*** igordc has quit IRC | 00:45 | |
*** sameo has joined #kata-general | 06:32 | |
*** sgarzare has joined #kata-general | 06:58 | |
*** gwhaley has joined #kata-general | 08:03 | |
*** sameo has quit IRC | 10:05 | |
*** irclogbot_2 has quit IRC | 11:53 | |
*** irclogbot_2 has joined #kata-general | 11:54 | |
*** sameo has joined #kata-general | 12:01 | |
*** sameo has quit IRC | 13:07 | |
*** sameo has joined #kata-general | 13:42 | |
*** sameo has quit IRC | 14:02 | |
*** sameo has joined #kata-general | 15:13 | |
*** sgarzare has quit IRC | 16:18 | |
*** sameo has quit IRC | 16:47 | |
*** gwhaley has quit IRC | 17:02 | |
*** igordc has joined #kata-general | 17:34 | |
*** igordc has quit IRC | 17:36 | |
*** igordc has joined #kata-general | 17:36 | |
*** igordc has quit IRC | 19:37 | |
*** igordc has joined #kata-general | 20:10 | |
kata-irc-bot | <vltraheaven> Hello, in addition to the previous question I had about user-namespace support with kata-containers, I had another question. From the explanations provided in documentation surrounding kata-containers, the kata-runtime produces a qemu VM with 1 processor and 2048 GB of ram by default, then creates a container (which I am assuming is RunV or a RunV-like container runtime) within the resulting virtual machine. Since I’m a fan of | 21:28 |
kata-irc-bot | defense in depth, I think it would be nice to have a more granulized control of the conditions within the VM itself to do things like assign user-namespaces or use a sandboxing runtime within the VM like gVisor. It seems like Minikube functions exactly like this, giving the ability to create a VM, link a local Docker Daemon to the VM and use alternate runtimes within the VM itself. I haven’t found documentation on how to achieve this with | 21:28 |
kata-irc-bot | Kata yet, though. Is this functionality present and, if not, is this something that the developers are considering? | 21:28 |
kata-irc-bot | <vltraheaven> For the original question, I have noticed in the configuration.toml file there being a field to pass kernel parameters. I’ll test passing the ‘kernel.unprivileged_userns_clone=1’ kernel param to the runtime, but from what I’ve deduced this will only enable user namespaces in the VM’s kernel, and would not cover creating the unprivileged user, mapping the uid and gid and writing the necessary /etc/uid|gid files to the VM. | 21:39 |
kata-irc-bot | there isn’t a direct answer, dropping a clue or a supposition would help me to find the answer on my own. Thanks again! | 21:39 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!