Add a uid/gid flag to spawn a container with non-zero uid/gid. #28
Doesn't look like the |
Yes: JuliaLang/Pkg.jl#2500. You should have a separate |
dab6d48 to 23a479a
Doesn't seem to help here. |
Maybe this is relevant? |
Ah, yes, so that's setting a global preferences. Seems pretty hacky, at this point we could just run |
eacc0dd to c9f9a4c
OK, only legit failures now. |
OK, all done. How do we want to proceed here? Merge with failures, rebuild UserNSSandbox_jll, and re-run CI to verify? |
@staticfloat, re. #24 (comment), I take it you're opposed to this? I don't see an alternative though, |
Actually, I didn't really think that the patch to |
I thought having a single user helped with mapping permissions 🤔 |
Indeed it does, but this nicely dodges the problem by keeping things as a single-user system, it just allows using a UID that is nonzero. I think we will want to have the BB sandbox default to using the same numeric ID as the originating user, which will even allow us to avoid the |
It doesn't preserve permissions, resulting in 0700 (instead of 0755) dirs in the rootfs. This breaks in combination with non-0 uid/gid.
I'm quite happy with this, with the one exception that using I guess we can work towards that in the future, in the |
Turns out tar behaves differently when id==0 -- habitat-sh/builder#365 (comment), which doesn't work in the single-user containers we spawn (breaking BinaryProvider) -- so add an option to create a user map that uses a different uid/gid.

Fixes #24
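
How a single-user map with a non-zero uid/gid can be set up on Linux, as an added example that is not code from this pull request or the project. The function names and the inner id 1000 are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Format one uid_map/gid_map line: "<id inside> <id outside> <count>". */
int format_id_map(char *buf, size_t len, unsigned inner, unsigned outer) {
    int n = snprintf(buf, len, "%u %u 1\n", inner, outer);
    return (n > 0 && (size_t)n < len) ? n : -1;
}

/* Write the whole string in one write(); the map files accept a single write. */
static int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Enter a new user namespace where the caller appears as inner_uid:inner_gid
 * (hypothetical helper; still a single-user system, just not id 0). */
int enter_single_user_ns(unsigned inner_uid, unsigned inner_gid) {
    char map[64];
    uid_t outer_uid = geteuid(); /* read before unshare(): unmapped ids show as overflow ids */
    gid_t outer_gid = getegid();
    if (unshare(CLONE_NEWUSER) != 0) return -1;
    /* An unprivileged caller must deny setgroups before gid_map is writable. */
    if (write_file("/proc/self/setgroups", "deny") != 0) return -1;
    if (format_id_map(map, sizeof map, inner_gid, outer_gid) < 0) return -1;
    if (write_file("/proc/self/gid_map", map) != 0) return -1;
    if (format_id_map(map, sizeof map, inner_uid, outer_uid) < 0) return -1;
    return write_file("/proc/self/uid_map", map);
}

int main(void) {
    /* 1000:1000 is a constructed sample id, not a value from the PR. */
    if (enter_single_user_ns(1000, 1000) != 0) { perror("user namespace"); return 1; }
    printf("uid=%u gid=%u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```
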