Closed r10r closed 3 years ago
There is a nice writeup for podman explaining the UID/GID limit https://www.redhat.com/sysadmin/rootless-podman
We just use etc/passwd provided by busybox buildroot upstream. Here is the commit where they chose 65534: https://git.busybox.net/buildroot/commit/?id=9c67af2c524ad2b6585af2f5e43f76dacd7cc109.
Running containers via a rootless daemon is still very new and rough, so I don't think it is something we should use to patch upstream source.
Agreed -- this was definitely an intentional choice by busybox/buildroot upstream. I'd suggest the best fix is probably modifying your host's configuration to provide a larger range for your rootless containers.
@yosifkit Thanks for the pointer.
> I'd suggest the best fix is probably modifying your host's configuration to provide a larger range for your rootless containers.
@tianon You're right - I tried - but until now I didn't succeed :(
But maybe it's interesting that other images just work fine, because they either use / or a non-existing directory as home for nobody.
docker.io/library/archlinux:latest: nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
docker.io/library/alpine:latest: nobody:x:65534:65534:nobody:/:/sbin/nologin
docker.io/library/ubuntu:latest: nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
So it seems that the issue will come up in all those images if the nobody user or group ever has ownership of a file or folder.
Right. But I really wonder why an image should contain any files with nobody as owner at all?
I'm quite new to rootless containers, so maybe someone more experienced should take a look at this.
@thisguy726 Why did you reference this issue?
Hi there,
I'm playing around with rootless buildah to build images. Buildah is running itself in a rootless container with a limited set of uids/gids (65536) available. While building alpine images works fine I got an error when trying to build a simple container based on docker.io/library/busybox:latest.
Running tar --numeric-owner -tvf busybox.tar.xz on https://github.com/docker-library/busybox/raw/2bcc4bf56c2a4594aa31feb8b42d5eab76d168bb/stable/uclibc/busybox.tar.xz reveals that /home has indeed owner/group set to 65534/65534.
Is there a reason for that?
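A quick way to answer "will this layer extract inside my rootless user namespace?" before building is to list every tar entry whose numeric uid or gid falls outside the ids the namespace can map. The script below is an added example, not code from this thread or from the busybox/buildah projects. It constructs a tiny in-memory tar that mimics the layer discussed (a /home directory owned by 65534) and checks it against an assumed namespace size; the helper names (`build_sample_layer`, `find_unmappable`) and the id counts are assumptions for illustration. Point it at the real busybox.tar.xz to check the actual layer.

```python
import io
import sys
import tarfile

NOBODY = 65534  # the uid/gid buildroot assigns to "nobody", as in the linked commit


def build_sample_layer():
    """Constructed sample layer: mostly root-owned, with /home owned by nobody."""
    entries = [
        ("bin", 0, 0, True),
        ("bin/busybox", 0, 0, False),
        ("etc/passwd", 0, 0, False),
        ("home", NOBODY, NOBODY, True),  # the entry that breaks a small namespace
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, uid, gid, is_dir in entries:
            info = tarfile.TarInfo(name)
            info.uid, info.gid = uid, gid
            if is_dir:
                info.type = tarfile.DIRTYPE
                info.mode = 0o755
                tar.addfile(info)
            else:
                data = b"placeholder\n"  # constructed file content
                info.size = len(data)
                info.mode = 0o644
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_unmappable(tar_bytes, id_count):
    """Return (name, uid, gid) for entries that a user namespace mapping
    container ids 0..id_count-1 cannot represent.

    A rootless namespace with id_count ids (65536 is the usual default)
    maps 0..id_count-1; chown to anything above fails on extraction.
    """
    offending = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.uid >= id_count or member.gid >= id_count:
                offending.append((member.name, member.uid, member.gid))
    return offending


def main(argv):
    # Usage: python check_layer.py [layer.tar(.xz|.gz)] [id_count]
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            layer = fh.read()
    else:
        layer = build_sample_layer()
    id_count = int(argv[2]) if len(argv) > 2 else 65536
    bad = find_unmappable(layer, id_count)
    for name, uid, gid in bad:
        print(f"{name}: uid={uid} gid={gid} exceeds namespace of {id_count} ids")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the default 65536-id mapping the sample passes, because 65534 is inside 0..65535; with a nested or deliberately smaller mapping (for example, a container that only received 1000 subordinate ids) the /home entry is reported, which is the situation the thread describes. Running the check against a layer before `buildah` extracts it turns a confusing mid-build chown error into an explicit list of entries to fix or a reason to enlarge the host's subuid/subgid range.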