From 5ab2bdf332ccedbc3eedc6e5f7c96f6adb2b80d4 Mon Sep 17 00:00:00 2001 From: Michael Pratt Date: Tue, 14 Sep 2021 16:20:25 -0400 Subject: runsc: allow rootless mode for runsc run Rootless mode seems to work fine for simple containers with runsc run, so allow its use. Since runsc run is more widely used, require a workable --network option is passed rather than automatically switching like runsc do does. Fixes #3036 --- runsc/cmd/run.go | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'runsc/cmd/run.go') diff --git a/runsc/cmd/run.go b/runsc/cmd/run.go index 722181aff..da11c9d06 100644 --- a/runsc/cmd/run.go +++ b/runsc/cmd/run.go @@ -68,7 +68,14 @@ func (r *Run) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) s waitStatus := args[1].(*unix.WaitStatus) if conf.Rootless { - return Errorf("Rootless mode not supported with %q", r.Name()) + if conf.Network == config.NetworkSandbox { + return Errorf("sandbox network isn't supported with --rootless, use --network=none or --network=host") + } + + if err := specutils.MaybeRunAsRoot(); err != nil { + return Errorf("Error executing inside namespace: %v", err) + } + // Execution will continue here if no more capabilities are needed... } bundleDir := r.bundleDir -- cgit v1.2.3