added support for rootless mode (userns + systemd cgroupsv2 delegation) #345
m0mosenpai wants to merge 18 commits into open-lambda:main from
fixed clean up code, graceful fallback in case of no cgroup delegation
go/worker/helpers.go
Outdated
| return fmt.Errorf("failed to chmod base dir: %v", err) | ||
| } | ||
|
|
||
| // For rootless mode: if run with sudo, give olPath and worker dir to actual user |
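Review bot: The `fmt.Errorf("failed to chmod base dir: %v", err)` return at the top of this hunk formats the cause with `%v`, so callers cannot match it with `errors.Is` or `errors.As`; `%w` keeps the chain. The comment on the last line also does not say how the "actual user" is identified when the command runs under sudo, or what happens when it does not; since this is the step that changes ownership of olPath and the worker dir, both belong in that comment.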
I'm a little confused, why would somebody want rootless and then use sudo? Why is that a scenario we have to support instead of just doing the simplest thing possible (e.g., returning an error)?
@tylerharter I fixed the permissions above (reverted them back to 700s so the files are not visible to everyone else). But the base directory is created with 700 permission and since we sudo ./ol worker init, ./ol worker up doesn't work without root.
This change was meant to give the ownership to the real user so ./ol worker up can work without issues. I'm not sure if there's a better way to get around this.
| }, | ||
| } | ||
| if rootless { | ||
| attr.Sys = &syscall.SysProcAttr{ |
This code is the crux of what you're doing. I think it needs some more commenting. E.g., will it be obvious to people that "0" is the ID for root? Also need to explain what a user namespace is, and why that lets us run rootless.
| return "/sys/fs/cgroup" | ||
| } | ||
|
|
||
| panic(fmt.Errorf("systemd user cgroup delegation not available - cannot run rootless")) |
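Review bot: The `panic(fmt.Errorf(...))` on the last line aborts the whole process from inside a function that otherwise just returns a path (`return "/sys/fs/cgroup"` a few lines above). Returning an error alongside the path would let the caller report the missing delegation and run its cleanup; the message could also say what was checked so the user knows what to fix.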
I think instead of trying to integrate with systemd directly, I think it is more flexible if we let users configure the root cgroup to use. We can provide instructions for users to run "systemctl show --user --property=ControlGroup" and find this location and configure their OL accordingly.
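One way the configurable-root suggestion above could be checked at startup, as an added example that is not code from this PR or from OpenLambda. The helper name `resolveCgroupRoot`, the required controller list and the sample slice path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveCgroupRoot (hypothetical helper, not from the PR) maps the output of
// `systemctl show --user --property=ControlGroup` under the cgroup v2 mount and
// verifies the required controllers are available there. Errors, never panics.
func resolveCgroupRoot(systemctlOut, mount string, required []string) (string, error) {
	mount = filepath.Clean(mount)
	rel := ""
	for _, line := range strings.Split(systemctlOut, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "ControlGroup=") {
			rel = strings.TrimPrefix(line, "ControlGroup=")
		}
	}
	if !strings.HasPrefix(rel, "/") {
		return "", fmt.Errorf("no absolute ControlGroup= path in systemctl output")
	}
	root := filepath.Join(mount, rel) // Join cleans ".." segments
	if root != mount && !strings.HasPrefix(root, mount+string(filepath.Separator)) {
		return "", fmt.Errorf("cgroup path %q escapes %q", rel, mount)
	}
	// cgroup.controllers lists the controllers available to this cgroup.
	data, err := os.ReadFile(filepath.Join(root, "cgroup.controllers"))
	if err != nil {
		return "", fmt.Errorf("%s is not a usable cgroup v2 directory: %w", root, err)
	}
	have := map[string]bool{}
	for _, c := range strings.Fields(string(data)) {
		have[c] = true
	}
	for _, c := range required {
		if !have[c] {
			return "", fmt.Errorf("controller %q is not available in %s", c, root)
		}
	}
	return root, nil
}

func main() {
	// Constructed sample output; a real value comes from the systemctl command.
	out := "ControlGroup=/user.slice/user-1000.slice/user@1000.service/app.slice\n"
	fmt.Println(resolveCgroupRoot(out, "/sys/fs/cgroup", []string{"memory", "pids"}))
}
```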
Testing: