1. 11

  2. 12

    The amount of root stuff required for Docker strikes me as a terrible antipattern. It’s really gross, and it just makes me even less likely to want to engage with Docker at all.

      1. 2

        That looks very useful and I wasn’t aware of it.

        But also looks quite different to me. Indeed she explicitly says:

        “Granted mounting is not a requirement of building docker images. You can always go the route of orca-build and umoci and not mount at all. umoci is also an unprivileged image builder and was made long before I even made mine by the talented Aleksa Sarai who is also responsible for a lot of the rootless containers work upstream in runc.”

        This pursues that approach, and is concerned with raw builds rather than k8s.

        1. 1

          ^and is^and the OP is^

          1. 1

            FWIW you may edit your comments on this site, it’s much nicer than Twitter. ;)

            edit: oh, there’s a time limit.

      2. 1

        Cool. I wasn’t aware of PRoot, rootless and the rootless-container project in general. Since there is no mention of fakeroot and fakechroot, do you know how this compares?

        1. 2

          fake{root,chroot} is based on an LD_PRELOAD-like syscall interception. It has the advantage of not depending on the kernel's namespace implementation, but the disadvantage of having a performance penalty.

          proot is a frontend for Linux namespaces.

          1. 1

            Thank you for your response, I see. So it’s not possible to run it inside a container then? fakeroot with LD_PRELOAD is a pain; you basically can’t debootstrap Jessie on Stretch because of this.

            1. 1

              I thought one of them did LD_PRELOAD interception, which was fast enough that you don’t notice the performance penalty, but doesn’t work for things (e.g. Go binaries?) that make syscalls directly rather than going through libc’s wrappers. The other did ptrace() interception, which works on everything, but makes syscalls much slower (though compilers spend a large proportion of their time doing things which aren’t syscalls, so it was like a 20% perf hit for random C programs last time I tried).

              1. 2

                Both are using LD_PRELOAD. What you are thinking of is fakeroot-ng(1), which is ptrace(2)-based.

                1. 1

                  Thank you.
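The sub-thread above (fake{root,chroot} via LD_PRELOAD vs. ptrace-based fakeroot-ng, and the point that LD_PRELOAD cannot see a syscall issued without libc's wrapper) can be demonstrated in a few lines. The following is an added example written for this page; it is not code from the thread, from fakeroot, or from any of the projects discussed. It emulates the fakeroot mechanism by defining `getuid()` inside the executable itself, which the dynamic linker binds in preference to libc's copy exactly as an LD_PRELOAD shim would; the `uid_via_*` and `interposer_hits` helper names are mine. A call through the libc wrapper sees the lie (uid 0), while the same request issued as a raw `syscall(SYS_getuid)`, which is how a Go binary or a statically linked program would ask, bypasses the interposer entirely. Linux is assumed.

```c
/* Added example: fakeroot-style LD_PRELOAD interposition emulated in a
 * single executable, and the raw-syscall path that escapes it.
 * Build and run:  cc -o interpose interpose.c && ./interpose
 * The same getuid() compiled into a shared object
 *   (cc -shared -fPIC -o fakeuid.so fakeuid.c; LD_PRELOAD=./fakeuid.so id -u)
 * would lie to any dynamically linked program that calls getuid() via libc. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* How many times the interposer has been reached (hypothetical counter). */
static int interposed_calls = 0;

/* The interposer.  Because this definition lives in the executable, the
 * linker resolves getuid() calls that go through libc's wrapper here
 * instead of to libc's own implementation.  This is the fakeroot trick. */
uid_t getuid(void)
{
    interposed_calls++;
    return 0;              /* lie: claim to be root */
}

/* Caller that uses the libc wrapper: sees the lie. */
uid_t uid_via_libc(void)
{
    return getuid();
}

/* Caller that issues the syscall itself, as Go's runtime or a static
 * binary does: the interposer is never consulted, so the kernel's real
 * answer comes back.  ptrace-based tools (fakeroot-ng, PRoot) catch this
 * path too, at the cost of a context switch per syscall. */
uid_t uid_via_raw_syscall(void)
{
    return (uid_t)syscall(SYS_getuid);
}

int interposer_hits(void)
{
    return interposed_calls;
}

/* 1 if the raw syscall disagrees with the interposed answer, i.e. the lie
 * is observable; 0 when the process really is uid 0. */
int interposition_is_bypassed(void)
{
    return uid_via_raw_syscall() != uid_via_libc();
}

int main(void)
{
    printf("via libc wrapper : %u\n", (unsigned)uid_via_libc());
    printf("via raw syscall  : %u\n", (unsigned)uid_via_raw_syscall());
    printf("interposer hits  : %d\n", interposer_hits());
    return 0;
}
```

Run as a non-root user, the two lines print different uids; that gap is the whole reason the ptrace-based tools exist, and also why an LD_PRELOAD fakeroot cannot fool a debootstrap step that execs a static or Go-built helper.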