
Add support without user namespaces to --user flag #3561

Open
jwflory opened this issue Jul 11, 2019 · 9 comments

@jwflory (Contributor) commented Jul 11, 2019

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

docker run has the --user flag for specifying the default user of a container. This is a useful flag if you want to run a single-user/single-group container:

```
docker run --user=${username}:${group} --rm -it registry.fedoraproject.org/fedora:latest bash
```

It also does this without using user namespaces.

A user story:

User Justin is interested in evaluating the latest Tensorflow nightly image. He wants to use the upstream Docker Hub image and run it in an HPC environment as user jwflory without changing the Docker image or rolling his own.

Additional environment details (AWS, VirtualBox, physical, etc.):

I see this as being another workaround for #3478, along with containers/storage#383, without going to NFS / GPFS to add support for user namespaces.

@mheon (Collaborator) commented Jul 11, 2019

This should be working already via podman run --user

@jwflory jwflory changed the title Add Docker-equivalent of --user flag for setting default user of container Add support without user namespaces to --user flag Jul 11, 2019

@mheon (Collaborator) commented Jul 11, 2019

I think we need to figure out exactly what interaction between user namespaces and parallel filesystems is blowing us up.

Is this a kernel-level thing where any contact between the two is EPERM? Or is this just a user-mapping thing that we can solve by changing how we access content in /home?

@SEJeff commented Jul 11, 2019

@mheon this is the exact same problem as user namespaces on nfs. It simply doesn't work at all, and won't without updates to the protocol. We're (I work with @jwflory) looking for a way to disable user namespaces and run a container as a single user / group. The problem is that user namespaces don't work on shared filesystems. We'd like to be able to disable them for certain workloads.

@giuseppe talked with us via VC about this yesterday.

@baude (Collaborator) commented Jul 11, 2019

should this be an RFE and titled something like "add ability to disable user namespaces"?

@mheon (Collaborator) commented Jul 11, 2019

Ahhh, I think I understand where we're coming from now. I think there are definitely some obstacles to work through here, but it'd be properly neat to be able to launch without user namespaces - truly unprivileged containers, no setuid binaries or added caps anywhere.

@rhatdan (Member) commented Jul 11, 2019

I think we need @giuseppe to comment on this one.

@giuseppe (Member) commented Jul 12, 2019

It is not possible for an unprivileged user to set up a container without user namespaces. Without a user namespace the user won't even be able to set up the mount namespace or do a pivot_root/chroot inside the rootfs.

What I was suggesting is to force a user namespace with a single user mapped inside. Podman already does it by default if there are no additional UIDs/GIDs defined in the /etc/sub{u,g}id files.

The issue with remote file systems happens when you have multiple IDs in the container, so you must either ensure there are no additional IDs defined or force it with --uidmap 0:0:1, which creates an inner user namespace with only one UID available.

Setting --uidmap 0:0:1 currently fails, I've opened a PR here: #3563
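
The single-ID mapping described above can be verified from inside a container by reading /proc/self/uid_map, which lists one "inside outside count" line per mapped range. The following shell script is an added example, not code from the podman project or from anyone in this thread: it parses uid_map/gid_map text and /etc/subuid-style entries to tell a single-ID mapping from a multi-ID one, and the sample inputs embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not podman project code: check whether a user namespace
# maps exactly one ID (the --uidmap 0:0:1 layout that works on NFS/GPFS)
# and whether /etc/subuid would give a user a wider range.

# Sum the "count" column of uid_map/gid_map text ("inside outside count"
# per line). The identity mapping of the initial namespace is
# "0 0 4294967295"; a single-ID rootless container shows "0 <uid> 1".
count_mapped_ids() {
    printf '%s\n' "$1" | awk 'NF == 3 { total += $3 } END { print total + 0 }'
}

# "single" when exactly one ID is mapped, otherwise "multi". Only the
# single case avoids IDs that a remote filesystem cannot resolve.
classify_mapping() {
    if [ "$(count_mapped_ids "$1")" -eq 1 ]; then
        echo single
    else
        echo multi
    fi
}

# Sum the ranges /etc/subuid (or /etc/subgid) text assigns to a user;
# lines are "user:start:count". A non-zero result means podman will map
# those extra IDs unless --uidmap 0:0:1 is given.
subid_count_for_user() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { total += $3 } END { print total + 0 }'
}

# Classify the namespace this shell runs in from the live /proc file,
# or report "unknown" when it is not readable.
check_live_mapping() {
    if [ -r /proc/self/uid_map ]; then
        classify_mapping "$(cat /proc/self/uid_map)"
    else
        echo unknown
    fi
}

# Constructed sample inputs (not captured from a real host).
SINGLE_MAP='         0       1000          1'
MULTI_MAP='         0       1000          1
         1     100000      65536'
SUBUID_SAMPLE='jwflory:100000:65536
alice:165536:65536'

# Usage: compare the two layouts and the subuid lookup.
echo "single-id map: $(classify_mapping "$SINGLE_MAP")"
echo "multi-id map:  $(classify_mapping "$MULTI_MAP") ($(count_mapped_ids "$MULTI_MAP") IDs)"
echo "subuid IDs for jwflory: $(subid_count_for_user jwflory "$SUBUID_SAMPLE")"
echo "this shell: $(check_live_mapping)"
```

Inside a container started with podman run --uidmap 0:0:1, cat /proc/self/uid_map prints a single line whose count field is 1, so feeding that text to classify_mapping yields "single"; the default rootless mapping for a user with a /etc/subuid range yields "multi", which is the layout that breaks on shared filesystems.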

@SEJeff commented Jul 16, 2019

@giuseppe can you also add that to the documentation somewhere? There is nowhere other than this ticket where it is obvious to do that. It would be nice if it was somewhere sensible. Where would make the most sense?

@hypery2k commented Jul 23, 2019

Any news on support for the pull command?
