New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rootless: optional support for generating config with subuid map #1692

Closed
wants to merge 1 commit into
base: master
from

Conversation

Projects
None yet
3 participants
@AkihiroSuda
Contributor

AkihiroSuda commented Jan 15, 2018

Signed-off-by: Akihiro Suda suda.akihiro@lab.ntt.co.jp

runc spec --rootless --rootless-subuid generates a config with multiple uidMappings and gidMappings. (See #1529)

@AkihiroSuda

This comment has been minimized.

Contributor

AkihiroSuda commented Jan 16, 2018

updated to support execution within userns

@cyphar

This comment has been minimized.

Member

cyphar commented Jan 16, 2018

I'm not a huge fan of this, though I might still be convinced. runc spec --rootless was already a bit too much in terms of trying to provide more configuration with regards to config generation (something users should do with oci-runtime-tools). But since this sources information from /etc/subuid it might be a different story.

However, there is another problem, which is that in many cases users shouldn't be mapping all of their allocated subuids/subgids for each container. They should be using independent sets of uids and gids (this is something that Docker gets very, very wrong -- though there are technical reasons why they made the compromise -- but we shouldn't be repeating that mistake). And example of this done more correctly is rkt or LXC. With that in mind, I'm not sure that you could automatically decide what the best sub-range is of a user's /etc/sub{uid,gid} sets...

@cyphar cyphar self-assigned this Feb 4, 2018

@cyphar cyphar assigned cyphar and unassigned cyphar Feb 23, 2018

@AkihiroSuda

This comment has been minimized.

Contributor

AkihiroSuda commented Feb 26, 2018

How about adding UID/GID range fields to RootlessOpts?
If empty entire spaces will be used.

cc @jessfraz

@jessfraz

This comment has been minimized.

Contributor

jessfraz commented Feb 26, 2018

I'm not sure the best approach here to be honest, but not making the same mistakes as docker sounds good haha

@cyphar

This comment has been minimized.

Member

cyphar commented Feb 26, 2018

Just to note that LXC also does the right thing here -- they allocate sub-sections of the available /etc/sub{uid,gid} ranges. But I'm not sure whether they deal with collisions by storing stuff on-disk -- which would be nice to avoid. I'll ping @brauner elsewhere and see how they do this or if they have any tips.

spec.Linux.GIDMappings = append(spec.Linux.GIDMappings,
specs.LinuxIDMapping{
HostID: uint32(subgid.SubID),
ContainerID: uint32(uNextContainerID),

This comment has been minimized.

@AkihiroSuda

AkihiroSuda Feb 27, 2018

Contributor

typo: will fix immediately

This comment has been minimized.

@AkihiroSuda

AkihiroSuda Feb 27, 2018

Contributor

done (cc @jessfraz )

@AkihiroSuda

This comment has been minimized.

Contributor

AkihiroSuda commented Jun 9, 2018

Removed CLI and added godoc ,as this seems controversial, although already used in img and rootless BuildKit.

rootless: optional support for generating config with subuid map
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
@AkihiroSuda

This comment has been minimized.

Contributor

AkihiroSuda commented Jun 15, 2018

rebased

@AkihiroSuda

This comment has been minimized.

Contributor

AkihiroSuda commented Jun 27, 2018

Any thought?

//
// When running in userns, MapAllSubIDs is ignored and
// /proc/self/[ug]id_map entries are used.
MapAllSubIDs bool

This comment has been minimized.

@AkihiroSuda

AkihiroSuda Jun 28, 2018

Contributor

I'm going to add more options such as KeepNetworkNamespace as well after this PR gets merged.

//
// MapAllSubIDs requires newuidmap(1) and newgidmap(1) with suid bit.
//
// When running in userns, MapAllSubIDs is ignored and

This comment has been minimized.

@AkihiroSuda

AkihiroSuda Jul 4, 2018

Contributor

As this is very confusing, I'm temporary closing this PR.

Please also see #1837

@AkihiroSuda AkihiroSuda closed this Jul 4, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment