rootless: require subids to be present #1097
Conversation
Most images won't work without multiple ids/gids. Error out immediately if there are no multiple ids available.

The error code when the user is not present in /etc/sub{g,u}id looks like:

$ bin/podman run --rm -ti alpine echo hello
ERRO[0000] No subuid ranges found for user "gscrivano"

Closes: containers#1087

Signed-off-by: Giuseppe Scrivano <[email protected]>
8bddbcf to 6bfa834
@@ -104,6 +104,9 @@ func BecomeRootInUserNS() (bool, int, error) { | |||
var uids, gids []idtools.IDMap | |||
username := os.Getenv("USER") | |||
mappings, err := idtools.NewIDMappings(username, username) | |||
if err != nil && os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" { |
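Review bot: the lookup keys the subordinate-ID search on os.Getenv("USER") (username := os.Getenv("USER")), so the new hard error in the `if err != nil && os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" {` branch fires whenever $USER is unset or stale (cron jobs, `su` without `-`, sanitized environments) even when /etc/subuid and /etc/subgid carry a valid entry for the real uid; derive the name from the real uid instead, e.g. user.LookupId(strconv.Itoa(os.Getuid())), or at least fall back to it when $USER is empty. The same condition also makes the undocumented PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS variable a silent bypass of the check from any caller's environment; since it is intended for CI only, either document it as a test-only knob or restrict it so it cannot be set from a normal shell.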
nit: would be nice if the env var was documented (if you mean to support it, if not, feel free to ignore this comment)
ah no, this is a hack just to make the CI happy with a single user. We will need to test the multiple uids/gids feature, probably not as part of the integration tests.
LGTM
If podman knows that it is running as non root, can it look for the current UID of the user in /etc/subuid and /etc/subgid, and report the problem if they don't exist?

grep dwalsh /etc/subuid || echo "This will not work"

LGTM
yes, this is what we currently do, before we re-exec into the user namespace we retrieve the subuids/subgids for the user. Before we didn't raise an error to accommodate the CI, but this PR changes it to be an error (something like "ERRO[0000] No subuid ranges found for user "gscrivano""), the env variable that allows a single user to be mapped inside the container is used and should be used only by the CI.

Ok thanks for the explanation.
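A stand-alone version of the pre-exec check described above, added here as an example and not code from podman or this PR (the hunk delegates the lookup to idtools.NewIDMappings; this is a separate, simplified parser). It reads /etc/subuid-style text, accepts entries keyed by either the name or the numeric ID as shadow-utils does, and fails with the same message the PR prints when a range is missing. The IDRange and requireSubIDs names, the file paths in main, and the sample entries used to exercise it are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"os/user"
	"strconv"
	"strings"
)

// IDRange is one subordinate ID range from /etc/subuid or /etc/subgid:
// the user may map Size consecutive IDs starting at HostStart.
type IDRange struct {
	HostStart int
	Size      int
}

// parseSubIDs scans text in /etc/subuid or /etc/subgid format
// ("name_or_id:start:count" per line; '#' comments and blank lines are
// skipped) and returns every range whose first field is either the
// user/group name or its numeric ID, since shadow-utils accepts both.
func parseSubIDs(r io.Reader, name string, id int) ([]IDRange, error) {
	var ranges []IDRange
	idStr := strconv.Itoa(id)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ":")
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed subid entry %q", line)
		}
		if fields[0] != name && fields[0] != idStr {
			continue
		}
		start, err := strconv.Atoi(fields[1])
		if err != nil || start < 0 {
			return nil, fmt.Errorf("bad start in subid entry %q", line)
		}
		size, err := strconv.Atoi(fields[2])
		if err != nil || size <= 0 {
			return nil, fmt.Errorf("bad count in subid entry %q", line)
		}
		ranges = append(ranges, IDRange{HostStart: start, Size: size})
	}
	return ranges, sc.Err()
}

// requireSubIDs is the check a rootless engine would run before
// re-executing in a user namespace: it fails, with a message like the
// one in this PR, unless at least one subuid and one subgid range exist.
func requireSubIDs(subuid, subgid io.Reader, name string, uid, gid int) ([]IDRange, []IDRange, error) {
	uids, err := parseSubIDs(subuid, name, uid)
	if err != nil {
		return nil, nil, err
	}
	if len(uids) == 0 {
		return nil, nil, fmt.Errorf("No subuid ranges found for user %q", name)
	}
	gids, err := parseSubIDs(subgid, name, gid)
	if err != nil {
		return nil, nil, err
	}
	if len(gids) == 0 {
		return nil, nil, fmt.Errorf("No subgid ranges found for user %q", name)
	}
	return uids, gids, nil
}

// main runs the check against the real files (paths assumed) for the
// invoking user. The name is derived from the real uid rather than
// $USER so that a missing or stale environment variable cannot cause a
// false failure.
func main() {
	uid, gid := os.Getuid(), os.Getgid()
	u, err := user.LookupId(strconv.Itoa(uid))
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot resolve uid:", err)
		os.Exit(1)
	}
	subuid, err := os.Open("/etc/subuid")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer subuid.Close()
	subgid, err := os.Open("/etc/subgid")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer subgid.Close()
	uids, gids, err := requireSubIDs(subuid, subgid, u.Username, uid, gid)
	if err != nil {
		fmt.Fprintln(os.Stderr, "ERRO", err)
		os.Exit(1)
	}
	fmt.Printf("subuid ranges: %+v\nsubgid ranges: %+v\n", uids, gids)
}
```

Resolving the name from the real uid with user.LookupId is the point Dan's grep suggestion makes: the check should key off who the process actually runs as, not off an environment variable the caller controls. Matching both the name and the numeric ID matters because an entry written as "1000:200000:65536" is valid in /etc/subuid but would be missed by a name-only grep.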
📌 Commit 6bfa834 has been approved by |
⚡ Test exempted: pull fully rebased and already tested. |