Runtime environments that allow running as root could provide more capabilities to the containers
Opened this issue · 2 comments
Is your feature request related to a problem? Please describe.
Kata runtime could give more privilege to the root user in the Docker container. Running IPMininet in a Docker container requires the ability to manipulate network namespaces.
Describe the solution you'd like
When the runtime allows running as root, pass --cap_add=ALL to the container. Do this here,
Describe alternatives you've considered
Changing the use of Kata+Docker for virtme or something else
If this create_container function gets passed the run_as_root argument in some form, then it would be able to add the capabilities just for these runtime environments.
There is an issue with --privileged in Kata v1 which has not been fixed for Docker. Mainly, the host tries to mount devices into the VM and the container, which I don't need but which prevents starting the container. --privileged is required to modify sysctls, which are used by IPMininet. It seems that keeping Kata v1 does not allow moving forward on this issue.