[Improvement] Map host's groups in the container #121
Comments
89luca89
added
enhancement
|
containers/podman#10166 (comment) Here a nice explanation of what's happening in the container. So doing an experiment with the On the host we have an user in the ~$ id
uid=1001(luca-linux) gid=1001(luca-linux) groups=1001(luca-linux),135(libvirt)
~$ mkdir ~/test; chmod 0770 ~/test; sudo chown root:libvirt ~/test
~$ ls -ld ~/test
drwxrwx--- 2 root libvirt 4096 gen 16 01:01 /home/luca-linux/testIf we create the new container with the proper flag, in the container we'll see: luca.di.maio@test:~$ ls -ld test
drwxrwx--- 2 nobody nobody 4096 Jan 16 01:01 testSeems like the luca.di.maio@test:~$ ls -la test
total 8
drwxrwx--- 2 nobody nobody 4096 Jan 16 01:01 .
drwxr-xr-x 33 luca.di.maio luca.di.maio 4096 Jan 16 01:01 ..If from outside the container we change the group to something else: ~$ chown root:video test/
~$ distrobox enter test
luca.di.maio@test:~$ ls -la test
ls: cannot open directory 'test': Permission denied
luca.di.maio@test:~$ ls -ld test
drwxrwx--- 2 nobody nobody 4096 Jan 16 01:01 testAs explained in the linked issue, the group keeps what the parent process can do (so in this case what the $USER can do outside the container) and propagate it inside the container. Group names/ids are still not mapped inside. This is still enough to grant the funcionality for sockets like docker, libvirtd and so on |
As for now, if using rootless podman, it is not possible to access files from other groups.
This makes impossible to use, from within the rootless container, suff like
A possible solution is to use the annotation:
--annotation run.oci.keep_original_groups=1As stated in this RedHat article with that flag crun will be instructed to map also other groups inside the container, not only the user and root.
Let's think of this as a default that can be toggled off for #28
The text was updated successfully, but these errors were encountered: