-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: chown() fails for rootful podman with --userns=auto on bind-mounts #17120
Comments
podman uses by default a smaller size for the user namespace: 1024 IDs, while CRI-O uses 65536. Could you try forcing a bigger size for the user namespace?
|
Thanks, that works. Why is this not necessary for rootless podman (APIVersion: 4.4.0-dev, GitCommit: 9311846), but is necessary for rootful podman (APIVersion: 4.3.2-dev, GitCommit: 588c6ec)? Moreover, when I have in |
https://docs.podman.io/en/latest/markdown/podman-run.1.html does not say that the default is size=1024. |
are you using
That is the entire range of IDs that are allocated for |
No. If I use it rootless and rootful behave more similar to each other. My understanding about https://docs.podman.io/en/latest/markdown/podman-run.1.html#userns-mode is:
Please adjust https://docs.podman.io/en/latest/markdown/podman-run.1.html#userns-mode to specify what is common and different when using rootful/rootless podman. |
Please also specify that in the default userns for rootful podman ("" or host - whatever it is), the size is 65536 and for auto the estimation is 1000, even it /etc/passwd contains a single line
I would expect that the entire space is allocated and the different containers running under userns=auto for the user «containers» share the UIDs: if two distinct containers use uid=5 in --userns=auto, then both users are mapped on the host to the same sub-uid. This might be not utterly secure, but this is my expectation and the documetation of |
After rereading https://docs.podman.io/en/latest/markdown/podman-run.1.html#userns-mode:
I agree that the created namespace is documented as distinct for different containers. That leaves unclear, how is size= guessed. |
It is documented "auto will estimate a size for the user namespace." We use a heuristic to find out the initial size, it looks into the container image and sees what users are defined there. If you want a specific size you need to specify it. If you've suggestions on how to improve the documentation, please open a PR. |
I filled #17156 . For me it is unclear how the auto:size= estimation works. Is it based on the content of the included /etc/passwd? Is it based on the USER directlive in Containerfile? Are there other criteria? |
It also finds the greatest UID defined in the container image. |
Issue Description
CRI-O can run rootful containers in userns. That is it switches from
root
to usercontainers
and from the perspective of the usercontainers
, /etc/subuid and /etc/subgid it allocates new mappings user-id-within-the-container ⇔ user-id-on-the-host-system.Rootless podman can do the same. (N.B. I try functional rootless podman and dysfunctional rootful podman on different systems).
But I cannot get this in rootful-podman version 4.3.2-dev. With
/etc/password containing
containers:x:1066:1066::/home/containers:/bin/sh
/etc/group containing
containers:x:1066:
/etc/subuid containing
containers:3638944:65536
/etc/subgid containing
containers:3638944:65536
I call
/usr/local/bin/podman run --cap-add=IPC_LOCK --log-driver=none --net=host --read-only --read-only-tmpfs=false --mount type=bind,src=/etc/k,dst=/conf --rm=true -a=stderr -a=stdout -a=stdin --userns=auto --name=k-run --tty localhost/k:2023-01-14
Under strace it executes:
and
Without --userns=auto above, this does run properly:
/etc/k/k=
belongs to user 1065, group 1065.Steps to reproduce the issue
See above.
Describe the results you received
See above.
Describe the results you expected
chown("/conf/k_ctl", 1065, 1065)
shall work under--userns=auto
.podman info output
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
No
Additional environment details
No response
Additional information
No response
The text was updated successfully, but these errors were encountered: