--user flag not respected under (rootless) podman

containers / libkrun

A dynamic library providing Virtualization-based process isolation capabilities

Apache License 2.0

898 stars 74 forks source link

--user flag not respected under (rootless) podman #123

Open smithfred opened 1 year ago

smithfred commented 1 year ago

Regardless of the value of --user, pods started with (rootless) podman + krun have a UID/GID of 0 within the container.

krun:

> podman --runtime=krun run --user=1000:1000 --rm -it registry.fedoraproject.org/fedora sh -c 'id -u; id -g'
0
0

Another runtime (crun):

> podman --runtime=crun run --user=1000:1000 --rm -it registry.fedoraproject.org/fedora sh -c 'id -u; id -g'
1000
1000

slp commented 1 year ago

Yes, not all container semantics are supported in libkrun, but this one should be relatively easy to adopt. Could you please explain a bit the use case?

smithfred commented 1 year ago

In general terms, this article covers a lot of the reasons for container images to still use a different user account even in rootless mode.

For me specifically, I was using a 3rd-party containerised application that was configured to run as a non-root user witin the container. Edit: and more generally, 3rd-party containers that have been secured this way (with the expectation that they might be run under a rootful runtime), will break under libkrun otherwise.