How to share files between rstudio/rocker and external folders with podman #346
Comments
As you read this explanation, you may find it worthwhile to try changing the UID and GID of rstudio users by setting the following two options.
rocker-versioned2/scripts/init_userconf.sh Lines 7 to 8 in eef72ff
https://www.rocker-project.org/use/managing_users/
@agila5 yeah, this is tricky in podman as you say. In standard docker runtime this is relatively simple, since the container has root permissions we can remap the rstudio user inside the container to the desired UID/GIDs provided, as you see in the script linked above. Actually I'm impressed you found a work-around in podman at all, and thanks for sharing it here! It does look a little cumbersome but not too bad, and may be a great help to any of our other podman users. If anyone does have a better solution in podman I'd love to see it too.
rstudio on podman: workaround 2
description
podman, in root-less mode, implements a different user-mapping than docker. The "mapping" problem with rstudio is caused by the introduction of an "unprivileged" container user that owns the rsession behind rstudio-server (user rstudio, uid=1000, gid=1000). A possible solution is to run the container directly as user "root". This setting looks like a security hole, but in practice is much more secure than the docker (dangerous) practice of unrestricted daemon access (group docker membership), which is more insecure than "sudo NOPASSWD".
workaround
To run as root, a small patch is required in the image, in rserver.conf, to enable uid=0 execution:
to run the image a possible command could be:
NOTE podman rootless requires
example
file access
in container (rstudio terminal)
in host, as outer normal user
processes
in container
in host
rocker-versioned2/scripts/init_userconf.sh Lines 32 to 41 in 89d36d2
I am wondering if there is no need to set a lower limit to 499 here.
I'm working on a project template that supports rstudio (with git support) running in a rootless podman image.
Here, during image build I run this script to enable the internal root user in a (rootless) podman container. My only issue is that, when I run this on an Azure VM, the
Detected suspicious use of the useradd command
Notes
@hute37 Thank you for sharing this!
I have found a way to run the rocker image rootless with podman and share a folder (without having to run rstudio as root in the container). All praise goes to Erik Sjölund https://lists.podman.io/archives/list/[email protected]/thread/PZZQU2YDGVBHKONNXPMDVXHEBFGWGL3W/ I am not sure I fully understand the intermediate mapping of uid, but it seems to work flawlessly. From the mailing post, slightly modified for the rocker tidyverse latest image.
Here is an example bash script using tidyverse:latest. I use it to spawn pet containers "on demand". I can open as many as I want on different ports, and work on different projects at the same time (I use firefox temp containers to open each rstudio-rserver at the same time). BE CAREFUL: it disables authentication of the rstudio server!
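The id-mapping recipe from Erik Sjölund's mailing-list thread, reconstructed here as an added example; this is not the script posted above (which is not reproduced on this page) and not rocker's own code. It assumes podman with `--uidmap`/`--gidmap` support, an `/etc/subuid` and `/etc/subgid` entry granting the user 65536 sub-ids, the rocker images' `rstudio` user at uid/gid 1000, and rocker's `PASSWORD` environment variable for the login, so that authentication stays enabled and the server is bound to localhost only. The `rocker_idmap_args`, `subid_count` and `idmap_fits` helper names and the `ROCKER_RUN` switch are this example's own.

```shell
#!/bin/sh
# Added example, not the script from the thread: build the rootless-podman
# id mapping that makes the container's "rstudio" user (uid/gid 1000 in the
# rocker images) the same identity as the host user running podman, so files
# in a bind-mounted folder are owned by that host user on both sides.
#
# Assumptions (not stated on the page): podman with --uidmap/--gidmap support,
# /etc/subuid and /etc/subgid entries granting the user 65536 sub-ids, and
# rocker's PASSWORD environment variable for the rstudio-server login.

# Print the --uidmap/--gidmap flags for the three-segment mapping.
#   $1 = container uid/gid that should become the host user (default 1000)
#   $2 = number of sub-ids granted in /etc/subuid and /etc/subgid (default 65536)
# Rootless podman first maps the host user to intermediate id 0 and the sub-id
# range to intermediate ids 1..$2; --uidmap/--gidmap then remap on top of that:
#   segment 1: container $1        -> intermediate 0        (the host user)
#   segment 2: container 0..$1-1   -> intermediate 1..$1
#   segment 3: container $1+1..$2  -> intermediate $1+1..$2
rocker_idmap_args() {
    cuid="${1:-1000}"
    count="${2:-65536}"
    after=$((cuid + 1))
    rest=$((count - cuid))
    uid_flags="--uidmap $cuid:0:1 --uidmap 0:1:$cuid --uidmap $after:$after:$rest"
    gid_flags="--gidmap $cuid:0:1 --gidmap 0:1:$cuid --gidmap $after:$after:$rest"
    printf '%s' "$uid_flags $gid_flags"
}

# Sum the sub-ids granted to user $2 in a subuid/subgid-style file $1
# (lines of the form name:start:count); a user may have several lines.
subid_count() {
    awk -F: -v u="$2" '$1 == u { n += $3 } END { print n + 0 }' "$1"
}

# Succeed if $1 sub-ids are enough for container id $2 plus at least one id
# above it (segment 3 must not be empty).
idmap_fits() {
    [ "$1" -ge "$(( $2 + 1 ))" ]
}

# Launch rocker/tidyverse with the mapping, bound to localhost only (reach it
# remotely through ssh port forwarding, as the thread advises).
# Set ROCKER_RUN=1 to actually start the container; the password is a placeholder.
if [ "${ROCKER_RUN:-0}" = 1 ]; then
    me="$(id -un)"
    for f in /etc/subuid /etc/subgid; do
        if ! idmap_fits "$(subid_count "$f" "$me")" 1000; then
            echo "not enough sub-ids for $me in $f" >&2
            exit 1
        fi
    done
    # shellcheck disable=SC2046  # the flags are meant to be word-split
    podman run --rm -d --name rstudio-project \
        -p 127.0.0.1:8787:8787 \
        -e PASSWORD=CHANGE-ME-PLACEHOLDER \
        -v "$PWD:/home/rstudio/project:Z" \
        $(rocker_idmap_args 1000) \
        docker.io/rocker/tidyverse:latest
fi
```

Inside the container, `rserver` still starts as root (container uid 0, which lands on the first sub-id on the host rather than on the real root), while everything the `rstudio` session writes into `/home/rstudio/project` appears on the host as the invoking user. You can confirm the mapping podman applied with `podman exec rstudio-project cat /proc/1/uid_map`.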
In the "workaround 2" above, there is a problem related to the user login (as root) made by the rstudio-server. Running podman with
In a practical scenario, I had to share a (cifs) mounted drive among several users, all belonging to the same "data" group. Running the server in
I'll try the script for the "data sharing problem" ... warning: a password-less terminal-enabled web server must be bound to localhost on a "single-user"[1] machine, remotely accessible via ssh port forwarding. In any case (root or not), you have to consider the possible uploading of your ssh GitHub pipeline-enabled private keys to a malicious server, hidden inside some dependent package you install in rstudio ...
Footnotes
Dear all, I have one question regarding the use of rocker/rstudio with podman in rootless mode.
I noticed that, by default, the external files are not writable from Rstudio (and vice versa) since only the owner of those files has write access and, by default, the owner is not the rstudio user used within the container.
By default, podman maps the external user group to root user group UID/GID 0 while the rstudio user has UID/GID 1000.
The only workaround we found is:
Do you know if there is an easier solution?