mtalexan
commented
1 year ago Maybe a better analogy: I'd like to be able to do more than just "hole-punch" some host users into the container, I'd like to actually "map" them in.
Open mtalexan opened 1 year ago
mtalexan
commented
1 year ago Maybe a better analogy: I'd like to be able to do more than just "hole-punch" some host users into the container, I'd like to actually "map" them in.
What is the problem you're trying to solve
Almost every container image is constructed with the requirement that the user within the container be the pre-defined one, which is usually UID=1000.
When the user on the host system is not UID=1000 (almost every corporate system, and many personal ones), it is often still necessary for the calling user's UID to be mapped into the container's namespace as UID 1000 so it matches the permissions and settings the container image was created with (presuming
--privilegedis also used).Describe the solution you'd like
Add support for the
--uidmapand--gidmapoptions to thenerdctl runsub-command, matching whatctrandpodmanalready have.Additional context
The
--useroption does NOT do this. That option instead changes the user used within the container namespace rather than allowing mapping to an existing one. At best this can be used with--privilegedto allow setting which host-system UID to use instead of the one the container image was built and designed for.