containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Rootless podman as root #23702

Open deliciouslytyped opened 1 month ago

deliciouslytyped commented 1 month ago

I would like to run rootless podman as root for various reasons. It would be nice if rootless meant "user agnostic", and not "will run as any user, but will refuse to run as root".

This would be currently useful while I try to do stuff in nested containers.

(I have a similar problem with rootless docker, which also seems to hardcode the assumption that it's not running as root, and will refuse to run as root, saying as much.)

One of the difficulties is that podman running as root straight up assumes the global root writable paths for everything, and makes it harder if not outright impossible to set up a more "isolated" environment by doing something like changing the HOME variable. Not all paths can be changed with config variables even.

From a user-facing side this would be nice for consistency, but isolation handling may need additional consideration, so really there are three or four cases (?): rootful root, rootless root with privs, rootless root with privs dropped, and rootless?

rhatdan commented 1 month ago

rootless podman and rootful podman are the same thing; there is no configuration to do, it is just based on the user who runs them. If you want to run non-root users within a rootful podman, that is easy.

github-actions[bot] commented 7 hours ago

A friendly reminder that this issue had no activity for 30 days.

deliciouslytyped commented 2 hours ago

Time flies. I've been meaning to get into this in more detail, of course ENOT(M)IME, but one of my configuration "issues" was that when running as root, podman immediately assumed the global system-wide configuration for something, I think it was the ?storage? location, and I checked the code and there was IIRC no way to override this.

Specifically, I think I was trying to run podman in something like unshare -U -r, without doing a whole lot of setup, and of course with this, you want to be doing stuff in "root"'s home directory like rootless podman, not in something like /var/lib/containers, because you aren't real root. Alternatively you configure everything to not use the global directories with the conf files, IIRC this is what has issues, or you go and make a pivot_root / start bind mounting stuff etc.
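The scenario in the comment above (uid 0 inside a user namespace created by `unshare -U -r`, which should not be allowed to touch /var/lib/containers) can be handled from the outside by telling podman where its storage lives before it starts. The script below is an added example, not code from the issue or from the podman project. It assumes that /proc/self/uid_map is a usable signal: real root in the initial user namespace sees the single mapping `0 0 4294967295`, while uid 0 under `unshare -U -r` sees something like `0 1000 1`. The `CONTAINERS_STORAGE_CONF` environment variable and the `[storage]` keys `driver`, `graphroot` and `runroot` are real containers/storage configuration; the function names and the `--apply` switch are this example's own.

```shell
#!/bin/sh
# Added example: pick a podman storage root based on whether "root" is
# real root or a uid-0 mapped inside a user namespace, then render a
# private storage.conf instead of letting podman fall back to
# /var/lib/containers. Not part of the podman project.

# is_real_root_map <uid_map contents>
# Returns 0 only for the initial user namespace's identity mapping.
# "0 1000 1" (unshare -U -r) or multi-line subuid mappings return 1.
is_real_root_map() {
    normalized=$(printf '%s' "$1" | tr -s ' \t' ' ' | sed 's/^ //;s/ $//')
    case "$normalized" in
        "0 0 4294967295") return 0 ;;
        *) return 1 ;;
    esac
}

# choose_graph_root <euid> <uid_map contents> <home>
# Prints the graphroot to use: the system-wide path only for genuine
# root, a $HOME-local path for everyone else (including "fake" root).
choose_graph_root() {
    euid=$1
    uid_map=$2
    home=$3
    if [ "$euid" -eq 0 ] && is_real_root_map "$uid_map"; then
        printf '%s\n' /var/lib/containers/storage
    else
        printf '%s\n' "$home/.local/share/containers/storage"
    fi
}

# render_storage_conf <graphroot> <runroot> [driver]
# Emits a minimal storage.conf. "overlay" is the usual driver; "vfs" is
# the fallback when overlay is not usable inside a nested namespace.
render_storage_conf() {
    cat <<EOF
[storage]
driver = "${3:-overlay}"
graphroot = "$1"
runroot = "$2"
EOF
}

# main: inspect the current process, write the config to a temp file and
# print the export line a caller can eval before running podman.
main() {
    euid=$(id -u)
    # Constructed default for non-Linux hosts where /proc is absent.
    uid_map=$(cat /proc/self/uid_map 2>/dev/null || echo "0 0 4294967295")
    graphroot=$(choose_graph_root "$euid" "$uid_map" "${HOME:-/root}")
    runroot="${XDG_RUNTIME_DIR:-/tmp}/containers-$euid"
    conf=$(mktemp -t storage.conf.XXXXXX)
    render_storage_conf "$graphroot" "$runroot" > "$conf"
    echo "export CONTAINERS_STORAGE_CONF=$conf"
    cat "$conf"
}

# Side effects only when explicitly requested, so the functions can be
# sourced and reused without writing anything.
case "${1:-}" in
    --apply) main ;;
esac
```

Run it as `sh storage-root.sh --apply` inside the `unshare -U -r` shell and `eval` the printed export line; podman then reads the private `graphroot`/`runroot` from `CONTAINERS_STORAGE_CONF` instead of assuming the global paths. The same values can be passed per invocation with `podman --root` and `--runroot` if a config file is not wanted.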