Polish documentation for using BenchExec in a container

We want to provide a full usable command line in the main installation docs and not have the information split on two documentation pages. Using the container mode of BenchExec is not so rare anymore that we document it separately. And because people misunderstand what to do for Docker, also copy the instructions for Docker into the main documentation.
sosy-lab · May 29, 2024 · 901b50c · 901b50c
1 parent 6467aa5
commit 901b50c
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 7 deletions.
diff --git a/doc/INSTALL.md b/doc/INSTALL.md
@@ -334,20 +334,32 @@ If you want to run BenchExec inside a container,
 we recommend Podman and systems with cgroups v2.
 Then use the following command-line arguments:
 
-    podman run --security-opt unmask=/sys/fs/cgroup --cgroups=split ...
-
-This will work if BenchExec is the main process inside the container,
-otherwise you need to create an appropriate cgroup hierarchy inside the container,
+    podman run --security-opt unmask=/sys/fs/cgroup --cgroups=split --security-opt unmask=/proc/* --security-opt seccomp=unconfined ...
+
+This allows BenchExec to use cgroups and create its own containers inside the Podman container.
+
+Using Docker is also possible, but only using the `--privileged` argument.
+However, this gives your Docker container *full root access* to the host,
+so please also add the `--cap-drop=all` flag,
+make sure to use this only with trusted images,
+and configure your Docker container such that everything in it
+is executed under a different user account, not as root.
+BenchExec is not designed to run as root and does not provide
+any safety guarantees regarding its container under this circumstances.
+
+For both Podman and Docker this will work
+if BenchExec is the main process inside the container,
+otherwise you need to manually create an appropriate cgroup hierarchy inside the container,
 i.e., one where BenchExec has its own separate cgroup.
 
-For other cases, e.g., with cgroups v1,
+For systems with cgroups v1,
 please use the following command line argument
 to mount the cgroup hierarchy within the container when starting it
 (same for Podman):
 
     docker run -v /sys/fs/cgroup:/sys/fs/cgroup:rw ...
 
-Note that you additionally need some flags for container mode,
+Note that you need some additional flags for container mode,
 which are explained in the [container documentation](container.md#using-benchexec-in-a-dockerpodman-container).
 
 ### Testing Cgroups Setup and Known Problems

diff --git a/doc/container.md b/doc/container.md
@@ -185,7 +185,7 @@ because it provides "rootless" containers
 To use BenchExec within Podman,
 start it as a regular user (not root) and use the following arguments:
 ```
-podman run --security-opt unmask=/proc/* --security-opt unmask=/sys/fs/cgroup --security-opt seccomp=unconfined ...
+podman run --security-opt unmask=/proc/* --security-opt seccomp=unconfined ...
 ```
 You may additionally need the arguments documented for
 [cgroup usage](INSTALL.md#setting-up-cgroups-in-a-dockerpodman-container).