Skip to content

OSDOCS 16556 Linux User Namespace ID-mapped mount information #100433

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 17, 2025
Merged

OSDOCS 16556 Linux User Namespace ID-mapped mount information #100433

merged 1 commit into from
Oct 17, 2025

Conversation

@mburke5678
Copy link
Contributor

@mburke5678 mburke5678 commented Oct 13, 2025
edited
Loading

https://issues.redhat.com/browse/OSDOCS-16556

From thread in Slack.

Link to docs preview:
Running pods in Linux user namespaces -- New paragraph 4 and Note.

SME review:

QE review:

  • QE has approved this change.

@mburke5678 mburke5678 added this to the Planned for 4.20 GA milestone Oct 13, 2025
@openshift-ci openshift-ci bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Oct 13, 2025
@mburke5678 mburke5678 force-pushed the node-user-ns-known-issue branch from b0ca24c to f69ac7f Compare October 13, 2025 20:27
@ocpdocs-previewbot
Copy link

ocpdocs-previewbot commented Oct 13, 2025
edited
Loading

🤖 Fri Oct 17 12:39:39 - Prow CI generated the docs preview:

https://100433--ocpdocs-pr.netlify.app/openshift-enterprise/latest/nodes/pods/nodes-pods-user-namespaces.html

@mburke5678 mburke5678 changed the title Linux User Namespace ID-mapped mount inforation Linux User Namespace ID-mapped mount information Oct 13, 2025
@openshift openshift deleted a comment from ocpdocs-vale-bot Oct 14, 2025
@mburke5678
Copy link
Contributor Author

mburke5678 commented Oct 14, 2025

@haircommander PTAL

@haircommander
Copy link
Member

haircommander commented Oct 14, 2025

LGTM

@openshift openshift deleted a comment from ocpdocs-vale-bot Oct 14, 2025
@mburke5678 mburke5678 force-pushed the node-user-ns-known-issue branch from f69ac7f to fc327f4 Compare October 14, 2025 13:45
@mburke5678
Copy link
Contributor Author

mburke5678 commented Oct 15, 2025

@lyman9966 Peter Hunt suggested you could review this PR for us. We are hoping to get this in for 4.20. Thank you!

@openshift openshift deleted a comment from ocpdocs-vale-bot Oct 15, 2025
@lyman9966
Copy link

lyman9966 commented Oct 16, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 16, 2025
@mburke5678 mburke5678 force-pushed the node-user-ns-known-issue branch from fc327f4 to a8198fb Compare October 17, 2025 12:32
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 17, 2025
@openshift-ci
Copy link

openshift-ci bot commented Oct 17, 2025

New changes are detected. LGTM label has been removed.

@mburke5678 mburke5678 changed the title Linux User Namespace ID-mapped mount information OSDOCS Linux User Namespace ID-mapped mount information Oct 17, 2025
ocpdocs-vale-bot
ocpdocs-vale-bot reviewed Oct 17, 2025
View reviewed changes
nodes/pods/nodes-pods-user-namespaces.adoc
@@ -12,6 +12,13 @@ By default, a container runs in the host user namespace. Running a container in

Running containers in individual user namespaces can mitigate container breakouts and several other vulnerabilities that a compromised container can pose to other pods and the node itself.

When running a pod in an isolated user namespace, the UID/GID inside a pod container no longer matches the UID/GID on the host. In order for file system ownership to work correctly, the Linux kernel uses ID-mapped mounts, which translate user IDs between the container and the host at the virtual file system (VFS) layer.
Copy link
Collaborator

@ocpdocs-vale-bot ocpdocs-vale-bot Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 [error] Vale.Terms: Use 'VFs?' instead of 'VFS'.

@mburke5678 mburke5678 added the merge-review-needed Signifies that the merge review team needs to review this PR label Oct 17, 2025
@openshift-ci
Copy link

openshift-ci bot commented Oct 17, 2025

@mburke5678: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@mburke5678 mburke5678 changed the title OSDOCS Linux User Namespace ID-mapped mount information OSDOCS 16556 Linux User Namespace ID-mapped mount information Oct 17, 2025
@xenolinux xenolinux added merge-review-in-progress Signifies that the merge review team is reviewing this PR and removed merge-review-needed Signifies that the merge review team needs to review this PR labels Oct 17, 2025
xenolinux
xenolinux reviewed Oct 17, 2025
View reviewed changes
Copy link
Contributor

@xenolinux xenolinux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@xenolinux xenolinux removed the merge-review-in-progress Signifies that the merge review team is reviewing this PR label Oct 17, 2025
@xenolinux xenolinux merged commit 9e83629 into openshift:main Oct 17, 2025
2 checks passed
@xenolinux
Copy link
Contributor

xenolinux commented Oct 17, 2025

/cherrypick enterprise-4.20

@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented Oct 17, 2025

@xenolinux: new pull request created: #100733

In response to this:

/cherrypick enterprise-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Oct 17, 2025
Merged
@mburke5678 mburke5678 deleted the node-user-ns-known-issue branch October 17, 2025 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xenolinux xenolinux xenolinux left review comments

+1 more reviewer

@ocpdocs-vale-bot ocpdocs-vale-bot ocpdocs-vale-bot left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@lyman9966 lyman9966

Labels

branch/enterprise-4.20 size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

OCP 4.20 GA

Development

Successfully merging this pull request may close these issues.

7 participants

@mburke5678 @ocpdocs-previewbot @haircommander @lyman9966 @xenolinux @openshift-cherrypick-robot @ocpdocs-vale-bot