boredazfcuk / docker-icloudpd

An Alpine Linux container for the iCloud Photos Downloader command line utility

[feature] support root user and group #525

Closed superwushu closed 2 months ago

superwushu commented 3 months ago

Rootless containers (rootless docker, podman, etc.) are nowadays widely used. With rootlesskit, the root user in a container is mapped to a regular host user. Non-root users in the container are mapped to some non-existing uids in the host namespace. So it's not only unnecessary to enforce non-root user/group, but also a hindrance in host-container UID mapping. Allowing root user will be a nice improvement to rootless containers.

boredazfcuk commented 3 months ago

Using the root account for non-root operations is bad practice.

Also, this container is designed so that it can be run in multiple instances, writing to multiple user home directories on the same host, and uses user switching to match user UIDs to the destination UIDs of the target file system.

If the rootless container platform is running as UID 1024 (for example), then all containers will be using that ID. This will prevent the container from mapping its UIDs to different accounts on the host. E.g. if I have containers named icloudpd_1, icloudpd_2, icloudpd_3 all running on the same host, they will all be running in the UID 1024 user namespace, preventing the containers from writing to a filesystem structure owned by UID 1111, 2222, 3333 etc.

I suggest either disabling rootless mode, or seeing if it's possible to map the UID which is operating inside the container to a matching UID on the host.
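To make the UID arithmetic behind both comments concrete, here is an added shell example; it is not code from docker-icloudpd or from either commenter. It models the kernel's `uid_map` format (`<first UID inside the namespace> <first UID on the host> <count>`, as seen in `/proc/self/uid_map`) with a constructed map for a rootless daemon running as host UID 1024 and an assumed `/etc/subuid` range of `100000:65536`. The helper names `container_to_host`, `host_to_container` and `can_match_owner` are hypothetical, written for this illustration:

```shell
#!/bin/sh
# Added example, not part of docker-icloudpd. CONSTRUCTED uid_map for a rootless
# engine running as host UID 1024 with an assumed subuid range 100000:65536.
# Format, one range per line: <container start UID> <host start UID> <count>
UID_MAP='0 1024 1
1 100000 65536'

# Translate a container UID to the host UID it actually acts as.
# Prints "unmapped" when no range covers it (the kernel then shows the
# overflow UID, normally 65534, and writes are made as that UID).
container_to_host() {
    printf '%s\n' "$UID_MAP" | awk -v c="$1" '
        c >= $1 && c < $1 + $3 { print $2 + (c - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Reverse lookup: which container UID would be needed to act as host UID h?
# Prints "unreachable" when no range covers it. This is the maintainer's
# point: a directory owned by host UID 1111 cannot be written with matching
# ownership by any UID the container is able to switch to.
host_to_container() {
    printf '%s\n' "$UID_MAP" | awk -v h="$1" '
        h >= $2 && h < $2 + $3 { print $1 + (h - $2); found = 1; exit }
        END { if (!found) print "unreachable" }'
}

# Exit status 0 if some container UID maps onto the given host owner UID.
can_match_owner() {
    [ "$(host_to_container "$1")" != "unreachable" ]
}

# Demonstration for the issue's scenario: the daemon user (1024) plus three
# per-instance download directories owned by host UIDs 1111, 2222, 3333.
for owner in 1024 1111 2222 3333; do
    if can_match_owner "$owner"; then
        echo "host UID $owner: reachable as container UID $(host_to_container "$owner")"
    else
        echo "host UID $owner: unreachable from this rootless user namespace"
    fi
done
```

Only container UID 0 lands on the daemon's own host UID; every other container UID lands somewhere in the subuid range, so the per-instance user switching that the maintainer describes cannot reach host owners such as 1111 unless the engine's map is changed. On a real host, replace the constructed `UID_MAP` with the contents of `/proc/self/uid_map` read from inside the container to check a specific deployment.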