podman play kube (and this quadlet) has no support for uid/gid mapping

[alexlarsson]

When using play kube from a systemd service file (e.g. with quadlet) it seems very useful to be able to set up some particular uid mappings. In particular, --userns=auto which podman run supports seem useful.

[vrothberg]

Do you envision a global setting for all containers, or do you desire fine-grained control over individual containers?

[alexlarsson]

Hmm, good question. Is it even possible to have different uid/gid mappings inside a single pod? I mean, podman pod create supports --userns=auto, what does that mean for the containers in that pod? Are all using that mapping, or is it the default for containers?

[vrothberg]

I never tried that. @giuseppe @rhatdan, do you know?

[rhatdan]

There is one user namespace. Working with containers in different User Namespaces inside the same pod is not currently supported. You would hit issues with conflicting files ownerships ... Shifting file systems might at some point make this possible, but still dealing with interprocess communication would be broken if root in one container is not root in a different container. Bottom line one user namespace per pod.

[alexlarsson]

That sounds about right to me. So we could extend the support of e.g. --userns=auto in pod create to kube play and then pass that from the quadlet generated CLI.

[ygalblum]

podman kube play already supports the --userns argument, accepting the same values as in podman run. What it doesn't support are --uidmap and --gidmap. But, do we need them?

[alexlarsson]

What it doesn't support are --uidmap and --gidmap. But, do we need them?

I would say not, they are just much more painful to use. --userns=auto has options similar to the anyway, except they are in addition to the automatic selection of the rest.

So, just steal the current RemapUsers=auto code from the .container support in quadlet.