When user-namespaces are enabled for a container, runc appears to ignore any UID/GID settings provided for a device in that container's configuration. The device instead just ends up with the uid/gid as found under the host's /dev for the reasons explained here. Obviously you can't chown or chmod the device when it's bind-mounted from the host, so instead the uid/gid/fileMode fields are just ignored.
In theory, I suspect it's possible for runc to actually support configuring these fields when a userns is enabled. The basic idea being:
Detect that device uids/gids are being specified along with a userns
Before any namespaces are entered, mknod the devices somewhere under the container's runtime state directory. As long as runc itself has the ability to call mknod (i.e. this isn't a rootless runc invocation or setting up a nested userns), then it can set the uid/gid/fileMode as needed
Once inside the container, instead of bind-mounting from the host's /dev, bind-mount the devices created in the above step into the container
If the above fix would indeed work, I think it's worth doing. While there are certainly ways for callers of runc to work around this issue themselves, they all involve significant compromises (i.e. change permissions under the host's /dev or map uids/gids into the userns that otherwise shouldn't be needed) and/or significant complexity that it seems runc itself is meant to handle.
@cyphar @crosbymichael @mrunalp and others, please let me know what your thoughts are on the feasibility of the suggested fix. It's purely hypothetical at the moment so I certainly could be missing something.
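The three-step fix proposed above, sketched as an added Go example (my own code, not runc's): the LinuxDevice and IDMap types are assumed minimal copies of the OCI spec's LinuxDevice and LinuxIDMapping, the spec's device uid/gid are taken to be container-view ids that must be translated through the userns map before chown, and stageDevice needs CAP_MKNOD on Linux to actually create the node.

```go
package main
import (
	"os"
	"path/filepath"
	"syscall"
)

type LinuxDevice struct { // assumed minimal copy of the OCI spec's LinuxDevice
	Path, Type   string // Type is "c" (char) or "b" (block)
	Major, Minor int64
	FileMode     *os.FileMode
	UID, GID     *uint32 // owner as seen inside the container's user namespace
}
type IDMap struct{ ContainerID, HostID, Size uint32 } // one uid_map/gid_map line

// ownerID resolves a container-view id to the host-view id chown needs outside the userns.
func ownerID(m []IDMap, id *uint32) int {
	for _, e := range m {
		if id != nil && *id >= e.ContainerID && *id < e.ContainerID+e.Size {
			return int(e.HostID + *id - e.ContainerID)
		}
	}
	return -1 // nil or unmapped: -1 makes chown leave that id unchanged
}

// mkdev encodes major/minor the way glibc makedev(3) does for a Linux dev_t.
func mkdev(major, minor int64) int {
	return int(uint64(major&0xfff)<<8 | uint64(minor&0xff) | uint64(major&^0xfff)<<32 | uint64(minor&^0xff)<<12)
}

// nodeMode combines the device type with the requested permissions (0600 if unset).
func nodeMode(d LinuxDevice) uint32 {
	mode := map[string]uint32{"c": syscall.S_IFCHR, "b": syscall.S_IFBLK}[d.Type]
	if d.FileMode == nil {
		return mode | 0o600
	}
	return mode | uint32(d.FileMode.Perm())
}

// stageDevice runs before any namespace is entered (needs CAP_MKNOD, i.e. not rootless); the node it returns is what gets bind-mounted over rootfs/<Path> inside the container.
func stageDevice(stateDir string, d LinuxDevice, uidMap, gidMap []IDMap) (string, error) {
	staged := filepath.Join(stateDir, "devices", d.Path)
	if err := os.MkdirAll(filepath.Dir(staged), 0o700); err != nil {
		return "", err
	}
	if err := syscall.Mknod(staged, nodeMode(d), mkdev(d.Major, d.Minor)); err != nil {
		return "", err
	}
	return staged, os.Chown(staged, ownerID(uidMap, d.UID), ownerID(gidMap, d.GID))
}
```

The bind step itself is then a plain MS_BIND mount of the returned path onto the device path under the container rootfs, which is why the host's /dev node and its ownership never come into play.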
sipsma changed the title from "UID/GID fields of devices are ignored when using user namespcaes" to "UID/GID fields of devices are ignored when using user namespaces" on Aug 28, 2019.