[CI:DOCS] podman --userns: clarify auto works for rootful containers, too #17156
Conversation
|
@dilyanpalauzov: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
the
do-not-merge/release-note-label-needed
| @@ -4,14 +4,14 @@ | |||
| ####> are applicable to all of those. | |||
| #### **--userns**=*mode* | |||
|
|
|||
| Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options. | |||
| Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. When the environment variable is not set, it defaults to **host**, not to "". An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options. | |||
There was a problem hiding this comment.
an empty string "" or host should be equivalent so I don't think it is necessary to specify the not to "" part.
There was a problem hiding this comment.
An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the --uidmap and --gidmap options.
I think this is not correct. When I call rootless podman without --userns=, for that user /etc/subuid contains d:100000:65536, and the container creates (from its perspective as root) a file, on the host the file is owned by UID 100000. For me this means that newuidmap is utilized and therefore user-namespace is entered.
The cited sentence says in this case: user namespaces are enabled. Isn’t this a contradiction?
There was a problem hiding this comment.
The cited sentence says in this case: user namespaces are enabled.
READ
The cited sentence says in this case: user namespaces are DISABLED. Isn’t this a contradiction?
There was a problem hiding this comment.
rootless will always run in a user namespace, there is no way to make podman work without this
host or "" just means that there is no extra user namespace created for this container, instead it will use the one from the current process.
In the past such texts in DCO were accepted, while commits without DCO were not accepted. |
|
A DCO is required, your rant about is not. I read commit messages and that useless extra content just wastes my time. |
dilyanpalauzov
force-pushed
the
userns_rootful_auto
branch
2 times, most recently
from
ce7ce5e
to
d9a9105
Compare
| Key | Host User | Container User | ||
| ----------|-------------|--------------------- | ||
| "" or host|$UID | 0 (Default User account mapped to root user in container.) | ||
| keep-id |$UID | $UID (Map user account to same UID within container.) |
There was a problem hiding this comment.
Does this work in rootful mode.
# podman run --userns=keep-id alpine echo hi
Error: keep-id is only supported in rootless mode
podman run --userns=nomap alpine echo hi
Error: nomap is only supported in rootless mode
| Key | Host User | Container User | ||
| ----------|-------------|--------------------- | ||
| "" or host|$UID | 0 (Default User account mapped to root user in container.) | ||
| keep-id |$UID | $UID (Map user account to same UID within container.) | ||
| keep-id:uid=200,gid=210 |$UID| 200:210 (Map user account to specified uid, gid value within container.) | ||
| auto |$UID | nil (Host User UID is not mapped into container.) | ||
| nomap |$UID | nil (Host User UID is not mapped into container.) |
There was a problem hiding this comment.
# podman run --userns=nomap alpine echo hi
Error: nomap is only supported in rootless mode
| "" |$UID |0 (Default User account mapped to root user in container.) | ||
| keep-id |$UID |$UID (Map user account to same UID within container.) | ||
| "" or host|$UID | 0 (Default User account mapped to root user in container.) | ||
| keep-id |$UID | $UID (Map user account to same UID within container.) |
There was a problem hiding this comment.
# podman run --userns=keep-id alpine echo hi
Error: keep-id is only supported in rootless mode
# podman run --userns=nomap alpine echo hi
Error: nomap is only supported in rootless mode
There was a problem hiding this comment.
This is correct, but the next lines contain:
The rootless option
--userns=keep-iduses all the subuids and subgids of the user.
keep-id: creates a user namespace where the current rootless user's UID:GID are mapped to the same values in the container. This option is not allowed for containers created by the root user
nomap: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.
To be precise, this text:
The rootless option
--userns=keep-iduses all the subuids and subgids of the user.
is in fact present in userns.container.md and absent from userns.pod.md.
I think the above lines spell sufficiently clear, that keep-id and nomap are not allowed for rootful podman.
|
Ok you need to sign your commits. |
rhatdan
changed the title
| @@ -4,16 +4,16 @@ | |||
| ####> are applicable to all of those. | |||
| #### **--userns**=*mode* | |||
|
|
|||
| Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options. | |||
| Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") or **host** means user namespaces are disabled, unless an explicit mapping is set with the **--uidmap** and **--gidmap** options or podman is rootless. | |||
There was a problem hiding this comment.
I'm not at all gronking "or host". Does that mean --userns=127.0.0.1 and --userns=myhost.mycompany.com are valid? There is no mention of host prior to this, and only one way down lower in this page. Examples for this, and other possible settings that might be found in this file would be a very welcomed addition to this man page.
There was a problem hiding this comment.
An empty value ("") or host means …
This wording is chosen in order to emphasize that empty value and host have the same meaning. I am not aware of open tickets, claiming that it is unclear how to interpret host, except #15764, which is from me.
There was a problem hiding this comment.
I think host is fine, that has the same meaning as any other namespace
I am not going to remove the text. Or rather, the commit contains now |
|
I think the DCO check is looking for a blank line between the title and the first line of description, please rewrite your description like that and the DCO should pass. |
dilyanpalauzov
force-pushed
the
userns_rootful_auto
branch
from
d9a9105
to
bdf5a2e
Compare
|
please provide a valid DCO, the commit cannot be accepted otherwise |
and the default when PODMAN_USERNS is missing. Insisting on “DCO” imposes formalities, that serve self-purpose. One cannot assume that the submitter has time or will to read texts about symbolism in software contributions. If the system wants to see the text nrEAUIEUAIe eanuitdnuae EAIUEAUIAIE »ℓ§444.3.72b)°»°ℓ§euaieauuae in each commit, people will write this, or any other text, that the system wants to see. All such text, which presence is mandated by the system, has the same value. Signed-off-by: Дилян Палаузов <git-dpa@aegee.org>
dilyanpalauzov
force-pushed
the
userns_rootful_auto
branch
from
bdf5a2e
to
f4178bd
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dilyanpalauzov The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Please remove this this part of your commit message. |
|
|
I am not going to submit changesets to this project anymore. |
|
Sorry you feel that way @dilyanpalauzov |
github-actions
bot
added
the
locked - please file new issue/PR
and the default when PODMAN_USERNS is missing.