|
2 | 2 |
|
3 | 3 | RootlessKit is a Linux-native implementation of "fake root" using [`user_namespaces(7)`](http://man7.org/linux/man-pages/man7/user_namespaces.7.html). |
4 | 4 |
|
5 | | -The purpose of RootlessKit is to run [Docker and Kubernetes as an unprivileged user (known as "Rootless mode")](https://github.com/rootless-containers/usernetes), so as to protect the real root on the host from potential container-breakout attacks. |
| 5 | +The purpose of RootlessKit is to run [Docker](https://rootlesscontaine.rs/getting-started/docker/) and [Kubernetes](https://rootlesscontaine.rs/getting-started/kubernetes/) as an unprivileged user (known as "Rootless mode"), so as to protect the real root on the host from potential container-breakout attacks. |
6 | 6 |
|
7 | 7 | <!-- START doctoc generated TOC please keep comment here to allow auto update --> |
8 | 8 | <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> |
@@ -92,14 +92,14 @@ See also https://rootlesscontaine.rs/getting-started/common/subuid/ |
92 | 92 |
|
93 | 93 | ### sysctl |
94 | 94 |
|
95 | | -Some distros require setting up sysctl: |
| 95 | +Old distros may require setting up sysctl such as `kernel.unprivileged_userns_clone=1`: |
| 96 | +See <https://rootlesscontaine.rs/getting-started/common/sysctl/>. |
96 | 97 |
|
97 | | -- Debian (excluding Ubuntu) and Arch: `sudo sh -c "echo 1 > /proc/sys/kernel/unprivileged_userns_clone"` |
98 | | -- RHEL/CentOS 7 (excluding RHEL/CentOS 8): `sudo sh -c "echo 28633 > /proc/sys/user/max_user_namespaces"` |
| 98 | +### AppArmor |
99 | 99 |
|
100 | | -To persist sysctl configurations, edit `/etc/sysctl.conf` or add a file under `/etc/sysctl.d`. |
101 | | - |
102 | | -See also https://rootlesscontaine.rs/getting-started/common/sysctl/ |
| 100 | +On Ubuntu 24.04 or later, the `rootlesskit` binary is expected to be exactly under `/usr/bin`. |
| 101 | +To install `rootlesskit` on other paths such as `/usr/local/bin`, you need to install a custom AppArmor profile. |
| 102 | +See <https://rootlesscontaine.rs/getting-started/common/apparmor/>. |
103 | 103 |
|
104 | 104 | ## Usage |
105 | 105 |
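Review bot: the sysctl rewrite drops the RHEL/CentOS 7 hint (`user.max_user_namespaces`, old line 98) and keeps only `kernel.unprivileged_userns_clone=1`, so a CentOS 7 reader now gets nothing beyond the link; consider naming both, e.g. `Old distros may require sysctl settings such as kernel.unprivileged_userns_clone=1 (Debian, Arch) or user.max_user_namespaces=28633 (RHEL/CentOS 7).` New line 95 also ends with a colon but is followed by a sentence rather than a list, so end it with a period. In the AppArmor section, "expected to be exactly under `/usr/bin`" reads oddly; "must be installed as `/usr/bin/rootlesskit`" is clearer, and a short clause saying why (AppArmor profiles are attached to the binary's path, which is why another path needs its own profile) would save the reader a click.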
|
@@ -154,7 +154,7 @@ USAGE: |
154 | 154 | rootlesskit [global options] [arguments...] |
155 | 155 |
|
156 | 156 | VERSION: |
157 | | - 2.0.0-alpha.0 |
| 157 | + 3.0.0-rc.0 |
158 | 158 |
|
159 | 159 | DESCRIPTION: |
160 | 160 | RootlessKit is a Linux-native implementation of "fake root" using user_namespaces(7). |
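Review bot: the VERSION line now reads 3.0.0-rc.0, but the usage block is a pasted snapshot; confirm it was regenerated from the 3.0.0-rc.0 binary's `--help` output rather than edited line by line, since a major version bump usually brings option changes beyond the ones patched in the next hunk and the README would silently drift from the binary.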
@@ -186,50 +186,51 @@ OPTIONS: |
186 | 186 | |
187 | 187 | Mount: |
188 | 188 | --copy-up value [ --copy-up value ] mount a filesystem and copy-up the contents. e.g. "--copy-up=/etc" (typically required for non-host network) |
189 | | - --copy-up-mode value copy-up mode [tmpfs+symlink] |
190 | | - --propagation value mount propagation [rprivate, rslave] |
| 189 | + --copy-up-mode value copy-up mode [tmpfs+symlink] (default: "tmpfs+symlink") |
| 190 | + --propagation value mount propagation [rprivate, rslave] (default: "rprivate") |
191 | 191 | |
192 | 192 | Network: |
193 | | - --net value network driver [host, pasta(experimental), slirp4netns, vpnkit, lxc-user-nic(experimental)] |
| 193 | + --net value network driver [host, none, pasta(experimental), slirp4netns, vpnkit, lxc-user-nic(experimental), gvisor-tap-vsock(experimental)] (default: "host") |
194 | 194 | --mtu value MTU for non-host network (default: 65520 for pasta and slirp4netns, 1500 for others) (default: 0) |
195 | | - --cidr value CIDR for pasta and slirp4netns networks (default: 10.0.2.0/24) |
| 195 | + --cidr value CIDR for pasta, slirp4netns and gvisor-tap-vsock networks (default: 10.0.2.0/24) |
196 | 196 | --ifname value Network interface name (default: tap0 for pasta, slirp4netns, and vpnkit; eth0 for lxc-user-nic) |
197 | 197 | --disable-host-loopback prohibit connecting to 127.0.0.1:* on the host namespace (default: false) |
198 | 198 | --ipv6 enable IPv6 routing. Unrelated to port forwarding. Only supported for pasta and slirp4netns. (experimental) (default: false) |
199 | 199 | --detach-netns detach network namespaces (default: false) |
200 | 200 | |
201 | 201 | Network [lxc-user-nic]: |
202 | 202 | --lxc-user-nic-binary value path of lxc-user-nic binary for --net=lxc-user-nic |
203 | | - --lxc-user-nic-bridge value lxc-user-nic bridge name |
| 203 | + --lxc-user-nic-bridge value lxc-user-nic bridge name (default: "lxcbr0") |
204 | 204 | |
205 | 205 | Network [pasta]: |
206 | | - --pasta-binary value path of pasta binary for --net=pasta |
| 206 | + --pasta-binary value path of pasta binary for --net=pasta (default: "pasta") |
207 | 207 | |
208 | 208 | Network [slirp4netns]: |
209 | | - --slirp4netns-binary value path of slirp4netns binary for --net=slirp4netns |
210 | | - --slirp4netns-sandbox value enable slirp4netns sandbox (experimental) [auto, true, false] (the default is planned to be "auto" in future) |
211 | | - --slirp4netns-seccomp value enable slirp4netns seccomp (experimental) [auto, true, false] (the default is planned to be "auto" in future) |
| 209 | + --slirp4netns-binary value path of slirp4netns binary for --net=slirp4netns (default: "slirp4netns") |
| 210 | + --slirp4netns-sandbox value enable slirp4netns sandbox (experimental) [auto, true, false] (the default is planned to be "auto" in future) (default: "false") |
| 211 | + --slirp4netns-seccomp value enable slirp4netns seccomp (experimental) [auto, true, false] (the default is planned to be "auto" in future) (default: "false") |
212 | 212 | |
213 | 213 | Network [vpnkit]: |
214 | | - --vpnkit-binary value path of VPNKit binary for --net=vpnkit |
| 214 | + --vpnkit-binary value path of VPNKit binary for --net=vpnkit (default: "vpnkit") |
215 | 215 | |
216 | 216 | Port: |
217 | | - --port-driver value port driver for non-host network. [none, implicit (for pasta), builtin, slirp4netns] |
| 217 | + --port-driver value port driver for non-host network. [none, implicit (for pasta), builtin, slirp4netns, gvisor-tap-vsock(experimental)] (default: "none") |
218 | 218 | --publish value, -p value [ --publish value, -p value ] publish ports. e.g. "127.0.0.1:8080:80/tcp" |
| 219 | + --source-ip-transparent preserve real client source IP using IP_TRANSPARENT (builtin port driver) (default: true) |
219 | 220 | |
220 | 221 | Process: |
221 | 222 | --pidns create a PID namespace (default: false) |
222 | 223 | --cgroupns create a cgroup namespace (default: false) |
223 | 224 | --utsns create a UTS namespace (default: false) |
224 | 225 | --ipcns create an IPC namespace (default: false) |
225 | | - --reaper value enable process reaper. Requires --pidns. [auto,true,false] |
| 226 | + --reaper value enable process reaper. Requires --pidns. [auto,true,false] (default: "auto") |
226 | 227 | --evacuate-cgroup2 value evacuate processes into the specified subgroup. Requires --pidns and --cgroupns |
227 | 228 | |
228 | 229 | State: |
229 | 230 | --state-dir value state directory |
230 | 231 | |
231 | 232 | SubID: |
232 | | - --subid-source value the source of the subids. "dynamic" executes /usr/bin/getsubids. "static" reads /etc/{subuid,subgid}. [auto,dynamic,static] |
| 233 | + --subid-source value the source of the subids. "dynamic" executes /usr/bin/getsubids. "static" reads /etc/{subuid,subgid}. [auto,dynamic,static] (default: "auto") |
233 | 234 | |
234 | 235 | ``` |
235 | 236 |
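Review bot: `--source-ip-transparent` (new line 219) is a default-on option that changes observable behaviour of the builtin port driver (forwarded connections now carry the real client source IP via IP_TRANSPARENT), yet the help text says nothing about what happens with the other port drivers or when IP_TRANSPARENT cannot be used; state whether the flag is ignored or the run fails, e.g. `... (builtin port driver only; ignored for other drivers)`. Smaller consistency points: `--net` and `--cidr` now list gvisor-tap-vsock, but the `--ifname` default on line 196 still names only pasta, slirp4netns, vpnkit and lxc-user-nic, and `--net=none` is not covered there either; and `--slirp4netns-sandbox` / `--slirp4netns-seccomp` now carry two parentheticals in a row (`(the default is planned to be "auto" in future) (default: "false")`), which is worth collapsing into one, particularly since these are the slirp4netns hardening switches and remain off by default.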
|
|