How to start container as non-root with entrypoint /sbin/init

[imperialguy]

I have an image that I configured with:

• default user that is non-root; and
• default entrypoint as /sbin/init

If I run it as it is and login to the container, I notice that systemd is not running:

[testuser@5163c8e21086 /]$ systemctl
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down

Is there a way to start a container as non-root but also kick-off the systemd process?

Currently the only way to do that is by leaving the default user as root or explicitly starting a non-root container as root, for e.g. like this:

podman run -d --name my_container --user root my_image:my_tag

Basically, I want to set the default container user as non-root, but I also want the container to start in systemd mode. Any ideas/suggestions would be greatly appreciated.

The alternative I am thinking about is to install sudo inside container and give the rootless user restrictive permissions to run systemd.

[imperialguy]

Any ideas on this one?

[rhatdan]

I don't think this can be done. Default user tells the OCI containers to run the PID 1 as that user. So you are attempting to run systemd as non root.

[mheon]

Concur.

Usually I find it's sufficient to run systemd as root in the container, but all of the services systemd manages as non-root users (using the standard systemd infrastructure, setting users in the unit files).

[imperialguy]

I see. Okay, so I have a certain requirement where I need systemd to be running inside my containers.

Tbh, I don't really have any problem running my containers in rootless (outside) + root (inside) mode.

But it looks like openshift has a stringent requirement to run containers in rootless (inside) mode by default in order to certify the underlying container images -- it uses preflight for certification purposes.

Now that we've established that there's no way for rootless (inside) containers to kick-off systemd as PID 1, and since podman is kinda the official container engine (as opposed to docker) for Red Hat, shouldn't openshift be allowing the certification of OCI container images, that were built (say) using buildah, and intended to be run in rootless (outside) + root (inside) mode?

This may be a question for the openshift team, but wondering perhaps if your team can weigh in on this one as well.

[imperialguy]

@mheon

My intention is not exactly to run systemd itself as rootless. I am wondering if there's a way to start the container in rootless (inside) along with systemd as PID 1. systemd can still be under root control. So, it's like this --> root starts systemd PID 1, but the default user is still a rootless user. From @rhatdan comment, it seems like this may not be possible, unless there's some sneaky way to do it that I may not be seeing here.

[rhatdan]

There is work going on in OpenShift to support User Namespace which would allow you to run as systemd inside of your container as root within the user namespace. But it would not be root on the host.

@giuseppe Care to comment?

[giuseppe]

Openshift and CRI-O already supports user namespaces using custom annotations: cri-o/cri-o#3944

There is work to add support for user namespaces upstream in Kubernetes: kubernetes/kubernetes#111090

With CRI-O, you can just specify a pod with the following annotation to create a user namespace:

annotations:
    io.kubernetes.cri-o.userns-mode: "auto"

but make sure you first enable the annotation to be used, you'll need something like the following in crio.conf`:

crio_runtimes:
  - name: runc
    path: /usr/bin/runc
    type: oci
    root: /run/runc
    allowed_annotations:
    - "io.kubernetes.cri-o.userns-mode"