containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Podman Kube Play with --userns=auto - How to chown volumes? #22853

Open giuseppe opened 4 months ago

giuseppe commented 4 months ago

Discussed in https://github.com/containers/podman/discussions/22848

Originally posted by **MadSpindel** May 30, 2024

I'm trying to understand how I can use rootful containers with --userns=auto. I have a Kubernetes YAML spec generated with podman kube generate. The problem is, with hostUsers set to false, the HUSER could change UID and then it will not be possible for the pod to change files in the volume mount. How can I update the Kubernetes YAML spec to tell Podman to chown (change owner) of the volume to the new UID created with hostUsers: false?

My current Kubernetes YAML spec:

```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2024-05-15T07:29:14Z"
  labels:
    app: dns-server-pod
  name: dns-server-pod
spec:
  hostUsers: false
  containers:
  - args:
    - /etc/dns
    env:
    - name: DNS_SERVER_DOMAIN
      value: dns-server
    image: docker.io/technitium/dns-server:latest
    name: dns-server
    ports:
    - containerPort: 53
      hostPort: 53
    - containerPort: 5380
      hostPort: 5380
    - containerPort: 53
      hostPort: 53
      protocol: UDP
    volumeMounts:
    - mountPath: /etc/dns
      name: technitium_config-pvc
  volumes:
  - name: technitium_config-pvc
    persistentVolumeClaim:
      claimName: technitium_config
```
giuseppe commented 4 months ago

To follow what Kubernetes does upstream, we need to enforce idmap on each volume when hostUsers: false is used.

Luap99 commented 4 months ago

But idmap only works as root with the right filesystems? So what should podman do if idmap is not available?

giuseppe commented 4 months ago

Yes, idmap works only with root.

Not sure how this should be handled. Is it better to not follow what Kubernetes does in this case?

Maybe we could expect idmap to be an explicit option for the volume

Luap99 commented 4 months ago

Not sure but it would be confusing to have different behaviour depending on system and root vs rootless.

Setting mount options explicitly should already work AFAIK although not sure how the syntax looks today. Also for my understanding is hostUsers: false mapped to --userns=auto?

MadSpindel commented 3 months ago

From my perspective, as a simple user, I think it probably should work like Kubernetes if the right conditions are met. The criteria should be defined in the documentation. Then it's clear for everyone. I don't think it needs to support all the different edge cases.
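The ownership problem in the original question comes down to the user-namespace UID mapping that --userns=auto (hostUsers: false) installs: container UID 0 lands on an unprivileged host UID, and host files owned by an unmapped UID show up inside the container as the overflow user. The script below is an added example, not from the thread or the Podman project; it parses a uid_map in the /proc/<pid>/uid_map format (the sample map is constructed) so an operator can work out which host UID to chown a volume to, or how a host-owned file will look from inside the container.

```shell
#!/bin/sh
# Added example, not from the Podman project. Pure shell arithmetic over a
# uid_map so it runs without podman or root; see the comments at the end for
# feeding it a live container's map.
#
# uid_map lines are "<inside-start> <outside-start> <count>", meaning
# container UIDs [inside, inside+count) map to host UIDs [outside, outside+count).

# host_uid_for <container_uid> <uid_map_text>
# Prints the host UID that a container UID lands on, or "unmapped".
host_uid_for() {
    uid=$1
    result=unmapped
    while read -r inside outside count; do
        [ -n "$inside" ] || continue
        if [ "$uid" -ge "$inside" ] && [ "$uid" -lt $((inside + count)) ]; then
            result=$((outside + uid - inside))
            break
        fi
    done <<EOF
$2
EOF
    echo "$result"
}

# container_uid_for <host_uid> <uid_map_text>
# Prints how a file owned by <host_uid> appears inside the container. A host
# UID outside every range is shown as the kernel overflow UID (65534, the
# default in /proc/sys/kernel/overflowuid), which is why a volume chowned to an
# ordinary host user becomes "nobody" and unwritable for the container.
container_uid_for() {
    huid=$1
    result=65534
    while read -r inside outside count; do
        [ -n "$inside" ] || continue
        if [ "$huid" -ge "$outside" ] && [ "$huid" -lt $((outside + count)) ]; then
            result=$((inside + huid - outside))
            break
        fi
    done <<EOF
$2
EOF
    echo "$result"
}

# Constructed sample: --userns=auto handed this container 1024 IDs starting
# at host UID 2147483647. Root in the container is host UID 2147483647, so
# on the host the volume for /etc/dns would need: chown -R 2147483647 <dir>
SAMPLE_MAP="0 2147483647 1024"

# Live use (root only; container name follows the <pod>-<container> pattern):
#   pid=$(podman inspect --format '{{.State.Pid}}' dns-server-pod-dns-server)
#   host_uid_for 0 "$(cat /proc/$pid/uid_map)"
```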