From 356d1be140bb51f2a50d2c7fe24242cbfeedc9d6 Mon Sep 17 00:00:00 2001
From: Fabricio Voznika <fvoznika@google.com>
Date: Wed, 12 Jun 2019 09:40:50 -0700
Subject: Allow 'runsc do' to run without root

'--rootless' flag lets a non-root user execute 'runsc do'.
The drawback is that the sandbox and gofer processes will
run as root inside a user namespace that is mapped to the
caller's user, intead of nobody. And network is defaulted
to '--network=host' inside the root network namespace. On
the bright side, it's very convenient for testing:

runsc --rootless do ls
runsc --rootless do curl www.google.com

PiperOrigin-RevId: 252840970
---
 tools/run_tests.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'tools')

diff --git a/tools/run_tests.sh b/tools/run_tests.sh
index 8874794fd..7a1f889dd 100755
--- a/tools/run_tests.sh
+++ b/tools/run_tests.sh
@@ -212,8 +212,8 @@ run_runsc_do_tests() {
   local runsc=$(find bazel-bin/runsc -type f -executable -name "runsc" | head -n1)
 
   # run runsc do without root privileges.
-  unshare -Ur ${runsc} --network=none --TESTONLY-unsafe-nonroot do true
-  unshare -Ur ${runsc} --TESTONLY-unsafe-nonroot --network=host do --netns=false true
+  ${runsc} --rootless do true
+  ${runsc} --rootless --network=none do true
 
   # run runsc do with root privileges.
   sudo -n -E ${runsc} do true
-- 
cgit v1.2.3