podman: add uid and gid options to keep-id #15389
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe The full list of commands accepted by this bot can be found here. The pull request process is described here
f466619 to d342bf7
Rebasing will fix CI
I like the idea, but this makes a lot of assumptions around the user knowing the UID inside of the container to run with. `podman run --userns=keep-id:user ...` would be nicer, but as you say, you would need to do a lot more diagnosing to figure this out if the container runs as the mysql user.
d342bf7 to 995d0a1
Changes LGTM, but I'll let @rhatdan give the final approval.
changes LGTM
rebased, tests are green now
995d0a1 to a4ba829
LGTM
@edsantiago PTAL
You went with the version from podman-create, which LGTM.
One change request, and lots of pointing-outs for those not running markdown-preprocess-review.
Thank you for doing this! This is one option that I could not do on my own.
Podman allocates unique ranges of UIDs and GIDs from the `containers` subordinate user ids. The size of the ranges is based on the number of UIDs required in the image. The number of UIDs and GIDs can be overridden with the `size` option. | ||
The rootless option `--userns=keep-id` uses all the subuids and subgids of the user. Using `--userns=auto` when starting new containers will not work as long as any containers exist that were started with `--userns=keep-id`. |
This line does not appear in any other file (podman-create, podman-kube-play) and was not selected for the final winner.
Example: `containers:2147483647:2147483648`. | ||
Podman allocates unique ranges of UIDs and GIDs from the `containers` subordinate user ids. The size of the ranges is based on the number of UIDs required in the image. The number of UIDs and GIDs can be overridden with the `size` option. The `auto` options currently does not work in rootless mode |
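Review bot: the closing sentence of this line, "The `auto` options currently does not work in rootless mode", has a subject/verb mismatch ("options ... does") and, as the author confirms further down in this thread, is wrong since `--userns=auto` does work in rootless mode; drop the sentence entirely rather than fixing the grammar, which also brings this copy in line with the podman-run text that never had it.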
The final sentence ("auto options ... rootless mode") does not appear in the podman-run file. It does appear in podman-create and podman-kube-play and here (in the winner). Someone please confirm that it is applicable to podman-run also.
oh that is a mistake, it works in rootless mode. I'll drop it
**container:**_id_: join the user namespace of the specified container. | ||
**host**: create a new namespace for the container. |
This text loses out. Someone please double-check that the new text is applicable to kube-play.
**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user. | ||
**ns:**_namespace_: run the container in the given existing user namespace. |
Please change this to <<container|pod>>
this is the path to an existing namespace. It can have the form /proc/$PID/ns/user
as well as a path on the file system which pins an existing user namespace.
I'm sorry, I don't understand how this addresses my request. I'll try to restate it in diff form:
- ...run the container in
+ ...run the <<container|pod>> in
Reason: you are including this new file in podman-kube-play, which talks in terms of pods, not containers.
I strongly encourage you to run hack/markdown-preprocess-review to verify your man-page changes. (Requires dnf install diffuse).
This is still not addressed in your latest push. Is that an oversight, or is it deliberate?
sorry, my fault. I misunderstood your comment earlier. I assumed it was about the _namespace_ bit.
I've fixed it now and pushed a new version.
bud test failure is the nasty
ping, this is awaiting input from a
add two new options to the keep-id user namespace option:
- uid: allow to override the UID used inside the container.
- gid: allow to override the GID used inside the container.

For example, the following command will map the rootless user (that has UID=0 inside the rootless user namespace) to the UID=11 inside the container user namespace:

$ podman run --userns=keep-id:uid=11 --rm -ti fedora cat /proc/self/uid_map
0 1 11
11 0 1
12 12 65525

Closes: containers#15294
Signed-off-by: Giuseppe Scrivano <[email protected]>
a4ba829 to 898b157
addressed the comments and pushed a new version
898b157 to 8637548
@vrothberg could you PTAL at this flake when you get in Wednesday? Ubuntu rootless, and it looks like the recent RHEL7 conmon bug:
/lgtm
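As an added example (not podman's own code and not part of this PR), the Python below reproduces the `uid_map` layout that `--userns=keep-id:uid=11` prints in the commit message, generalised to any target uid, parses the `/proc/<pid>/uid_map` format, and translates ids through the result; it assumes, as the third row of that output implies, that the rootless user namespace holds 1 + 65536 ids (the user plus a 65536-id subuid range). The same layout applies to `gid_map` for the `gid=` option.

```python
# Added example, not podman's implementation: rebuild the keep-id idmap
# for a chosen in-container uid and translate ids through it. Assumes the
# rootless namespace is 65537 ids wide (user + 65536 subuids), matching
# the "12 12 65525" row quoted in the commit message.
from typing import List, Tuple

IdMap = List[Tuple[int, int, int]]  # rows of (container_id, parent_id, count)


def keep_id_map(target: int, ns_size: int = 65537) -> IdMap:
    """Idmap in which the rootless user (parent id 0) appears as `target`
    inside the container and every other parent id stays reachable."""
    if not 0 <= target < ns_size:
        raise ValueError(f"uid {target} lies outside the {ns_size}-id namespace")
    rows: IdMap = []
    if target > 0:
        rows.append((0, 1, target))  # container [0, target) -> parent [1, target]
    rows.append((target, 0, 1))  # container target -> parent 0, the rootless user
    if target + 1 < ns_size:
        # container [target+1, ns_size) -> same parent ids (identity)
        rows.append((target + 1, target + 1, ns_size - target - 1))
    return rows


def parse_id_map(text: str) -> IdMap:
    """Parse /proc/<pid>/uid_map or gid_map: three integers per row."""
    rows: IdMap = []
    for line in text.splitlines():
        if line.strip():
            start, parent, count = (int(f) for f in line.split())
            rows.append((start, parent, count))
    return rows


def to_parent(rows: IdMap, container_id: int) -> int:
    """Translate an id seen inside the container to the parent namespace.
    Unmapped ids raise; the kernel shows them as the overflow id instead."""
    for start, parent, count in rows:
        if start <= container_id < start + count:
            return parent + (container_id - start)
    raise LookupError(f"container id {container_id} is not mapped")


# Output quoted from the commit message for `--userns=keep-id:uid=11`.
UID_MAP_FROM_COMMIT = "0 1 11\n11 0 1\n12 12 65525\n"

if __name__ == "__main__":
    assert keep_id_map(11) == parse_id_map(UID_MAP_FROM_COMMIT)
    print(keep_id_map(1000))  # plain keep-id layout for a user with uid 1000
```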