chown: use overflow id as fallback when chowning #1220
Conversation
giuseppe
force-pushed
the
chown-to-overflow-id
branch
3 times, most recently
from
3c4d211
to
52b4926
Compare
|
What happens if I have no UIDs in /etc/subuid, does this effectively do ignore_chown? Or is this different? |
|
LGTM |
they happen in two different times. ignore_chown is needed when a rootless user pulls an image in its initial user namespace (the The use case I am trying to address here instead is when an image already present in the storage must be chowned before it can be used in a user namespace. In this case, both for rootful and rootless, the user specifies the user namespace mappings or size (through I think in this case we should not error out but do what the user asked to do. We need to fit the image in the specified mappings and if something cannot be mapped then use the overflow IDs. |
|
Should we at least logrus.Warnf? |
I'd expect that to be too verbose when used from CRI-O. Maybe Debugf? |
|
Ok add debugf. |
giuseppe
force-pushed
the
chown-to-overflow-id
branch
from
52b4926
to
9d6dd12
Compare
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
add a new function ToHostOverflow() that instead of raising an error when the mapping is not possible in the target user namespace, fall back to using the overflow ID. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
when chowning an image, fall back to the overflow ID when a UID or GID cannot be mapped to the target user namespace. This ensures the chown driver works similar to what we do with idmapped mounts when it is supported for overlay. It is needed for CRI-O to support user namespaces in Kubernetes since the Kubelet picks a static size for the user namespace and it might break some images using IDs outside the picked range. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe
force-pushed
the
chown-to-overflow-id
branch
from
9d6dd12
to
28c166f
Compare
added |
|
What's the intent of the |
I've seen this test failing multiple times, and it wasn't clear where exactly it was failing, so the intent is to make it clearer. If you don't like it, I can open a PR to revert the change |
|
The intent wasn't documented, AFAICT, anywhere, which means there's nothing preventing another maintainer from concluding that it was done on a whim, and then quietly reverting it if we do another rebase onto from moby's version. |
when chowning an image, fall back to the overflow ID when a UID or GID cannot be mapped to the target user namespace.
This ensures the chown driver works similar to what we do with idmapped mounts when it is supported for overlay.
It is needed for CRI-O to support user namespaces in Kubernetes since the Kubelet picks a static size for the user namespace and it might break some images using IDs outside the picked range.
Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com