Skip to content

Commit

Permalink
about: remove blantly incorrect information about runc
Browse files Browse the repository at this point in the history
It appears this document was drafted some time before runc gained
support for rootless containers (though it was written after I had
authored my original patch-set). None of the information contained in
that section was correct. Luckily dfba702 ("adding fork me on
github, page on environment metadata, and making tons of changes for
2.3!") removed some of the more blatant misinformation about runc, but
this section remained.

The main issues with this section are:

1. It misunderstands fundamentally how rootless containers work, and
   misrepresents their properties. There are limitations of rootless
   containers, but Singularity gets around those limitations by using
   setuid binaries (which are no better than a privileged daemon in
   terms of security, though being daemon-less is a benefit
   in-of-itself).

2. It ignores the existence of tools like umoci[1], which allow for the
   creation of a rootfs without privileges. While it is a "chroot-style"
   rootfs, I'm not sure I understand why this is a concern for a user
   (and the text resorted to the statement "it requires root" which is
   incorrect).

3. Previous versions made claims about security that were blatantly
   false. The security of rootless containers are provided directly by
   the kernel, and runc also supports tools such as seccomp (which are
   known to protect against kernel 0-days). Singularity provides its
   security through its own setuid code.

[1]: https://github.com/openSUSE/umoci

Signed-off-by: Aleksa Sarai <[email protected]>
  • Loading branch information
cyphar committed Oct 2, 2017
1 parent e281211 commit e9715ee
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion pages/info/about.md
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ Singularity does not utilize a daemon process to manage the containers. While da

Additionally, securing a root owned daemon process which is designed to manipulate the host's environment becomes tricky. In currently implemented models, it is possible to grant permissions to users to control the daemon, or not. There is no sense of ACL's or access of what users can and can not do.

While there are some other container implementations that do not leverage a daemon, they lack other features necessary to be considered as reasonable user facing solution without having root access. For example, there has been a standing unimplemented patch to RunC (already daemon-less) which allows for root-less usage (no root). But, user contexts are not maintained, and it will only work with chroot directories (instead of an image) where files must be owned and manipulated by the root user!
There are several container implementations that do not leverage a daemon. In addition, they do not require the installation of setuid binaries to operate. An example of this is the runc project which has merged a long-standing patch. In addition, runc is the de-facto implementation of the Open Container Initiative's runtime specification, making it compatible with a wide variety of other systems. With the use of tools such as umoci, a user can create a chroot enviornment without privileges, removing previous concerns about requiring root privileges to set up a container's rootfs.

## Use Cases

Expand Down

0 comments on commit e9715ee

Please sign in to comment.