Feature request description
Running rootful-in-rootless requires something like this:
$ podman run --device /dev/fuse --security-opt unmask=ALL podman sh -c 'id; podman run --mount type=bind,source=/dev/null,target=/dev/mqueue alpine id'
The --device can be specified in containers.conf like this:
[containers]
devices=["/dev/fuse:/dev/fuse:rwm"]
And the /dev/mqueue stuff is containers/crun#2080. However, I can't seem to find a way to specify --security-opt unmask=ALL as a default in containers.conf, to make it all work without manual overrides. It would be nice to have that.
Suggest potential solution
Add an option to containers.conf to specify unmask options, similar to --security-opt unmask=
Have you considered any alternatives?
I haven't been able to find any other way to do this. The goal is to make this work with forgejo-runner, which hits the Docker API of the podman daemon and there's no way to pass in something like --security-opt unmask=ALL through that stack.
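Whatever form a containers.conf default takes, unmask=ALL removes every path the runtime normally hides from the container (masked files are bind mounts of /dev/null, masked directories are empty tmpfs mounts), so an administrator setting it globally should be able to see what became visible. The shell snippet below is an added example, not code from the issue or from podman: it reads a mountinfo listing and reports which of a given set of paths are still masked. The default masked-path list and the sample mountinfo are assumptions constructed for the example; check the list against your own runtime's configuration.

```shell
# Constructed sample of /proc/self/mountinfo as seen inside a container where the
# runtime masked /proc/kcore (bind of /dev/null) and /proc/acpi (empty tmpfs) but
# nothing masked /proc/keys. Field 5 of each line is the mount point.
SAMPLE_MOUNTINFO='30 29 0:25 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
31 30 0:6 /null /proc/kcore rw,nosuid - devtmpfs devtmpfs rw,size=1024k
32 30 0:31 / /proc/acpi ro,relatime - tmpfs tmpfs ro
33 29 0:27 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro'

# Assumed default masked paths of a podman/crun setup; verify against your own
# containers.conf rather than trusting this list.
DEFAULT_MASKED='/proc/acpi /proc/kcore /proc/keys /proc/latency_stats /proc/sched_debug /proc/scsi /proc/timer_list /proc/timer_stats /sys/dev/block /sys/firmware /sys/fs/selinux'

# mask_report LIST MOUNTINFO: for each path in LIST, print "masked <path>" when
# it appears as its own mount point in MOUNTINFO (how runtimes implement masking),
# otherwise "exposed <path>".
mask_report() {
  printf '%s\n' "$2" | awk -v list="$1" '
    BEGIN { n = split(list, want, " ") }
    { seen[$5] = 1 }
    END {
      for (i = 1; i <= n; i++)
        printf "%s %s\n", (want[i] in seen) ? "masked" : "exposed", want[i]
    }'
}

# exposed_count LIST MOUNTINFO: number of paths in LIST that are not masked.
# Inside a running container, use the live view:
#   exposed_count "$DEFAULT_MASKED" "$(cat /proc/self/mountinfo)"
# With the default masks in place this is 0; after unmask=ALL it equals the
# size of the list.
exposed_count() {
  mask_report "$1" "$2" | awk '/^exposed/ { c++ } END { print c + 0 }'
}
```

Run it from inside the container whose defaults you are changing (for example via the rootful-in-rootless command above, with and without the security option) and compare the two reports; the difference is exactly the set of kernel interfaces the new default hands to every workload.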