Option to use UIDs only once #7778
Comments
@rhatdan PTAL
To the best of my knowledge, we don't have a way to do that yet. A challenge is to keep track of which IDs are used where and when.
To give more context: I am currently doing something like this before starting the container:
So you would like something like
where the volume would get chowned to match the UID_inside mapped to the user namespace, similar to what we do with :Z and :z?
This would be convenient since it eliminates the first step (or parts of it, since I would still have to query the UID_INSIDE somehow first). However, the reason for this feature request is the fact that many containers (of arbitrary images) will end up having the same UID_INSIDE, which would not separate the namespaces on the filesystem level if bind mounts are used, unless podman learns to give out mapped UIDs only once somehow.
But I am not even sure that this is what people want. They might have volumes that they want to share between containers and want the UIDs to be the same. I don't see a way for podman to necessarily know the UID of the container unless it is specified in the image, i.e. the default for the container.
We have thought about chowning based on the UID of the volume. In this case, if the container ran as the apache user, then podman would chown the volume to match the apache user based on the user namespace that you assigned. I think we could get you partially what you want with a feature like this and then the --userns=auto feature. Then each container would be run in a different user namespace, and would have different owners of the volume.
You mean podman would look at the volume folder ownership on the inside and chown the folder on the outside so that it matches the reverse-mapped user? Sounds super useful. +1
If I understand that correctly, it's pretty much exactly what I want :) Reminds me a little bit of systemd's DynamicUser=yes. The :U addition combined with --userns=auto would also allow me to start the container with a single podman command as a bonus.
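As an added example that is not part of this thread and not podman's own code, the following POSIX shell script works through the mapping rhatdan and the reporter are discussing: it computes which host UID a UID inside a container's user namespace lands on, reading a uid_map in the kernel's three-column format, so that the same UID_INSIDE in two containers with disjoint maps (as --userns=auto would assign) gets two different host owners, while two containers sharing one map collide. The map ranges, the paths /srv/app-a and /srv/app-b, and the function names map_uid and prechown_command are assumptions made for the example; the podman command at the end is shown only as a comment and should be checked against the podman version in use.

```shell
#!/bin/sh
# Added example, not code from the podman project or from this thread.
# It reproduces the arithmetic behind the issue: a UID inside a user
# namespace is backed by a host UID taken from the namespace's uid_map,
# so two containers with disjoint maps give the same UID_INSIDE two
# different host owners, while containers sharing one map do not.
#
# Maps use the three-column format of /proc/<pid>/uid_map:
#   inside_start outside_start count
# The two maps below are constructed sample data (assumed ranges, as
# --userns=auto might hand out), not values read from a real system.
MAP_A="0 100000 65536"
MAP_B="0 165536 65536"

# map_uid INSIDE_UID MAP: print the host UID backing INSIDE_UID, or
# return 1 when the UID falls outside every range (unmapped; such a UID
# shows up on the host as the kernel overflow UID, 65534 by default).
map_uid() {
    host=$(printf '%s\n' "$2" | while read -r in_start out_start count; do
        [ -z "$in_start" ] && continue
        if [ "$1" -ge "$in_start" ] && [ "$1" -lt $((in_start + count)) ]; then
            echo $((out_start + $1 - in_start))
            break
        fi
    done)
    [ -n "$host" ] || return 1
    echo "$host"
}

# prechown_command INSIDE_UID MAP HOST_PATH: the manual step the reporter
# runs before `podman run`, rendered as text because it needs root on
# the host. Assumes the GID map mirrors the UID map (gid_map is a
# separate file in the kernel; check it too on a real system).
prechown_command() {
    host_uid=$(map_uid "$1" "$2") || return 1
    echo "chown -R $host_uid:$host_uid $3"
}

# Same UID_INSIDE (5) in two containers: shared map -> shared host owner,
# disjoint maps -> distinct host owners.
echo "container A, UID 5 -> host UID $(map_uid 5 "$MAP_A")"
echo "container A again, UID 5 -> host UID $(map_uid 5 "$MAP_A")"
echo "container B, UID 5 -> host UID $(map_uid 5 "$MAP_B")"
prechown_command 5 "$MAP_A" /srv/app-a
prechown_command 5 "$MAP_B" /srv/app-b
# The :U volume suffix plus --userns=auto discussed above lets podman pick
# a disjoint map and do the chown itself (assumed command shape; confirm
# against `man podman-run` for your version):
#   podman run --userns=auto -v /srv/app-a:/data:U IMAGE
```

Run it with `sh`. On a real host the map would come from `/proc/<pid>/uid_map` of the container's init process rather than a constant, and `gid_map` would be consulted separately for the group owner.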
Interested in opening a PR?
Who? Me? I am only here to ask nicely :) I am fairly new to podman and asked on the IRC channel if something like this would be possible with podman when @vrothberg suggested to me to open this issue.
Sure, we always ask. We are looking for people to fix code; maybe someone else will grab this, or we will get a core maintainer on it.
@rhatdan I would like to help on this one.
@EduardoVega Thanks for volunteering! I've just assigned the issue to you and have added the "In Progress" label to the issue.
@EduardoVega Any progress on this?
@rhatdan Hi. I should be able to send something today/tomorrow.
A friendly reminder that this issue had no activity for 30 days. |
This is still being worked on in buildah.
A friendly reminder that this issue had no activity for 30 days. |
Merged into Buildah, now being worked on in Podman. |
A friendly reminder that this issue had no activity for 30 days. |
@EduardoVega Can you start working on getting the "U" into podman? |
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind feature
Description
Currently users of the same UID are always mapped to the same user on the host. User foo (UID 5) of imageA would be the same user as user bar (UID 5) of imageB. Since UIDs are given out sequentially, it's fairly common that two arbitrary images would end up with users with the same ID.
When using bind mounts it might be desirable to chown the folders to unique UIDs (before starting the container), so that namespace separation can be maintained on the filesystem level too.
Podman could help to keep track of UIDs used in running containers and (optionally) make sure that every ID is only used once. Analogous to the way PIDs on the host work, basically.