Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

volumes: add new option idmap #12298

Merged

Conversation

giuseppe
Copy link
Member

pass down the "idmap" mount option to the OCI runtime.

Needs: containers/crun#780

Closes: #12154

[NO NEW TESTS NEEDED] there is no crun version yet that support the
new feature.

Test case (must run as root):

podman run --rm -v foo:/foo alpine touch /foo/bar

podman run --uidmap 0:1:1000 --rm -v foo:/foo:idmap alpine ls -l /foo
total 0
-rw-r--r-- 1 root root 0 Nov 15 14:01 bar

Signed-off-by: Giuseppe Scrivano [email protected]

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 15, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 15, 2021
@giuseppe giuseppe force-pushed the idmapped-bind-mounts branch from 36a8b8a to 3170904 Compare November 15, 2021 14:16
@giuseppe
Copy link
Member Author

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 15, 2021
giuseppe added a commit to giuseppe/common that referenced this pull request Nov 15, 2021
needed by containers/podman#12298

Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe
Copy link
Member Author

c/common PR: containers/common#827

@@ -33,6 +33,10 @@ func ProcessOptions(options []string, isTmpfs bool, sourcePath string) ([]string
// Some options have parameters - size, mode
splitOpt := strings.SplitN(opt, "=", 2)
switch splitOpt[0] {
case "idmap":
if len(options) > 1 {
return nil, errors.Wrapf(ErrDupeMntOption, "'idmap' option can not be used with other options")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've copied the same logic as O.

I'll drop it

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am just wondering if this would be an issue with Z, or RO?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-v foo:/foo:idmap,Z seems to work fine

@@ -649,7 +651,9 @@ Current supported mount TYPEs are **bind**, **volume**, **image**, **tmpfs** and

. relabel: shared, private.

. U, chown: true or false (default). Change recursively the owner and group of the source volume based on the UID and GID of the container.
· idmap: true or false (default). If specified create an idmapped mount to the target user namespace in the container.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
· idmap: true or false (default). If specified create an idmapped mount to the target user namespace in the container.
· idmap: true or false (default). If specified, create an idmapped mount to the target user namespace in the container.

@giuseppe giuseppe force-pushed the idmapped-bind-mounts branch from 018805f to 1bc19be Compare November 18, 2021 08:18
@openshift-ci openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 18, 2021
@giuseppe giuseppe force-pushed the idmapped-bind-mounts branch from 1bc19be to a18624d Compare November 18, 2021 08:19
@openshift-ci openshift-ci bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 18, 2021
@giuseppe
Copy link
Member Author

comments addressed and pushed a new version

@rhatdan
Copy link
Member

rhatdan commented Nov 18, 2021

Tests are failing.

pass down the "idmap" mount option to the OCI runtime.

Needs: containers/crun#780

Closes: containers#12154

[NO NEW TESTS NEEDED] there is no crun version yet that support the
new feature.

Test case (must run as root):

podman run --rm -v foo:/foo alpine touch /foo/bar

podman run --uidmap 0:1:1000 --rm -v foo:/foo:idmap alpine ls -l /foo
total 0
-rw-r--r--    1 root     root             0 Nov 15 14:01 bar

Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe giuseppe force-pushed the idmapped-bind-mounts branch from a18624d to e83d366 Compare November 18, 2021 16:01
@giuseppe
Copy link
Member Author

rebased

@giuseppe
Copy link
Member Author

All green

@TomSweeneyRedHat
Copy link
Member

LGTM
and as @giuseppe noted, happy green test buttons.

@rhatdan
Copy link
Member

rhatdan commented Nov 18, 2021

/lgtm
/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 18, 2021
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 18, 2021
@openshift-merge-robot openshift-merge-robot merged commit 82a050a into containers:main Nov 18, 2021
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Shared mounts with UID/GID mapping
4 participants