+ ${runsc} --rootless --network=none do true
# run runsc do with root privileges.
sudo -n -E ${runsc} do true
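Review bot: The first added call, `${runsc} --rootless do true`, depends on the rootless default of host networking described in the commit message, but the comment above it only says "without root privileges", so a reader cannot tell that this line runs the sandbox in the caller's network namespace while the next one covers `--network=none`. I would extend the comment, e.g. `# --rootless defaults to --network=host; the second call checks --network=none.` Both new lines also expand `${runsc}` unquoted, and if the `find` above matches nothing the shell tries to execute `--rootless` as the command and fails with a confusing error; writing `"${runsc}" --rootless do true` and checking that `runsc` is non-empty right after the `find` would make that failure explicit. run_runsc_do_tests starts and ends outside the hunk.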