
userns: skip the nobody user #1473

Merged (1 commit), Jan 17, 2023

Conversation

giuseppe
Member

improve the heuristic to detect the user namespace size needed to run an image. Hardcode the nobody user value to 65534, which is the value used by the kernel, and ignore this value when parsing /etc/passwd and /etc/group.

Closes: #1472

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com
@vrothberg vrothberg (Member) left a comment

LGTM

Comment on lines 102 to 104
if u.Name == "nobody" {
continue
}
Member

I think we skip this check here now

Member Author

I have left it just in case some image defines it to have a value different than the default 65534

Comment on lines 117 to 119
if g.Name == "nobody" {
continue
}
Member

same here

@robbmanes

Verified working for me in the below test.

Before:

$ podman run --name test1 --userns=auto docker.io/rapidfort/mariadb:10.10

$ podman run --name test2 --userns=auto docker.io/rapidfort/mariadb:10.10
Error: error creating container storage: could not find enough available IDs

$ podman inspect test1 | jq '.[].HostConfig.IDMappings'
{
  "UidMap": [
    "0:1:65534"
  ],
  "GidMap": [
    "0:1:65534"
  ]
}

After:

$ ./bin/podman run --name test1 --userns=auto docker.io/rapidfort/mariadb:10.10

$ ./bin/podman run --name test2 --userns=auto docker.io/rapidfort/mariadb:10.10

$ ./bin/podman inspect test1 | jq '.[].HostConfig.IDMappings'
{
  "UidMap": [
    "0:1:1024"
  ],
  "GidMap": [
    "0:1:1024"
  ]
}

$ ./bin/podman inspect test2 | jq '.[].HostConfig.IDMappings'
{
  "UidMap": [
    "0:1025:1024"
  ],
  "GidMap": [
    "0:1025:1024"
  ]
}
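The sizing heuristic described in the PR description, and the before/after behaviour shown in the test output above, as an added example in Go. This is not containers/storage's own code: it scans passwd/group style content for the highest UID/GID, skips the "nobody" entry by name (kept, as the review thread settled on, in case an image gives it a non-default ID) and skips any ID equal to 65534 by value, then sizes the user namespace as the highest remaining ID plus one, never below a minimum. The sample /etc/passwd and /etc/group contents are constructed, the 65536-ID host pool and the 1024 minimum are assumptions (1024 matches the "after" mappings on this page), and because the size is taken as highest ID + 1 the unfixed figure here is 65535 rather than the 65534 in the output above. The `idPool` allocator is a stand-in for podman's subordinate-ID allocation, added only to reproduce the "could not find enough available IDs" failure.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// nobodyID is the kernel's overflow UID/GID (/proc/sys/kernel/overflowuid),
// also the value most images assign to "nobody" and to Debian's "nogroup".
const nobodyID uint32 = 65534

// Constructed sample files (not taken from any real image): one unprivileged
// service account plus the conventional nobody/nogroup entries at 65534.
const samplePasswd = `root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:1001:1001::/nonexistent:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
`

const sampleGroup = `root:x:0:
mysql:x:1001:
nogroup:x:65534:
`

// maxIDInColumn returns the highest numeric value in column idField of
// colon-separated passwd/group content; blank, comment and unparsable lines
// are ignored. With skipNobody set, the entry named "nobody" is skipped by
// name and any ID equal to nobodyID is skipped by value (which also catches
// "nogroup", the same ID under a different name).
func maxIDInColumn(content string, idField int, skipNobody bool) uint32 {
	var highest uint32
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ":")
		if len(fields) <= idField {
			continue
		}
		if skipNobody && fields[0] == "nobody" {
			continue
		}
		id, err := strconv.ParseUint(fields[idField], 10, 32)
		if err != nil || (skipNobody && uint32(id) == nobodyID) {
			continue
		}
		if uint32(id) > highest {
			highest = uint32(id)
		}
	}
	return highest
}

// requiredUserNSSize returns how many IDs a user namespace needs so that every
// UID and GID referenced by the image's passwd and group files has a host
// mapping: the highest ID plus one (IDs start at 0), never below minSize.
func requiredUserNSSize(passwd, group string, minSize uint32, skipNobody bool) uint32 {
	size := minSize
	for _, highest := range []uint32{
		maxIDInColumn(passwd, 2, skipNobody), // passwd UID column
		maxIDInColumn(passwd, 3, skipNobody), // passwd primary GID column
		maxIDInColumn(group, 2, skipNobody),  // group GID column
	} {
		if highest+1 > size {
			size = highest + 1
		}
	}
	return size
}

// idPool hands out contiguous host ID ranges from [next, end); a stand-in for
// the subordinate ID range --userns=auto containers are carved out of.
type idPool struct {
	next, end uint32
}

// allocate reserves size IDs and returns the mapping as "containerID:hostID:size",
// or fails when the remaining pool cannot hold it.
func (p *idPool) allocate(size uint32) (string, error) {
	if size > p.end-p.next {
		return "", fmt.Errorf("could not find enough available IDs")
	}
	mapping := fmt.Sprintf("0:%d:%d", p.next, size)
	p.next += size
	return mapping, nil
}

func main() {
	// Assumed pool: 65536 host IDs starting at host ID 1.
	for _, skip := range []bool{false, true} {
		pool := &idPool{next: 1, end: 1 + 65536}
		size := requiredUserNSSize(samplePasswd, sampleGroup, 1024, skip)
		fmt.Printf("skip nobody=%v: namespace size %d\n", skip, size)
		for i := 1; i <= 2; i++ {
			m, err := pool.allocate(size)
			if err != nil {
				fmt.Printf("  test%d: Error: %v\n", i, err)
				continue
			}
			fmt.Printf("  test%d: UidMap %s\n", i, m)
		}
	}
}
```

Running it shows the two regimes from the test above: without the skip the first container takes almost the whole pool and the second fails; with the skip each container gets 1024 IDs, yielding `0:1:1024` and `0:1025:1024`. The value check matters independently of the name check because `nogroup` would otherwise still pull the size up to 65535.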
@rhatdan (Member) commented Jan 17, 2023

LGTM

Successfully merging this pull request may close these issues.

[Bug]: "podman run" with "--userns=auto" fills all available user namespaces for a specific container image