umoci has first class support for rootless containers, and in particular it supports rootless unpacking. This means that an unprivileged user can unpack and repack an image (which is not traditionally possible for most images), as well as generate a runtime configuration that can be used by runc to start a rootless container.
It should noted that the root filesystem created as an unprivileged user will
likely not match the root filesystem that a privileged user would create. The
reason for this is that there are a set of security restrictions imposed by the
operating system that stop us from creating certain device inodes and set-uid
binaries. umoci will do its best to try to emulate the correct behaviour, and
the runtime configuration generated will further try to emulate the correct
behaviour. umoci also supports the user.rootlesscontainers
specification,
which allows for further emulation of things like chown(2)
inside rootless
containers using tools like PRoot
.
% id -u
1000
% umoci unpack --rootless --image opensuse:42.2 bundle
• rootless{usr/bin/ping} ignoring (usually) harmless EPERM on setxattr "security.capability"
• rootless{usr/bin/ping6} ignoring (usually) harmless EPERM on setxattr "security.capability"
% runc run -b bundle rootless-ctr
bash-4.3# whoami
root
bash-4.3# tee /hostname </proc/sys/kernel/hostname
mrsdalloway
% umoci repack --image opensuse:new bundle
The above warnings can be safely ignored, they are caused by umoci not having sufficient privileges in this context. They are output purely to ensure that users are aware that the root filesystem they get might not be precisely the same as the one they’d get if they extracted it as a privileged user.