Rootless support
I see #52 is open for networking in rootless mode. However, it's not yet clear in the docs how to run anything at all in rootless mode. I believe the bare minimum would be systemd-run --user --property=Delegate=true ./target/debug/auraed ..., but that doesn't really help (cell 'my-cell' could not be allocated: Operation not permitted (os error 1)). The origin of the error is unclear, but it is likely in cgroup creation.
OS: Fedora 37, SELinux: enforcing, running systemd with cgroupv2.
AuraeScript code that was run:
```typescript
import * as runtime from "./auraescript/gen/runtime.ts";

// Client for the CellService exposed by auraed (generated gRPC bindings).
let cells = new runtime.CellServiceClient();

// Allocate a cell named "my-cell" with 2 CPUs. The error quoted above
// ("could not be allocated: Operation not permitted") comes from this call.
let allocated = await cells.allocate(<runtime.AllocateCellRequest>{
    cell: runtime.Cell.fromPartial({
        name: "my-cell",
        cpus: "2"
    })
});

// Start a long-running executable inside the allocated cell.
let started = await cells.start(<runtime.StartExecutableRequest>{
    executable: runtime.Executable.fromPartial({
        cellName: "my-cell",
        command: "sleep 4000",
        description: "Sleep for 4000 seconds",
        name: "sleep-4000"
    })
});
```
Sorry if something is very wrong on my side: I've only started working with Aurae, but very excited to start working with it, maybe contributing some code.
This is great! Thanks for bringing this up. We still have a lot of work to do with rootless mode. Currently, allocating cells requires privileged mode with Aurae; however, we are working towards Aurae being the daemon and the clients being able to schedule network devices without privilege.
For example if you run
sudo -E auraed
you will be able to execute AuraeScript against the daemon and it should work.
In the future we will allow that same AuraeScript (or any client) to be able to schedule networks and interfaces without root privileges. Hope this helps.
I'll be happy to work on this, thanks for explaining
Now it says cell 'my-cell' could not be allocated: File not found: /proc/0. Also, if I Ctrl-C the auraed process, it leaves cgroups behind, requiring me to rmdir them manually.
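A small probe script for the two problems raised above, added here as an example and not part of Aurae or this thread: it checks whether the calling process actually landed in a delegated cgroup v2 subtree (the situation you hope to get from `systemd-run --user --property=Delegate=true ...`), and it lists the empty "cell" cgroups an interrupted auraed left behind so they can be removed with rmdir. It assumes cgroup v2 is mounted at /sys/fs/cgroup (overridable) and that cells appear as direct child cgroups of whatever directory you point it at; the thread does not say where auraed creates its cells, so that layout is an assumption. The fixture used in the usage note below is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Aurae project code. Probes cgroup v2 delegation for the
# current process and finds stale, empty cell cgroups under a given root.
set -u

# Turn the contents of /proc/self/cgroup into an absolute cgroupfs directory.
# cgroup v2 has a single hierarchy whose line looks like "0::/user.slice/...".
# $1: /proc/self/cgroup contents, $2: cgroup mount point (default /sys/fs/cgroup)
cgroup_dir_from_proc() {
    local proc_content="$1" root="${2:-/sys/fs/cgroup}" rel
    rel=$(printf '%s\n' "$proc_content" | sed -n 's/^0::\(.*\)$/\1/p' | head -n 1)
    [ -n "$rel" ] || return 1          # no v2 line: not a cgroup v2 system
    printf '%s%s\n' "$root" "$rel"
}

# A subtree is delegated to us only if we may attach processes to it and
# enable controllers for its children; systemd chowns exactly these files to
# the delegatee. Returns 0 if both are writable, 1 otherwise.
cgroup_is_delegated() {
    local dir="$1"
    [ -w "$dir/cgroup.procs" ] && [ -w "$dir/cgroup.subtree_control" ]
}

# The definitive test: create and immediately remove a throwaway child cgroup.
# This is the operation that fails with EPERM when auraed lacks delegation.
probe_cgroup_create() {
    local probe="$1/aurae-probe-$$"
    mkdir "$probe" 2>/dev/null || return 1
    rmdir "$probe"
}

# Print every cgroup directly under $1 that has no attached processes and no
# child cgroups: the kind of empty cell left behind when auraed is killed.
# cgroupfs reports a size of 0 for all control files, so the content of
# cgroup.procs is read rather than tested with -s.
list_stale_cells() {
    local root="$1" d c has_child
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        d="${d%/}"
        [ -f "$d/cgroup.procs" ] || continue    # not a cgroup directory
        grep -q . "$d/cgroup.procs" && continue # still has processes
        has_child=0
        for c in "$d"/*/; do [ -d "$c" ] && has_child=1 && break; done
        [ "$has_child" -eq 1 ] && continue      # has child cgroups; rmdir would fail
        printf '%s\n' "$d"
    done
}

# rmdir each stale cell. On real cgroupfs rmdir succeeds for an empty cgroup;
# the kernel removes the control files itself.
remove_stale_cells() {
    local d
    list_stale_cells "$1" | while IFS= read -r d; do
        rmdir "$d" && echo "removed $d"
    done
}

main() {
    local self
    self=$(cgroup_dir_from_proc "$(cat /proc/self/cgroup)") || {
        echo "no cgroup v2 hierarchy found for this process"; return 1; }
    echo "own cgroup: $self"
    if cgroup_is_delegated "$self" && probe_cgroup_create "$self"; then
        echo "delegated: child cgroups (cells) can be created here"
    else
        echo "not delegated: run under 'systemd-run --user -p Delegate=yes' or as root"
    fi
    echo "stale cells under own cgroup:"
    list_stale_cells "$self"
}

# Only probe the live system when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `systemd-run --user --property=Delegate=yes --pty bash ./probe.sh --run` and compare with a plain `bash ./probe.sh --run` from an interactive shell: the first should report a delegated subtree, the second normally will not, because an interactive session's cgroup belongs to the user manager rather than to you. Point `remove_stale_cells` at the directory auraed creates cells in to clean up after a Ctrl-C, but inspect `list_stale_cells` output first, since any empty child cgroup there is treated as a leftover.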
I believe the end state we want to get to is:
- auraed runs from systemd, as a user that has permission to create and destroy cgroups (v2).
- clients (auraescript, ae, aer, etc.) connect to auraed over gRPC and can run as any regular user.
I don't think we're very far from this today, though we don't have systemd configs set up.
That would not be rootless, but potentially that is not a critical feature for now? Worth closing, IMO.
At the moment there's no support for running auraed without root, or at least without a user with permission to create cgroups and maybe more.
So I think this is not an unknown issue, and I will close it.