Can you provide example for creation of non root container?

Question

Can you provide example for creation of non root container?

s3rj1k opened this issue 7 years ago · 6 comments

s3rj1k commented 7 years ago

Answer 1 · 2018-05-04T14:15:59.000Z

For/by non root user?

user should be in group porto

sudo addgroup porto
sudo adduser $USER porto
sudo portod reload

user@host $ portoctl exec test command=bash
id
^D

Answer 2 · 2018-05-04T15:02:07.000Z

That help a bit, but does not solve my issue.

what I am doing:

creating ct:

portoctl create bionic

preparing permanent storage:

portoctl storage -I bionic ~/bionic.tar.gz

creating volume for ct:

mkdir /place/porto_volumes/bionic
portoctl vcreate /place/porto_volumes/bionic backend=native storage=/place/porto_storage/bionic space_limit=512M user=user group=user owner_container=bionic

setting options:

portoctl set bionic hostname bionic
portoctl set bionic memory_limit 1G
portoctl set bionic cpu_limit 2c
portoctl set bionic net macvlan enp6s0f0 eth0
portoctl set bionic enable_porto false

starting ct:

portoctl start bionic

acquire shell inside ct:

portoctl shell bionic

what do I expect to see:

fully isolated system container from host node, just like openvz/lxc

what do I actually see:

full access to host node from inside of ct

Am I doing something wrong or this is expected behaviour?

Answer 3 · 2018-05-05T07:43:41.000Z

you need virt_mode=os
by default containers are app containers and since you didn't set command it works as "meta" container without payload.

All this could be done in one command:

portoctl run test virt_mode=os hostname=xxx memory_limit=1G net="macvlan ..." backend=native storage=bionic space_limit=512M

storages in porto_storage referred as simple name - without /

commands run and exec takes also volume properties and automatically setup root volume then

Answer 4 · 2018-05-05T08:25:47.000Z

for openvz-like container with persistent storage it's better to use meta-storage
it's quota is persistent, not recalculated at volume creation:

portoctl storage -M -Q 1G bionic
portoctl storate -I bionic/rootfs bionic.tgz
portoctl run test virt_mode=os backend=plain storage=bionic/rootfs

this way quota belongs to meta storage rather than volume

Answer 5 · 2018-05-05T09:17:05.000Z

ok, doing now like this:

running inside limited hostnode account:

uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare),1001(porto)

creating meta storage and running CT in single line:

portoctl storage -M -Q 1G bionic
portoctl storage -I bionic/rootfs ~/bionic.tar.gz
portoctl run bionic virt_mode=os hostname=bionic memory_limit=1G cpu_limit=2c net='macvlan enp6s0f0 eth0' enable_porto=false resolv_conf=keep backend=plain storage=bionic/rootfs

now I am trying to get shell inside CT:

portoctl shell -uroot -groot bionic

This workflow works as expected.

And I still do not understand why i get different results if configure CT line by line, like:

portoctl create
portoctl storage
portoctl vlink
portoctl set

Can you provide example how to do this line by line properly for meta storage?
this would actually help to understand how porto works and benefit other users as well, could be put in docs, thanks.

Answer 6 · 2018-05-05T15:41:19.000Z

I suppose some properties are different - you could compare output of portoctl get $CT