View Source Stdio.Rootless (stdio v0.4.4)

Linux processes running in a user namespace.

Proof of concept behaviour to run "rootless" Linux processes or processes that have root privileges in a user namespace.

Privileges

No extra privileges are required but user namespaces must be enabled on your platform:

$ sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 1

# to enable:
$ sysctl -w kernel.unprivileged_userns_clone=1

Operations

Note

To mount a namespaced root (chroot) directory, the chroot directory structure must be created before using this behaviour.

See Stdio.Container.make_chroot_tree!/0 and Stdio.Container.make_chroot_tree!/1.

See Stdio.config/0 for configuration options.

Examples

iex> Stdio.stream!("pstree", Stdio.Rootless) |> Enum.to_list()
[stdout: "Supervise---sh---pstree\n", exit_status: 0]

iex(1)> Stdio.stream!("ip --oneline -4 addr show dev lo", Stdio.Rootless, net: :host, setuid: true) |> Enum.to_list()
[
  stdout: "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n",
  exit_status: 0
]