aurae icon indicating copy to clipboard operation
aurae copied to clipboard
verified publisher icon aurae-runtime

Rootless support

Open dsseng opened this issue 3 years ago • 3 comments

I see #52 is open for networking in rootless mode. However, it's not yet clear in docs how to run anything at all in rootless mode. I believe the bare minimum would be systemd-run --user --property=Delegate=true ./target/debug/auraed ..., but that doesn't really help (cell 'my-cell' could not be allocated: Operation not permitted (os error 1)). The origin of error is unclear, but likely to be in cgroup creation.

OS: Fedora 37, SELinux: enforcing, running systemd with cgroupv2.

AuraeScript code ran:

import * as runtime from "./auraescript/gen/runtime.ts"

let cells = new runtime.CellServiceClient();

let allocated = await cells.allocate(<runtime.AllocateCellRequest>{
    cell: runtime.Cell.fromPartial({
        name: "my-cell",
        cpus: "2"
    })
});

let started = await cells.start(<runtime.StartExecutableRequest>{
    executable: runtime.Executable.fromPartial({
        cellName: "my-cell",
        command: "sleep 4000",
        description: "Sleep for 4000 seconds",
        name: "sleep-4000"
    })
})

Sorry if something is very wrong on my side: I've only started working with Aurae, but very excited to start working with it, maybe contributing some code.

dsseng avatar Jan 07 '23 19:01 dsseng

This is great! Thanks for bringing this up. We still have a lot of work to do with rootless mode. Currently allocating cells require privileged mode with Aurae however we are working towards Aurae being the daemon and the clients being able to schedule network devices without privilege.

For example if you run

sudo -E auraed

you will be able to execute AuraeScript against the daemon and it should work.

In the future we will allow that same AuraeScript (or any client) to be able to schedule networks and interfaces without root privileges. Hope this helps.

krisnova avatar Jan 08 '23 03:01 krisnova

I'll be happy to work on this, thanks for explaining

dsseng avatar Jan 08 '23 06:01 dsseng

Now it says cell 'my-cell' could not be allocated: File not found: /proc/0. Also, if I Ctrl-C the auraed process, it leaves cgroups behind requiring me to rmdir them manually.

dsseng avatar Jan 08 '23 06:01 dsseng

i believe the end state we want to get to is:

  1. auraed runs from systemd, as a user that has permission to create and destroy cgroups (v2).
  2. clients (auraescript, ae, aer, etc) connect to auraed over gRPC and can run as any regular user.

i don't think we're very far from this today, though we don't have systemd configs set up.

dmah42 avatar Jun 25 '24 14:06 dmah42

That would not be rootless, but potentially that is not a critical feature for now? worth closing imo

bpmooch avatar Aug 04 '24 13:08 bpmooch

at the moment there's no support for running auraed without root, or at least without a user with permission to create cgroups and maybe more.

so I think this issue is not an unknown issue, so I will close it.

dmah42 avatar Aug 04 '24 19:08 dmah42