[FEATURE REQUEST]: --userns=auto for build #4060

Closed
lukasmrtvy opened this issue Jun 16, 2022 · 6 comments · Fixed by #4064

Comments

@lukasmrtvy

Description

It would be great to have feature parity with podman run and implement support for the --userns=auto flag for buildah. Thanks

@flouthoc
Collaborator

@lukasmrtvy Thanks for creating the issue. I'll take a look at this. It would be nice if the RFE also contained a small gist about the actual use case which you are trying with build containers by running in a unique user ns.

@lukasmrtvy
Author

lukasmrtvy commented Jun 17, 2022

Use case:

  • building and running third-party content on a single machine (without any additional isolation/abstraction); typically it can be a workflow scheduler/executor that runs arbitrary code from multiple users

Workaround:

  • running buildah in podman like podman run --userns=auto --isolation=chroot ... can probably do the trick, but it could be a complex task to solve, as it involves exporting and reusing a tar artifact

Does it make sense?

Thanks

@flouthoc
Collaborator

@lukasmrtvy Sure thanks for sharing and makes sense to me :)

@lukasmrtvy
Author

lukasmrtvy commented Aug 24, 2022

I am trying this implementation in Podman 4.2.0. It seems it's working via the CLI, but the API call does not work.

Dockerfile

cat << EOF > Dockerfile
FROM alpine
RUN cat /proc/self/uid_map
EOF

Works correctly via CLI

podman build -t test --userns=auto .

Does not work via API

tar -czf context.tar.gz Dockerfile
curl -s --unix-socket /run/podman/podman.sock -X POST  -H "Content-Type:application/tar"  --data-binary "@context.tar.gz"   'http://d/v4.2.0/libpod/build?userns=auto'

@flouthoc
Collaborator

@lukasmrtvy ackd.

@flouthoc
Collaborator

flouthoc commented Aug 25, 2022

This is a bug, I think, happening because IDMappingOptions ( https://github.com/containers/buildah/blob/main/define/build.go#L220 ) is not wired to the API end, so this must be implemented at the bindings end and must be processed and supplied to the API end here: https://github.com/containers/podman/blob/main/pkg/api/handlers/compat/images_build.go#L603

I'm assigning this issue to myself.
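
A checker for the output of the Dockerfile test in the Aug 24 comment, added here as an example that is not part of the original thread or of Podman/Buildah: it reads the `/proc/self/uid_map` lines printed by the `RUN` step and reports whether container UID 0 is still host UID 0. It assumes a rootful build, so that the second column is a host UID; the helper name `classify_uid_map` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helper, not part of podman or buildah.
# Classifies uid_map text as printed by `RUN cat /proc/self/uid_map`.
# Each uid_map line is: <first ID inside ns> <first ID outside ns> <length>.
classify_uid_map() {
    printf '%s\n' "$1" | awk '
        # Only consider lines made of exactly three unsigned integers,
        # so surrounding build output (STEP lines, image IDs) is ignored.
        NF == 3 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            seen = 1
            if ($1 == 0) {
                root_mapped = 1
                root_outside = $2
                # The initial user namespace maps the whole 32-bit range 1:1.
                if ($2 == 0 && $3 == 4294967295) full = 1
            }
        }
        END {
            if (!seen)                  print "unparsed"
            else if (full)              print "host-identity"
            else if (!root_mapped)      print "no-root-mapping"
            else if (root_outside == 0) print "root-is-host-root"
            else                        print "remapped"
        }'
}

# Constructed sample outputs (values are illustrative, not taken from the issue).
sample_no_userns='STEP 2/2: RUN cat /proc/self/uid_map
         0          0 4294967295'
sample_auto='STEP 2/2: RUN cat /proc/self/uid_map
         0     524288       1024'

echo "without user namespace: $(classify_uid_map "$sample_no_userns")"
echo "with remapped root:     $(classify_uid_map "$sample_auto")"
```

Feeding it the log of the CLI build and the log of the API build gives a direct comparison of whether `userns=auto` took effect in each.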
