Add support without user namespaces to --user flag #3561
Comments
This should be working already via
I think we need to figure out exactly what interaction between user namespaces and parallel filesystems is blowing us up. Is this a kernel-level thing where any contact between the two is EPERM? Or is this just a user-mapping thing that we can solve by changing how we access content in /home?
@mheon this is the exact same problem as user namespaces on NFS. It simply doesn't work at all, and won't without updates to the protocol. We're (I work with @jwflory) looking for a way to disable user namespaces and run a container as a single user / group. The problem is that user namespaces don't work on shared filesystems. We'd like to be able to disable them for certain workloads. @giuseppe talked with us via VC about this yesterday.
Should this be an RFE and titled something like "add ability to disable user namespaces"?
Ahhh, I think I understand where we're coming from now. I think there are definitely some obstacles to work through here, but it'd be properly neat to be able to launch without user namespaces - truly unprivileged containers, no setuid binaries or added caps anywhere.
I think we need @giuseppe to comment on this one.
It is not possible for an unprivileged user to set up a container without user namespaces. Without a user namespace the user won't even be able to set up the mount namespace or do a pivot_root/chroot inside the rootfs. What I was suggesting is to force a user namespace with a single user mapped inside. Podman already does it by default if there are no additional UIDs/GIDs defined in the /etc/sub{u,g}id files. The issue with remote file systems happens when you have multiple IDs in the container, so you must either ensure there are no additional IDs defined or force it with Setting
@giuseppe can you also add that to the documentation somewhere? There is nowhere other than this ticket that it is very obvious to do that. It would be nice if it was somewhere sensible. Where would make the most sense?
Any news for support on the pull command?
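The comment above says Podman only maps extra IDs into the container's user namespace when the user has ranges in /etc/subuid and /etc/subgid, and that those extra IDs are what breaks on NFS/GPFS. The following POSIX shell snippet is an added example, not code from the issue or from the Podman project: it parses subuid-style data and reports whether a given user would get a single-ID or multi-ID mapping. The sample data is constructed; on a real host you would feed it the contents of /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Added example (not from the issue thread or Podman): inspect
# /etc/subuid-style data to see whether a user has subordinate ID
# ranges. No ranges -> Podman maps just the single user (the mode that
# works on shared filesystems); one or more ranges -> multiple IDs
# appear inside the container, which is what fails on NFS/GPFS.

# Constructed sample content; not a real /etc/subuid.
SAMPLE_SUBUID='alice:100000:65536
bob:165536:65536
'

# subid_count USER DATA
# Prints the number of usable range entries (count > 0) for USER.
subid_count() {
  printf '%s' "$2" | awk -F: -v u="$1" \
    '$1 == u && $3 > 0 { n++ } END { print n + 0 }'
}

# userns_mode USER DATA
# Prints "single" when USER has no subordinate ranges (only the user's
# own UID is mapped) and "multi" when extra ranges would be mapped.
userns_mode() {
  if [ "$(subid_count "$1" "$2")" -eq 0 ]; then
    echo single
  else
    echo multi
  fi
}

# Example usage with the constructed data:
#   userns_mode alice "$SAMPLE_SUBUID"  -> multi
#   userns_mode carol "$SAMPLE_SUBUID"  -> single
```

To check a real host, replace the constructed string with `$(cat /etc/subuid)` for the user in question and repeat with /etc/subgid for groups; a result of "multi" means a container run by that user will contain IDs beyond the user's own, so shared-filesystem paths mounted into it are the ones to expect EPERM on.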
This issue had no activity for 30 days. In the absence of activity or the "do-not-close" label, the issue will be automatically closed within 7 days. |
Support for squashing down to a single user has been added to Podman, which ought to resolve this.
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind feature
Description
docker run has the --user flag for specifying the default user of a container. This is a useful flag if you want to run a single-user/single-group container:
docker run --user=${username}:${group} --rm -it registry.fedoraproject.org/fedora:latest bash
It also does this without using user namespaces.
A user story:
Additional environment details (AWS, VirtualBox, physical, etc.):
I see this as being another workaround for #3478, along with containers/storage#383, without going to NFS / GPFS to add support for user namespaces.