storage: Document force_mask UID 0 mapping requirement#742
storage: Document force_mask UID 0 mapping requirement#742ipilcher wants to merge 2 commits intocontainers:mainfrom
Conversation
Signed-off-by: Ian Pilcher <arequipeno@gmail.com>
|
And more importantly, thanks for the PR @ipilcher ! |
|
I seem to have bollixed everything up by hitting GitHub's "Commit suggestion" button. EDIT: I think I managed to fix it. |
Signed-off-by: Ian Pilcher <arequipeno@gmail.com> Co-authored-by: Tom Sweeney <tsweeney@redhat.com>
ipilcher
force-pushed
the
force_mask_uidmap_doc
branch
from
011492b to
526cbe9
Compare
| "force_mask" permissions. | ||
|
|
||
| - When force_mask is used in rootless mode with explicit UID mappings (e.g., `--uidmap`), the container's UID 0 must map to the host user's UID. fuse-overlayfs (see "mount_program" below) creates a FUSE mount that that is only accessible to the user who created it (the user running podman in this case). If UID 0 within the container is mapped to a different host UID (such as a subordinate UID from /etc/subuid), the OCI runtime (which runs in the user namespace) will not be able to access the FUSE mount. | ||
| - When force_mask is used in rootless mode with explicit UID mappings (e.g., `--uidmap`), the container's UID 0 must map to the host user's UID. The fuse-overlayfs (see "mount_program" below) storage driver creates a FUSE mount accessible only to the user who created it (the user running podman in this case). If UID 0 within the container is mapped to a different host UID (such as a subordinate UID from /etc/subuid), the OCI runtime (which runs in the user namespace) will not be able to access the FUSE mount. |
There was a problem hiding this comment.
fuse-overlayfs is a filesystem implementation, not a “storage driver” in the c/storage sense (overlay/vfs/btrfs). Maybe “filesystem”? “process”? Or revert to the previous version, which can be ambiguous about what exactly the thing is?
giuseppe
left a comment
giuseppe
left a comment
There was a problem hiding this comment.
The fuse-overlayfs process doesn't run inside the nested user namespace.
What error are you seeing?
I see an error if I map UID 0 to a subuid. If I map UID 0 to the UID of the user running podman, it works. |
|
Is it enough that the user is mapped into the user namespace (any id, not necessarily root)? |
It doesn't appear to be. |
|
what podman version are you using? Your command works on my Fedora Rawhide: I think we should treat this as an issue, and figure out why it doesn't work for you instead of documenting it |
I am running
Interesting!
I have created #764. |
|
Someone needs to look at it, so far nobody got to it. Are you interested to work on it? |
I don't understand what you're asking. I'm more than happy to help investigate what is going on, but I don't have the knowledge of the code base to figure it out on my own. |
|
sorry for not being clear. The point I was trying to make is that there is no promise with an open source project that someone is going to look at it quickly. It is an issue because we should expect it to work and not just document it is broken (as this PR does), so I think we should close this PR and wait that someone is going to dig into it. |
|
Turns out this was a bug/limitation in |
4 participants
force_maskdoesn't work in rootless mode when the container's UID 0 is mapped to something other than the host UID of the user running the container. This PR adds a note about this requirement tocontainers-storage.conf.5.md.