-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
namespaces: allow configuring keep-id userns size #24882
Conversation
8f3662a
to
67318cf
Compare
LGTM |
How should this be integrated in to newer projects like distrobox? A version check to see if podman is > 5.3.1? Othersize size is undefined. |
67318cf
to
5f2b57b
Compare
I'm going to test this this weekend and try to integrate it in to distrobox to see if this works for my use case. I'll report back if it's a good solution for this problem. |
personally I don't like version checks, it is error prone and it won't work if we backport the feature to older releases. You could just run a simple container with that option and see if it works |
even better if you specify the correct size you plan to use, so the image is copied and chowned only once |
Okay, thanks for the advice. I guess follow-up question is whether this will cause each container to have a different set of UIDs if I've never run --userns=auto before? It's a bit confusing how these interact. |
|
Good news: I have tested this with a modified distrobox and it works well! I can now run my userns=auto containers AND userns=keep-id:size=65536 distroboxes on my machine. Bad news: I started looking at how to use this in distrobox. I can't guarantee 'podman run --rm --userns=keep-id:size=65336 $IMG /bin/true' will work as I can't guarantee the image will have /bin/true or really any specific binary. Would it be safe to take exit code 127 as success in this case? My current code looks like this:
Edit: This works perfectly fine, but it seems a little non-ideal. |
would be enough to just create the container without running it? |
Running this on a regular podman doesn't error:
```
podman create archlinux --userns=keep-id:size=65536
```
Despite no size argument being implemented.
…On Sat, Dec 21, 2024 at 11:06:00PM -0800, Giuseppe Scrivano wrote:
would be enough to just create the container without running it? `podman create` instead of `podman run`
--
Reply to this email directly or view it on GitHub:
#24882 (comment)
You are receiving this because you commented.
Message ID: ***@***.***>
|
Can you add the new |
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
sure. Added a new test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the size argument is fine but is this actually what the original use case wants? I feel like forcing everyone to add size doesn't improve the situation that a keep-id makes all other userns=auto fail. That seems backwards because we now keep-id means all uids, just like userns=host (default) means all uids are mapped. So why would we allow userns=host and auto to coexists while userns=keep-id and auto means error.
I think fixing that might be much more useful than requiring all users to manually specify a size for keep-id. Anyway that is no point again having this option.
if opts.MaxSize != nil && !rootless.IsRootless() { | ||
return user, fmt.Errorf("cannot set max size for user namespace when not running rootless") | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not? Could we not just limit the rootful size in the same way as done for rootless?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
keep-id with root is a no-op. It doesn't currently create a user namespace
@@ -62,6 +62,7 @@ For details see **--uidmap**. | |||
|
|||
- *uid*=UID: override the UID inside the container that is used to map the current user to. | |||
- *gid*=GID: override the GID inside the container that is used to map the current user to. | |||
- *size*=SIZE: override the size of the configured user namespace. It is useful to not saturate all the available IDs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if size is really not support as root it should be documented here
For sure it would be better if keep-id and nomap and friends just limited their scope to 65536 or similar automatically so everything would just work, but would that break existing tools? |
users using I don't see how the two worlds can work well together. The issue would exist also with containers not using a user namespace, since they use all the available IDs. |
Introduce a new option "size" to configure the maximum size of the user namespace configured by keep-id. Closes: containers#24837 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe But the thing is
This works fine an non user namesapced container does not block all uids
But keep-id blocks all uids, so that logic seems inconsistent. |
are you suggesting we ignore We could argue about a better solution, but I don't see any downside if we allow to customize the user namespace size for the |
Yes I know it is not easy, just saying the current way feels inconsistent.
Right as I said in my original comment I am totally fine with this PR alone. I just do not think the use case of the issue is not solved in the best way with it but it certainly improves it so this is good. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, Luap99 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm |
Introduce a new option "size" to configure the maximum size of the user namespace configured by keep-id.
Closes: #24837