Add support without user namespaces to --user flag #3561

Closed
jwflory opened this issue Jul 11, 2019 · 11 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. stale-issue

Comments

@jwflory
Contributor

jwflory commented Jul 11, 2019

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

docker run has the --user flag for specifying the default user of a container. This is a useful flag if you want to run a single-user/single-group container:

docker run --user=${username}:${group} --rm -it registry.fedoraproject.org/fedora:latest bash

It also does this without using user namespaces.

A user story:

User Justin is interested in evaluating the latest Tensorflow nightly image. He wants to use the upstream Docker Hub image and run it in an HPC environment as user jwflory without changing the Docker image or rolling his own.

Additional environment details (AWS, VirtualBox, physical, etc.):

I see this as being another workaround for #3478, along with containers/storage#383, without going to NFS / GPFS to add support for user namespaces.

@openshift-ci-robot openshift-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jul 11, 2019
@mheon
Member

mheon commented Jul 11, 2019

This should be working already via podman run --user

@jwflory jwflory changed the title Add Docker-equivalent of --user flag for setting default user of container Add support without user namespaces to --user flag Jul 11, 2019
@mheon
Member

mheon commented Jul 11, 2019

I think we need to figure out exactly what interaction between user namespaces and parallel filesystems is blowing us up.

Is this a kernel-level thing where any contact between the two is EPERM? Or is this just a user-mapping thing that we can solve by changing how we access content in /home?

@SEJeff

SEJeff commented Jul 11, 2019

@mheon this is the exact same problem as user namespaces on nfs. It simply doesn't work at all, and won't without updates to the protocol. We're (I work with @jwflory) looking for a way to disable user namespaces and run a container as a single user / group. The problem is that user namespaces don't work on shared filesystems. We'd like to be able to disable them for certain workloads.

@giuseppe talked with us via VC about this yesterday.

@baude
Member

baude commented Jul 11, 2019

should this be an RFE and titled something like "add ability to disable user namespaces"?

@mheon
Member

mheon commented Jul 11, 2019

Ahhh, I think I understand where we're coming from now. I think there are definitely some obstacles to work through here, but it'd be properly neat to be able to launch without user namespaces - truly unprivileged containers, no setuid binaries or added caps anywhere.

@rhatdan
Member

rhatdan commented Jul 11, 2019

I think we need @giuseppe to comment on this one.

@giuseppe
Member

It is not possible for an unprivileged user to set up a container without user namespaces. Without a user namespace the user won't even be able to set up the mount namespace or do a pivot_root/chroot inside the rootfs.

What I was suggesting is to force a user namespace with a single user mapped inside. Podman already does it by default if there are no additional UIDs/GIDs defined in the /etc/sub{u,g}id files.

The issue with remote file systems happens when you have multiple IDs in the container, so you must either ensure there are no additional IDs defined or force it with --uidmap 0:0:1, that creates an inner user namespace with only one UID available.

Setting --uidmap 0:0:1 currently fails, I've opened a PR here: #3563
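The rule in the comment above (either no additional IDs in /etc/sub{u,g}id, or force a single UID with --uidmap 0:0:1) can be checked mechanically before starting a container on a shared filesystem. The following POSIX shell script is an added example, not code from this issue or from the Podman project: it parses /etc/subuid-style entries and /proc/<pid>/uid_map-style lines, counts how many UIDs a rootless container would map (and therefore how many owner IDs a remote filesystem would be asked to handle), and prints which extra `podman run` argument is needed. The user names, subordinate-ID ranges and uid_map lines are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue or from Podman): decide whether a rootless
# container would expose more than one UID to a shared filesystem, following the
# rule above: no additional IDs in /etc/sub{u,g}id, or pass --uidmap 0:0:1.

# Constructed sample of /etc/subuid (format: user:start:count). Not real data.
SAMPLE_SUBUID='alice:100000:65536
bob:165536:65536'

# Constructed samples of /proc/<pid>/uid_map as seen inside a container.
# Format: <id-inside-ns> <id-outside-ns> <length>.
SAMPLE_UID_MAP_SINGLE='         0       1000          1'
SAMPLE_UID_MAP_MULTI='         0       1000          1
         1     100000      65536'

# subuid_count USER CONTENT: total number of additional UIDs granted to USER.
# Reading the real file would be: subuid_count "$(id -un)" "$(cat /etc/subuid)".
subuid_count() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { n += $3 } END { print n + 0 }'
}

# uidmap_count CONTENT: number of UIDs mapped into a user namespace, i.e. the
# number of distinct owner IDs a remote filesystem could be asked to handle.
# Reading the live map would be: uidmap_count "$(cat /proc/self/uid_map)".
uidmap_count() {
  printf '%s\n' "$1" | awk 'NF == 3 { n += $3 } END { print n + 0 }'
}

# single_uid_args USER CONTENT: extra argument for `podman run`. When USER has
# additional IDs, Podman would map them all, so --uidmap 0:0:1 keeps a single
# UID inside; with no additional IDs Podman already maps one user by default.
single_uid_args() {
  if [ "$(subuid_count "$1" "$2")" -gt 0 ]; then
    printf '%s' '--uidmap 0:0:1'
  else
    printf '%s' ''
  fi
}

# Demonstration on the constructed samples.
for u in alice carol; do
  printf '%s: additional UIDs=%s extra args=[%s]\n' \
    "$u" "$(subuid_count "$u" "$SAMPLE_SUBUID")" "$(single_uid_args "$u" "$SAMPLE_SUBUID")"
done
printf 'single-UID namespace maps %s UID(s); multi-UID namespace maps %s UID(s)\n' \
  "$(uidmap_count "$SAMPLE_UID_MAP_SINGLE")" "$(uidmap_count "$SAMPLE_UID_MAP_MULTI")"

# The resulting invocation for a user who has subordinate IDs would then be:
#   podman run $(single_uid_args "$(id -un)" "$(cat /etc/subuid)") --rm -it <image> <cmd>
```

The check is deliberately read-only: it inspects the ID ranges and reports, and leaves the decision to pass --uidmap 0:0:1 to the caller, so it can be dropped into a job wrapper on the HPC side without changing how Podman itself is configured.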

@SEJeff

SEJeff commented Jul 16, 2019

@giuseppe can you also add that to the documentation somewhere? There is nowhere other than this ticket that it is very obvious to do that. It would be nice if it was somewhere sensible. Where would make the most sense?

@hypery2k

any news for support on pull command?

@github-actions

github-actions bot commented Nov 3, 2019

This issue had no activity for 30 days. In the absence of activity or the "do-not-close" label, the issue will be automatically closed within 7 days.

@mheon
Member

mheon commented Nov 3, 2019

Support for squashing down to a single user has been added to Podman, which ought to resolve this

@mheon mheon closed this as completed Nov 3, 2019
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023

8 participants