This message was deleted Rancher Users #general

Join Slack

This message was deleted.

# general

adamant-kite-43734

09/02/2022, 1:57 AM

This message was deleted.

creamy-pencil-82913

09/02/2022, 2:34 AM

The kubelet and containerd won't work without operating in privileged mode. It needs a bunch of capabilities and noone has bothered to figure out which ones specifically it needs because there's so many.

busy-easter-55684

09/02/2022, 2:51 AM

Thank you for your answer. How about rootless mode? Cause I run this docker in a special context, so I can't use privileged mode. But I saw issue that rootless k3s still need privileged mode, which really confuses me.

creamy-pencil-82913

09/02/2022, 4:02 AM

yeah, I’m not so sure about rootless. I would ask @best-accountant-68201; he’s the rootless expert.

best-accountant-68201

09/02/2022, 4:37 AM

rootless still needs

--privileged

for: • disabling seccomp to enable syscalls like

mount(2)

(equivalent of

--security-opt seccomp=unconfined

) • disabling apparmor to enable mounting, etc. (equivalent of

--security-opt apparmor=unconfined

) • disabling masks for

/proc

(equivalent of

--security-opt systemspaths=unconfined

/sys

• etc.

best-accountant-68201

09/02/2022, 4:38 AM

While the container is “privileged”, the processes inside there are not really privileged. They are as unprivileged as processes that are just running as a normal user on the host

busy-easter-55684

09/02/2022, 5:45 AM

1. Is there any chance that I can use something like --security-opt apparmor=unconfined or --cap-add SYS_ADMIN to avoid --privileged? 2. what do you mean there are not really privileged? I think the privileged container is a process run as a host root.

best-accountant-68201

09/02/2022, 5:48 AM

1. Theoretically yes, but the current --privileged of docker has something (can’t remember) that can’t be expressed with --security-opt 2. UID != 0

250 Views

Open in Slack

Previous Next