Background
The ilab command is wrapped by an ilab script which launches ilab inside a podman container.
Issue
Since the ilab container image is pulled during the bootc image build process using the root user, the image is not accessible to non-root users.
Solution
We run the container as sudo in order to be able to access the root container storage. But for security reasons we map root UID 0 inside the container to the current user's UID (and all the other subuids to the user's /etc/subuid range) so that we're effectively running the container as the current user.
Additional changes
Changed "--env" "HOME" to "--env" "HOME=$HOME" to pass the HOME environment variable from the current shell and not from the sudo environment.
Future work
In the future, we will run podman as the current user, once we figure out a reasonable way for the current user to access the root user's container storage.
Solves RHELAI-740
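The mapping described under Solution, sketched as an added example that is not the project's ilab wrapper: container UID 0 maps to the invoking user's UID, and container UIDs from 1 upward map to that user's ranges in /etc/subuid. The function names and the image argument are assumptions; the same helper works for `--gidmap` with /etc/subgid.

```shell
#!/bin/sh
# Added example; build_idmap_flag and preview_ilab_command are hypothetical names.

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# build_idmap_flag FLAG USER HOST_ID SUBID_FILE
# Prints e.g. "--uidmap 0:1000:1 --uidmap 1:100000:65536" on one line.
# Only entries keyed by login name are matched.
build_idmap_flag() {
    local flag="$1" user="$2" host_id="$3" subid_file="$4"
    local name start count next=1 found=0 out

    is_uint "$host_id" || { echo "invalid id: $host_id" >&2; return 1; }
    # If the caller is already root, 0:0:1 would hand the container real root.
    [ "$host_id" -ne 0 ] || { echo "refusing to map host id 0" >&2; return 1; }

    # Container root becomes the invoking user.
    out="$flag 0:${host_id}:1"
    # Remaining container IDs come from the user's subordinate ranges.
    while IFS=: read -r name start count || [ -n "$name" ]; do
        [ "$name" = "$user" ] || continue
        is_uint "$start" || continue
        is_uint "$count" || continue
        out="$out $flag ${next}:${start}:${count}"
        next=$((next + count))
        found=1
    done < "$subid_file"

    [ "$found" -eq 1 ] || { echo "no range for $user in $subid_file" >&2; return 1; }
    echo "$out"
}

# Compose (but do not run) the wrapper command for the invoking user.
# IMAGE is a placeholder argument; the page does not name the image.
preview_ilab_command() {
    local user="$1" uid="$2" subuid_file="$3" image="$4" umap
    umap=$(build_idmap_flag --uidmap "$user" "$uid" "$subuid_file") || return 1
    # HOME=$HOME is expanded here, in the caller's shell, before sudo runs,
    # so the container sees the user's home and not the sudo environment's.
    echo "sudo podman run --rm -it $umap --env HOME=$HOME $image"
}
```

Refusing host ID 0 matters because the wrapper already runs podman through sudo: without that check, a root caller would get an identity mapping and a container with real root.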