Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rootless: optional support for generating config with subuid map #1692

Closed

Conversation

@AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Jan 15, 2018

Signed-off-by: Akihiro Suda suda.akihiro@lab.ntt.co.jp

runc spec --rootless --rootless-subuid generates a config with multiple uidMappings and gidMappings. (See #1529)

@AkihiroSuda AkihiroSuda force-pushed the AkihiroSuda:rootless-map-subuid branch 2 times, most recently from 298d6cd to 5774f21 Jan 15, 2018
@AkihiroSuda AkihiroSuda force-pushed the AkihiroSuda:rootless-map-subuid branch from 5774f21 to 2fce970 Jan 16, 2018
@AkihiroSuda
Copy link
Member Author

@AkihiroSuda AkihiroSuda commented Jan 16, 2018

updated to support execution within userns

@AkihiroSuda AkihiroSuda force-pushed the AkihiroSuda:rootless-map-subuid branch from 2fce970 to be7177e Jan 16, 2018
@cyphar
Copy link
Member

@cyphar cyphar commented Jan 16, 2018

I'm not a huge fan of this, though I might still be convinced. runc spec --rootless was already a bit too much in terms of trying to provide more configuration with regards to config generation (something users should do with oci-runtime-tools). But since this sources information from /etc/subuid it might be a different story.

However, there is another problem, which is that in many cases users shouldn't be mapping all of their allocated subuids/subgids for each container. They should be using independent sets of uids and gids (this is something that Docker gets very, very wrong -- though there are technical reasons why they made the compromise -- but we shouldn't be repeating that mistake). And example of this done more correctly is rkt or LXC. With that in mind, I'm not sure that you could automatically decide what the best sub-range is of a user's /etc/sub{uid,gid} sets...

@cyphar cyphar self-assigned this Feb 4, 2018
@cyphar cyphar assigned cyphar and unassigned cyphar Feb 23, 2018
@AkihiroSuda
Copy link
Member Author

@AkihiroSuda AkihiroSuda commented Feb 26, 2018

How about adding UID/GID range fields to RootlessOpts?
If empty entire spaces will be used.

cc @jessfraz

@jessfraz
Copy link
Contributor

@jessfraz jessfraz commented Feb 26, 2018

I'm not sure the best approach here to be honest, but not making the same mistakes as docker sounds good haha

@cyphar
Copy link
Member

@cyphar cyphar commented Feb 26, 2018

Just to note that LXC also does the right thing here -- they allocate sub-sections of the available /etc/sub{uid,gid} ranges. But I'm not sure whether they deal with collisions by storing stuff on-disk -- which would be nice to avoid. I'll ping @brauner elsewhere and see how they do this or if they have any tips.

spec.Linux.GIDMappings = append(spec.Linux.GIDMappings,
specs.LinuxIDMapping{
HostID: uint32(subgid.SubID),
ContainerID: uint32(uNextContainerID),

This comment has been minimized.

@AkihiroSuda

AkihiroSuda Feb 27, 2018
Author Member

typo: will fix immediately

This comment has been minimized.

@AkihiroSuda

AkihiroSuda Feb 27, 2018
Author Member

done (cc @jessfraz )

@AkihiroSuda AkihiroSuda force-pushed the AkihiroSuda:rootless-map-subuid branch 2 times, most recently from e835e87 to aa80caf Feb 27, 2018
@AkihiroSuda AkihiroSuda force-pushed the AkihiroSuda:rootless-map-subuid branch from aa80caf to 9eecb7d Mar 19, 2018
@AkihiroSuda AkihiroSuda force-pushed the AkihiroSuda:rootless-map-subuid branch from 9eecb7d to 1e44f9e May 30, 2018
@AkihiroSuda AkihiroSuda force-pushed the AkihiroSuda:rootless-map-subuid branch 2 times, most recently from c4ab5c9 to b3069aa Jun 9, 2018
@AkihiroSuda
Copy link
Member Author

@AkihiroSuda AkihiroSuda commented Jun 9, 2018

Removed CLI and added godoc ,as this seems controversial, although already used in img and rootless BuildKit.

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
@AkihiroSuda
Copy link
Member Author

@AkihiroSuda AkihiroSuda commented Jun 15, 2018

rebased

@AkihiroSuda AkihiroSuda force-pushed the AkihiroSuda:rootless-map-subuid branch from b3069aa to 898ae8c Jun 15, 2018
@AkihiroSuda
Copy link
Member Author

@AkihiroSuda AkihiroSuda commented Jun 27, 2018

Any thought?

//
// When running in userns, MapAllSubIDs is ignored and
// /proc/self/[ug]id_map entries are used.
MapAllSubIDs bool

This comment has been minimized.

@AkihiroSuda

AkihiroSuda Jun 28, 2018
Author Member

I'm going to add more options such as KeepNetworkNamespace as well after this PR gets merged.

//
// MapAllSubIDs requires newuidmap(1) and newgidmap(1) with suid bit.
//
// When running in userns, MapAllSubIDs is ignored and

This comment has been minimized.

@AkihiroSuda

AkihiroSuda Jul 4, 2018
Author Member

As this is very confusing, I'm temporary closing this PR.

Please also see #1837

@AkihiroSuda AkihiroSuda closed this Jul 4, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants
You can’t perform that action at this time.