Add new --userns flag --userns=sync-id #15294
Assignees
Labels
locked - please file new issue/PR
Assist humans wanting to comment on an old issue or PR with locked comments.
Comments
rhatdan
changed the title
|
What do you think of --userns=sync-id? |
|
I linked a use case on a MAC that we are hitting now, where a container wants to create files on a volume that do not match the UID of the user running Podman. It is failing since the :U is not allowed on a mac file system. |
|
I suggested this a while back, but there has been a general lack of interest. No objection to adding it. |
|
Well I guess I did not pay attention to you. :^( |
giuseppe
added a commit
to giuseppe/libpod
that referenced
this issue
Aug 19, 2022
add two new options to the keep-id user namespace option:
- uid: allow to override the UID used inside the container.
- gid: allow to override the GID used inside the container.
For example, the following command will map the rootless user (that
has UID=0 inside the rootless user namespace) to the UID=11 inside the
container user namespace:
$ podman run --userns=keep-id:uid=11 --rm -ti fedora cat /proc/self/uid_map
0 1 11
11 0 1
12 12 65525
Closes: containers#15294
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
it is not a complete solution but I've opened a PR to add the Solving the problem in a completely automatic way would require more steps. We need to mount the container storage to parse the |
giuseppe
added a commit
to giuseppe/libpod
that referenced
this issue
Aug 19, 2022
add two new options to the keep-id user namespace option:
- uid: allow to override the UID used inside the container.
- gid: allow to override the GID used inside the container.
For example, the following command will map the rootless user (that
has UID=0 inside the rootless user namespace) to the UID=11 inside the
container user namespace:
$ podman run --userns=keep-id:uid=11 --rm -ti fedora cat /proc/self/uid_map
0 1 11
11 0 1
12 12 65525
Closes: containers#15294
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
added a commit
to giuseppe/libpod
that referenced
this issue
Aug 19, 2022
add two new options to the keep-id user namespace option:
- uid: allow to override the UID used inside the container.
- gid: allow to override the GID used inside the container.
For example, the following command will map the rootless user (that
has UID=0 inside the rootless user namespace) to the UID=11 inside the
container user namespace:
$ podman run --userns=keep-id:uid=11 --rm -ti fedora cat /proc/self/uid_map
0 1 11
11 0 1
12 12 65525
Closes: containers#15294
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
added a commit
to giuseppe/libpod
that referenced
this issue
Aug 19, 2022
add two new options to the keep-id user namespace option:
- uid: allow to override the UID used inside the container.
- gid: allow to override the GID used inside the container.
For example, the following command will map the rootless user (that
has UID=0 inside the rootless user namespace) to the UID=11 inside the
container user namespace:
$ podman run --userns=keep-id:uid=11 --rm -ti fedora cat /proc/self/uid_map
0 1 11
11 0 1
12 12 65525
Closes: containers#15294
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
added a commit
to giuseppe/libpod
that referenced
this issue
Aug 22, 2022
add two new options to the keep-id user namespace option:
- uid: allow to override the UID used inside the container.
- gid: allow to override the GID used inside the container.
For example, the following command will map the rootless user (that
has UID=0 inside the rootless user namespace) to the UID=11 inside the
container user namespace:
$ podman run --userns=keep-id:uid=11 --rm -ti fedora cat /proc/self/uid_map
0 1 11
11 0 1
12 12 65525
Closes: containers#15294
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
added a commit
to giuseppe/libpod
that referenced
this issue
Aug 24, 2022
add two new options to the keep-id user namespace option:
- uid: allow to override the UID used inside the container.
- gid: allow to override the GID used inside the container.
For example, the following command will map the rootless user (that
has UID=0 inside the rootless user namespace) to the UID=11 inside the
container user namespace:
$ podman run --userns=keep-id:uid=11 --rm -ti fedora cat /proc/self/uid_map
0 1 11
11 0 1
12 12 65525
Closes: containers#15294
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
added a commit
to giuseppe/libpod
that referenced
this issue
Aug 30, 2022
add two new options to the keep-id user namespace option:
- uid: allow to override the UID used inside the container.
- gid: allow to override the GID used inside the container.
For example, the following command will map the rootless user (that
has UID=0 inside the rootless user namespace) to the UID=11 inside the
container user namespace:
$ podman run --userns=keep-id:uid=11 --rm -ti fedora cat /proc/self/uid_map
0 1 11
11 0 1
12 12 65525
Closes: containers#15294
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
github-actions
bot
added
the
locked - please file new issue/PR
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Basically currently we default in rootless users UID to root user.
--userns=keep-id maps your UID outside of container to UID inside of container.
--userns=keep-id-app would map your UID to the default UID of the app run within the container.
Meaning
IE On the host my UID 3267 ends up getting mapped to UID 1234 inside of the container.
The benefit of this is it would fix issues like
#15292
The text was updated successfully, but these errors were encountered: