Closed BinaryKhaos closed 1 year ago
I think you’ve hit the nail on the head: this requires idmap, but the kernel restricts this to root for the moment. There is talk of relaxing this restriction, but I don’t think this is going to happen any time soon, unfortunately. Until then, root and chown are the only option.
On Mon, Mar 13, 2023 at 09:41 Matthias Dahl @.***> wrote:
I apologize in advance for misusing the issue tracker (which I would normally frown upon myself and also refrain from doing), but I asked this ages ago on the Discord channel and never received any feedback, and all my own research did not lead me to any real solution or good information on that subject. :-(
Given the following situation:
- rootless podman
- userns=auto (so $UID is not mapped into the container at all)
- inside container: commands run as non-root user
How can I share directories/files seamlessly (without hefty ACL trickery and group magic that does not scale, without r(w) access for all, and without chowning the directory)?
An idmap (rbind) mount would be ideal but, if I read fs/namespace.c in the kernel sources correctly, that still requires CAP_SYS_ADMIN which kinda defeats the purpose of it all. I tried somehow getting this to work with (fuse) overlayfs but I got nowhere thus far.
Is there any way to do this at all with rootless podman or is running podman as root the only solution?
podman info:
```yaml
host:
  arch: amd64
  buildahVersion: 1.29.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: app-containers/conmon-2.1.6
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.1.6, commit: v2.1.6'
  cpuUtilization:
    idlePercent: 81.48
    systemPercent: 5.03
    userPercent: 13.49
  cpus: 8
  distribution:
    distribution: gentoo
    version: "2.13"
  eventLogger: journald
  hostname: TARDIS
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.2.2-230307-r1
  linkmode: dynamic
  logDriver: journald
  memFree: 15840677888
  memTotal: 33596272640
  networkBackend: cni
  ociRuntime:
    name: crun
    package: app-containers/crun-1.8.1
    path: /usr/bin/crun
    version: |-
      crun version 1.8.1
      commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: app-containers/slirp4netns-1.2.0
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 6h 52m 38.00s (Approximately 0.25 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: docker.io
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io
    PullFromMirror: ""
  localhost:5000:
    Blocked: false
    Insecure: true
    Location: localhost:5000
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: localhost:5000
    PullFromMirror: ""
  search:
  - docker.io
  - quay.io
  - registry.fedoraproject.org
store:
  configFile: /home/matthew/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: sys-fs/fuse-overlayfs-1.10
      Version: |-
        fusermount3 version: 3.14.0
        fuse-overlayfs: version 1.10
        FUSE library version 3.14.0
        using FUSE kernel interface version 7.38
  graphRoot: /home/matthew/.local/share/containers/storage
  graphRootAllocated: 1978033311744
  graphRootUsed: 759315042304
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/matthew/.local/share/containers/storage/volumes
version:
  APIVersion: 4.4.1
  Built: 1676880362
  BuiltTime: Mon Feb 20 09:06:02 2023
  GitCommit: 34e8f3933242f2e566bbbbf343cf69b7d506c1cf
  GoVersion: go1.20.1
  Os: linux
  OsArch: linux/amd64
  Version: 4.4.1
```
— Reply to this email directly or view it on GitHub: https://github.com/containers/podman/issues/17753
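The reply above comes down to ID arithmetic: with rootless podman every container UID is translated through the user's subordinate range, and with `--userns=auto` a second mapping sits inside that one, so the host `$UID` has no entry at all. The script below is an added example for this thread, not code from the thread or from the podman project. It takes the rootless `uidmap` from the `podman info` output quoted above and walks a UID through both mappings, which tells you what a `chown` of a shared directory must target and why the host user shows up as the overflow UID inside the container. The inner `AUTO_MAP` (`0 1024 1024`) is an assumption for illustration; podman chooses the real offset and size for a `--userns=auto` container, and you would read it from `/proc/<pid>/uid_map` of a running container.

```shell
#!/bin/sh
# Added example for this podman thread; not code from the thread or from podman.
# Walks a UID through the user-namespace mappings discussed above to show
#   (a) which host UID owns files written by a given container user, i.e. what
#       a chown of a shared directory has to target, and
#   (b) why the host $UID is simply absent inside a --userns=auto container.
#
# Map lines use the /proc/<pid>/uid_map layout: <inside_id> <outside_id> <count>.

# Outer (rootless podman) mapping, copied from the idMappings block of the
# `podman info` output quoted in this thread.
ROOTLESS_MAP='0 1000 1
1 100000 65536'

# Inner mapping for one --userns=auto container. ASSUMED for illustration:
# podman picks the real offset and size. Here the container's IDs 0..1023 are
# taken from the rootless namespace at 1024..2047.
AUTO_MAP='0 1024 1024'

# inside_to_outside MAP ID
# Prints ID as seen one namespace level further out, or "unmapped" (exit 1).
inside_to_outside() {
    id=$2
    while read -r cid oid cnt; do
        [ -n "$cid" ] || continue
        if [ "$id" -ge "$cid" ] && [ "$id" -lt $((cid + cnt)) ]; then
            echo $((oid + id - cid))
            return 0
        fi
    done <<EOF
$1
EOF
    echo unmapped
    return 1
}

# outside_to_inside MAP ID
# Reverse lookup. An outer ID that no range covers is shown by the kernel as
# the overflow UID/GID, 65534 ("nobody") by default; exit 1 in that case.
outside_to_inside() {
    id=$2
    while read -r cid oid cnt; do
        [ -n "$cid" ] || continue
        if [ "$id" -ge "$oid" ] && [ "$id" -lt $((oid + cnt)) ]; then
            echo $((cid + id - oid))
            return 0
        fi
    done <<EOF
$1
EOF
    echo 65534
    return 1
}

# host_uid_for_container_uid CUID: container -> rootless namespace -> host.
host_uid_for_container_uid() {
    mid=$(inside_to_outside "$AUTO_MAP" "$1") || { echo unmapped; return 1; }
    inside_to_outside "$ROOTLESS_MAP" "$mid"
}

# container_uid_for_host_uid HUID: host -> rootless namespace -> container.
container_uid_for_host_uid() {
    mid=$(outside_to_inside "$ROOTLESS_MAP" "$1") || { echo 65534; return 1; }
    outside_to_inside "$AUTO_MAP" "$mid"
}

echo "container uid 1000 writes files owned by host uid $(host_uid_for_container_uid 1000)"
echo "host uid 1000 (\$UID) appears inside the container as uid $(container_uid_for_host_uid 1000)"
echo "from 'podman unshare', chown to rootless-namespace uid $(inside_to_outside "$AUTO_MAP" 1000)"
```

Under the assumed inner map, container UID 1000 lands on host UID 102023, and host UID 1000 comes back as 65534 inside the container, which is the situation the question describes. Because the rootless user cannot chown to 102023 directly, the practical form of the "chown" route is `podman unshare chown 2024:2024 <dir>`, i.e. chown inside the rootless namespace to the intermediate ID the inner map expects; the number only holds for the mapping podman actually allocated, so read it from the running container rather than hard-coding it.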
Sigh. Thanks. I was afraid there was not much else to do, except for some hefty ACL trickery and such. Would have been nice if at least there was a way to get this working with overlayfs or some other trick.
Guess I will have to completely re-think my plans and come up with some alternatives. Running rootful podman as a non-root user via sudo is not very appealing to me, since it comes with its own share of problems and possible security issues that I was trying to avoid.