[CI:DOCS] BZ1860126 - Fix userns defaults in run man page #7075
Conversation
@giuseppe @mheon, please verify my changes are in line. That's what I could grok from the code, but the default userns value setting is not easily parseable. Also I did not test the change concerning the USER in the containerfile, but believe that is the case. Please holler if not, and perhaps we/I should add a test to verify? I'm not sure we have one atm.
docs/source/markdown/podman-run.1.md
Maybe this should read "Without this argument the command will be run as root on the host unless a user was specified by the container image or the --user option"
Not root on the host, since it could be rootless or running in a user namespace. It will also run as the User of the image. So the wording of this should be
Without this argument the command will run as the user specified in the container image. Note that this user often defaults to root. The actual UID of the process running in the container is based on the User namespace the container is running in. By default if you are running a rootful Podman, the container will run as the host's root. If you are running the container as a rootless user, the root inside of the container is actually the user's UID.
I think it's important to get the USER/--user option thought in. So I've tweaked the comment from @rhatdan to:
Without this argument, the command will run as the user specified in the container image. Unless
overridden by a `USER` command in the Containerfile or by a value passed to this option, this
user generally defaults to root. The actual UID of the process running in the container is based on
the User namespace the container is running in. By default, if you are running a rootful Podman,
the container will run using the UID of the host's root. If you are running the container as a
rootless user, by default the UID used by root inside of the container is the rootless user's UID.
docs/source/markdown/podman-run.1.md
This is the default, not private
How about running as root vs non-root? Is this default the same for non-root too? I thought that running as non-root creates a new userns.
This is difficult to explain.
Root inside of the rootless container is your UID, so theoretically it has the same privs as a process run by your user.
Bottom line, all containers will run within the same user namespace, and you will gain no separation advantage between containers launched by the same user. All of the processes in containers will run within the same range of UIDs that other containers you launch run with.
$ podman run --userns=host alpine cat /proc/self/uid_map
0 3267 1
1 100000 65536
$ podman run --userns=host alpine cat /proc/self/uid_map
0 3267 1
1 100000 65536
This is the default, not private
Thanks, I was looking at the wrong field with a default "Private" value (userns mode) when I change this. I've changed the default to host.
docs/source/markdown/podman-run.1.md
The last sentence is not correct. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with --uidmapping and --gidmapping
Thanks @giuseppe. I've added: unless an explicit mapping is set with --uidmapping and --gidmapping
to the end of that sentence as suggested.
LGTM
btw I can't see any other option but
You should update the version of podman you are using on fedora 32.
docs/source/markdown/podman-run.1.md
I'm going to change and re-push a slightly amended second sentence:
Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with --uidmapping and --gidmapping.
Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the `--uidmapping` and `--gidmapping` options.
All green and I think I've addressed all comments. @mheon, could you do a final review and push if it LGTY please?
docs/source/markdown/podman-run.1.md
I don't know if this paragraph makes much sense. We shouldn't be focusing on the user the container is run as, but that root in the container is or is not root on the host.
This whole paragraph started from a question in the BZ: "Namely should lack of --user option result in container running as specified by USER in Dockerfile? This is what I observe."
I started the first bit of the USER, then Dan suggested the bit about the UID too and I tweaked it slightly. I'm happy to make it anything that folks see fit. Would it work if I just remove the last bit talking about the UID?
Without this argument, the command will run as the user specified in the
container image. Unless overridden by a `USER` command in the
Containerfile or by a value passed to this option, this user generally
defaults to root.
This sounds like two separate issues.
We need to beef up the documentation of --user to detail what happens there; and we need to improve the documentation here to specify what happens when user namespaces are involved. Intermingling the two here seems nonsensical from a reader's perspective, especially given that user namespaces do not just alter the mapping of the user the container is run as, but all users in the container.
That is what I've attempted to do here. Apparently I've missed the mark. Please give me suggested changes as I'm not sure what to change at this point.
I think we need to separate the bit about user/Dockerfile USER and put it in the description of the --user flag. This section should focus entirely on how a userns will result in users inside the container having different IDs from users outside the container, how this depends on the exact UID mappings of the user namespace, and how user namespaces are default for rootless and optional for root. Will write more tomorrow.
@mheon, this is currently under the --user option, not the --userns option. Did you get a chance to tickle the keyboard with your thoughts?
Having this bit under --user and the rest under --userns does satisfy my request.
Still, the documentation here seems overly focused on root. Should probably be more generic - "When a user namespace is not in use, the UID and GID used within the container and on the host will match. When user namespaces are in use, however, the UID and GID in the container may correspond to another UID and GID on the host. In rootless containers, for example, a user namespace is always used, and root in the container will by default correspond to the UID and GID of the container invoking Podman."
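The uid_map output quoted earlier in this thread and the wording proposed just above both turn on the same mechanism: a user namespace maps contiguous ranges of container IDs onto host IDs, and an ID that falls outside every range has no host identity at all. The following Python is an added example, not code from the podman project or from this PR. It parses the three-column text of /proc/<pid>/uid_map (or gid_map), translates IDs in both directions, and checks whether two mappings share any host IDs. The sample mappings are constructed: the rootless one mirrors the "0 3267 1 / 1 100000 65536" output quoted earlier (host UID 3267, subuid range 100000-165535), the identity map is what the initial host namespace shows, and the disjoint second mapping is invented to contrast with the shared case.

```python
# Added example (not code from the podman PR or project): a small model of
# /proc/<pid>/uid_map semantics. It shows how a container UID translates to a
# host UID under a user namespace, and why two containers that share the same
# mapping get no UID separation from each other. All sample maps are constructed.
from dataclasses import dataclass
from typing import List, Optional

# Kernel default for /proc/sys/kernel/overflowuid: unmapped IDs appear as this ("nobody").
OVERFLOW_ID = 65534


@dataclass(frozen=True)
class IdMapEntry:
    inner_start: int  # first ID as seen inside the namespace
    outer_start: int  # first ID as seen in the parent (host) namespace
    count: int        # length of the contiguous range


def parse_id_map(text: str) -> List[IdMapEntry]:
    """Parse the three-column text of /proc/<pid>/uid_map or gid_map."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inner, outer, count = (int(f) for f in fields)
        if count <= 0 or inner < 0 or outer < 0:
            raise ValueError(f"invalid id_map line: {line!r}")
        entries.append(IdMapEntry(inner, outer, count))
    return entries


def to_host(inner_id: int, mapping: List[IdMapEntry]) -> int:
    """Container ID -> host ID; an ID outside every range surfaces as the overflow ID."""
    for e in mapping:
        if e.inner_start <= inner_id < e.inner_start + e.count:
            return e.outer_start + (inner_id - e.inner_start)
    return OVERFLOW_ID


def to_container(host_id: int, mapping: List[IdMapEntry]) -> Optional[int]:
    """Host ID -> container ID, or None if the host ID is not mapped into the namespace."""
    for e in mapping:
        if e.outer_start <= host_id < e.outer_start + e.count:
            return e.inner_start + (host_id - e.outer_start)
    return None


def host_ranges_overlap(a: List[IdMapEntry], b: List[IdMapEntry]) -> bool:
    """True if some host ID is reachable from both namespaces, i.e. no UID separation."""
    for x in a:
        for y in b:
            if x.outer_start < y.outer_start + y.count and y.outer_start < x.outer_start + x.count:
                return True
    return False


# Constructed sample mappings.
# Rootless user with host UID 3267 and /etc/subuid range 100000-165535 (matches the thread):
ROOTLESS_MAP = parse_id_map("0 3267 1\n1 100000 65536\n")
# Identity map of the initial user namespace, i.e. what a rootful container with no userns sees:
HOST_MAP = parse_id_map("0 0 4294967295\n")
# A second container given its own disjoint range (hypothetical, for contrast):
OTHER_MAP = parse_id_map("0 200000 65536\n")


def summarize(container_uid: int, mapping: List[IdMapEntry]) -> str:
    """One human-readable line for a demo run."""
    return f"container UID {container_uid} -> host UID {to_host(container_uid, mapping)}"


if __name__ == "__main__":
    print("rootless:", summarize(0, ROOTLESS_MAP), "|", summarize(1000, ROOTLESS_MAP))
    print("rootful, no userns:", summarize(0, HOST_MAP))
    # Two rootless containers launched by the same user get the same map, so their
    # root users are the same host UID and their ranges fully overlap.
    print("same rootless map overlaps:", host_ranges_overlap(ROOTLESS_MAP, ROOTLESS_MAP))
    print("disjoint map overlaps:", host_ranges_overlap(ROOTLESS_MAP, OTHER_MAP))
```

Run stand-alone, it reports container root mapping to host UID 3267 under the rootless map and to host UID 0 under the identity map, that two containers sharing the rootless map overlap on every host UID (the "no separation advantage" point made earlier), and that a disjoint mapping does not overlap. The `to_host` fall-through to the overflow ID is the behaviour a process sees when it stats a file owned by a host UID that its namespace does not map.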
Matt, I've removed this:
When a user namespace is not in use, the UID and GID used within the container and on the host will match.
When user namespaces are in use, however, the UID and GID in the container may correspond to another
UID and GID on the host. In rootless containers, for example, a user namespace is always used, and root in
the container will by default correspond to the UID and GID of the container invoking Podman.
From the original paragraph. I then took what you have above and made it a new second paragraph under user, BUT, I changed the second from last word from container to user.
PTAL
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: TomSweeneyRedHat The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
LGTM, thanks!
@TomSweeneyRedHat Great job.
Addresses the multiple "default" userns values found
in the podman-run(1) man page: http://docs.podman.io/en/latest/markdown/podman-run.1.html.
This in response to: https://bugzilla.redhat.com/show_bug.cgi?id=1860126
which this PR will fix.
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>