-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support single-uid/gid rootless mode #1651
Comments
@giuseppe WDYT on this one? |
we internally support it for testing but I don't think it should be enabled for all users, as most images will stop working. On the other hand, I don't like to put arbitrary limitations if the users wish so, maybe it can be a configuration for |
I suggest setting |
@AkihiroSuda @giuseppe What is going on with this issue? |
Would be valuable in an Active Directory environment. |
We need to get /etc/subuid and /etc/subgid into nsswitch so it can be managed in ldap, Active Directory/IPA. |
I don't disagree that tons of images won't work with a single uid, but there are also simple use cases where we'd like to use podman as a glorified chroot running a single process as the existing user. In those cases, everything inside the image should be owned by that user, and arguably the container user should also remain that user (rather than becoming root in the container). |
How hard would it be to automatically squash all the uids in the image down to a single one? |
I don't think there needs to be any uid squashing, it just needs to skip the lchown after the image layers are downloaded. |
As the image is pulled they are lchowned not afterwards. The UIDs are set at while the image is being installed. I have no problem with allowing any UID Range. And throwing errors when UID's are chosen outside of the range. Currently podman is requiring 65000 or so UIDs, which I think is wrong. We should just go with whatever is defined in /etc/subuid and /etc/subgid and setup the usernamespace + the users UID. If there is nothing in /etc/subuid and /etc/subgid, we should just warn and continue. |
I will work on this feature, since so many users are asking for it. We should improve the errors in containers/storage to detect if the id is not available and error out if the image requires so. |
PR here: #2604 |
we were playing safe and not allowed any container to have less than 65536 mappings. There are a couple of reasons to change it: - it blocked libpod to work in an environment where newuidmap/newgidmap are not available, or not configured. - not allowed to use different partitions of subuids, where each user has less than 65536 ids available. Hopefully this change in containers/storage: containers/storage#303 will make error clearers if there are not enough IDs for the image that is being used. Closes: containers#1651 Signed-off-by: Giuseppe Scrivano <[email protected]>
kind feature
Description
In a multi-rootless-tenant setup where users are authenticated via NIS, it's not practical to deploy /etc/subuid or /etc/subgid. In those cases, we must run in single-uid/gid mode, at least until there is support for some sort of dynamic subuid assignment.
Off the top of my head, we would need a few changes to support single-uid/gid mode:
I'm not an expert in the podman codebase, so opening this up as more of a discussion to see what complications may arise.
The text was updated successfully, but these errors were encountered: