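package specconv

import (
	"errors"
	"path"
	"strings"

	"github.com/opencontainers/runtime-spec/specs-go"
)

// ToRootless converts spec to be compatible with "rootless" runc.
//   - Remove the /sys mount (and any mount whose destination lies below /sys)
//   - Remove cgroups
//
// spec is modified in place. A nil spec is rejected with an error instead of
// panicking; a nil spec.Linux is tolerated, since there is then no cgroup
// configuration to drop.
//
// See docs/rootless.md for the supported runc revision.
func ToRootless(spec *specs.Spec) error {
	if spec == nil {
		return errors.New("specconv: cannot convert a nil spec to rootless")
	}

	// Remove /sys mount because we can't mount /sys when the daemon netns
	// is not unshared from the host.
	//
	// Instead, we could bind-mount /sys from the host, however, `rbind, ro`
	// does not make /sys/fs/cgroup read-only (and we can't bind-mount /sys
	// without rbind)
	//
	// PR for making /sys/fs/cgroup read-only is proposed, but it is very
	// complicated: https://github.com/opencontainers/runc/pull/1869
	//
	// For buildkit usecase, we suppose we don't need to provide /sys to
	// containers and remove /sys mount as a workaround.
	//
	// Destinations are container-side, slash-separated paths, so path.Clean
	// (not filepath) normalises spellings such as "//sys" or "/sys/." before
	// the check. The check is "/sys" or a path below "/sys/" rather than a
	// bare HasPrefix("/sys"), which would also discard unrelated mounts
	// such as "/system".
	var mounts []specs.Mount
	for _, mount := range spec.Mounts {
		dest := path.Clean(mount.Destination)
		if dest == "/sys" || strings.HasPrefix(dest, "/sys/") {
			continue
		}
		mounts = append(mounts, mount)
	}
	spec.Mounts = mounts

	// Remove cgroups so as to avoid `container_linux.go:337: starting container process caused "process_linux.go:280: applying cgroup configuration for process caused \"mkdir /sys/fs/cgroup/cpuset/buildkit: permission denied\""`
	//
	// Guarded: the runtime-spec Linux section is optional, and dereferencing
	// it unconditionally would panic on a spec that omits it.
	if spec.Linux != nil {
		spec.Linux.Resources = nil
		spec.Linux.CgroupsPath = ""
	}
	return nil
}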