NixOS / nixpkgs

Nix Packages collection & NixOS

Include support for rootless container and user creation in oci-containers #112902

Open bryanasdev000 opened 3 years ago

bryanasdev000 commented 3 years ago

Describe the bug

In the current mode with podman, we define the specifications of our container and it comes up as the root user; ideally it would have a podman user or, even better, one user per container. This would help with abstraction and allow executing the containers with a service view.

To Reproduce

Steps to reproduce the behavior:

1. Add this to your configuration.nix:

   ```nix
   virtualisation.oci-containers.backend = "podman";
   virtualisation.oci-containers.containers = {
     tester = {
       image = "pengbai/docker-supermario";
       ports = [ "8090:8080" ];
     };
   };
   ```

2. `nixos-rebuild switch`
3. `ps aux | grep mario`

Mario container will be running as root.

Expected behavior

Mario container will be running under user podman or podman-tester (podman+container name).

Notify maintainers

@adisbladis

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 5.10.10-zen1, NixOS, 21.03pre268835.8c8731330b5 (Okapi)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.10`
 - channels(root): `"nixos-21.03pre268835.8c8731330b5, home-manager"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Maintainer information:

```
# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module: oci-containers
```

adisbladis commented 3 years ago

While I agree with the issue I don't think it's possible to do this in a way that's also compatible with the docker backend.

bryanasdev000 commented 3 years ago

> While I agree with the issue I don't think it's possible to do this in a way that's also compatible with the docker backend.

Perhaps. Docker 20.10 supports rootless mode; despite having some limitations it seems usable. (https://docs.docker.com/engine/security/rootless/)

But would it be a problem to have this only for Podman?

adisbladis commented 3 years ago

> But would it be a problem to have this only for Podman?

No, but no other options are only supported by one backend at the moment. Ideally we'd only have options compatible with both.

> Perhaps. Docker 20.10 supports rootless mode; despite having some limitations it seems usable.

That's news to me. Great!

bryanasdev000 commented 3 years ago

> > But would it be a problem to have this only for Podman?
>
> No, but no other options are only supported by one backend at the moment. Ideally we'd only have options compatible with both.
>
> > Perhaps. Docker 20.10 supports rootless mode; despite having some limitations it seems usable.
>
> That's news to me. Great!

I will try to run some tests here, are you okay with one user per container?

adisbladis commented 3 years ago

> I will try to run some tests here, are you okay with one user per container?

Couldn't we just run them with systemd's DynamicUser feature? It may be that this is not possible because of subuid/subgid requirements.

cc @saschagrunert

bryanasdev000 commented 3 years ago

> > I will try to run some tests here, are you okay with one user per container?
>
> Couldn't we just run them with systemd's DynamicUser feature? It may be that this is not possible because of subuid/subgid requirements.
>
> cc @saschagrunert

Hmm, thanks for the dose of knowledge, I didn't know about the dynamic user.

However, I believe that, at first, it would not work for containers with volumes, correct?

I imagine that we would have many *IDs in the equation.

saschagrunert commented 3 years ago

Hm, maybe this feature could help us here: https://github.com/containers/podman/issues/7778

> > But would it be a problem to have this only for Podman?
>
> No, but no other options are only supported by one backend at the moment. Ideally we'd only have options compatible with both.

I think this is a blocker for now.

bryanasdev000 commented 3 years ago

> Hm, maybe this feature could help us here: containers/podman#7778
>
> > > But would it be a problem to have this only for Podman?
> >
> > No, but no other options are only supported by one backend at the moment. Ideally we'd only have options compatible with both.
>
> I think this is a blocker for now.

I didn't understand, in this case, how it would look if I used two replicas of the same container; would they conflict with the volume's UID?

And I understood the Docker issue; it would be, at first, an exclusive feature of Podman.

I will run some tests with the rootless docker.

bryanasdev000 commented 3 years ago

I think a service account for general management is also a possibility, for example, a podman and docker user.

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

bryanasdev000 commented 3 years ago

Up.

stale[bot] commented 2 years ago

I marked this as stale due to inactivity.

dzmitry-lahoda commented 2 years ago

Some scripts use docker as a build system, so it would be a fast track for nixification before going nix-deep.

claes commented 2 years ago

Related: https://github.com/NixOS/nixpkgs/issues/138423

felixsanz commented 1 year ago

Is it not possible to just add an option like `podmanUser: "1000:100";` and use that User inside systemd's generated service file? The podman run command will be executed by the user specified in that option.
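What felixsanz describes (a host user set via `User=` in the unit) combined with the subuid/subgid ranges adisbladis mentions, written out by hand for the `tester` container from the report; this is an added example, not code from this issue or from the nixpkgs oci-containers module, and the user name `podman-tester`, the UID/GID ranges and the paths are assumptions.

```nix
# Added example (not from the issue or nixpkgs): one dedicated host user per
# container, the container started by a system unit running as that user.
{ pkgs, ... }:
{
  virtualisation.podman.enable = true;

  # Rootless podman needs a subuid/subgid range for the host user: UIDs inside
  # the container map into this unprivileged range instead of onto root. The
  # mapping is done through the setuid newuidmap/newgidmap wrappers NixOS ships.
  users.groups.podman-tester = { };
  users.users.podman-tester = {
    isSystemUser = true;
    group = "podman-tester";
    home = "/var/lib/podman-tester";  # rootless image storage lives under $HOME
    createHome = true;
    subUidRanges = [ { startUid = 100000; count = 65536; } ];   # assumed range
    subGidRanges = [ { startGid = 100000; count = 65536; } ];   # assumed range
  };

  # One unit per container, run as that container's dedicated user.
  systemd.services.podman-tester = {
    description = "Rootless podman container: tester";
    wantedBy = [ "multi-user.target" ];
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    # Rootless podman keeps runtime state under $XDG_RUNTIME_DIR;
    # RuntimeDirectory= creates /run/podman-tester owned by the service user.
    environment.XDG_RUNTIME_DIR = "/run/podman-tester";
    serviceConfig = {
      User = "podman-tester";
      Group = "podman-tester";
      RuntimeDirectory = "podman-tester";
      WorkingDirectory = "/var/lib/podman-tester";
      Restart = "always";
      # Leading "-": systemd ignores the failure when no old container exists.
      ExecStartPre = "-${pkgs.podman}/bin/podman rm -f tester";
      # Host port 8090 is fine for an unprivileged user; ports below
      # net.ipv4.ip_unprivileged_port_start (1024 by default) are not.
      # If a bind-mounted volume is added, files the container writes are owned
      # by the mapped subuid (100000+) on the host; --userns=keep-id instead
      # keeps the host UID, which is the volume ownership question raised above.
      ExecStart = "${pkgs.podman}/bin/podman run --rm --name tester -p 8090:8080 docker.io/pengbai/docker-supermario";
      ExecStop = "${pkgs.podman}/bin/podman stop tester";
    };
  };
}
```

After `nixos-rebuild switch`, `ps -o user,cmd -C conmon` should show the container processes under `podman-tester` rather than root, which is the check the report's `ps aux | grep mario` step was making.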