-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sharing (user owned) directory/files between rootless podman (userns=auto) and host #17753
Comments
I think you’ve hit the nail on the head: this requires idmap, but the
kernel restricts this to root for the moment. There is talk of relaxing
this restriction, but I don’t think this is going to happen any time soon,
unfortunately. Until then, root and chown are the only option.
…On Mon, Mar 13, 2023 at 09:41 Matthias Dahl ***@***.***> wrote:
I apologize in advance for misusing the issue tracker (which I normal
would frown upon myself and also refrain from doing) but I asked this ages
ago on the Discord channel and never received any feedback and all my own
research did not lead me to any real solution or good information on that
subject. :-(
Given the following situation:
- rootless podman
- userns=auto (so $UID is not mapped into the container at all)
- inside container: commands run as non-root user
How can I share directories/files seamlessly (without hefty ACL trickery
and group magic that does not scale nor without r(w) access for all nor
without chowning the directory)?
An idmap (rbind) mount would be ideal but, if I read fs/namespace.c in the
kernel sources correctly, that still requires CAP_SYS_ADMIN which kinda
defeats the purpose of it all. I tried somehow getting this to work with
(fuse) overlayfs but I got nowhere thus far.
Is there any way to do this at all with rootless podman or is running
podman as root the only solution?
podman info:
host:
arch: amd64
buildahVersion: 1.29.0
cgroupControllers:
- memory
- pids
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: app-containers/conmon-2.1.6
path: /usr/libexec/podman/conmon
version: 'conmon version 2.1.6, commit: v2.1.6'
cpuUtilization:
idlePercent: 81.48
systemPercent: 5.03
userPercent: 13.49
cpus: 8
distribution:
distribution: gentoo
version: "2.13"
eventLogger: journald
hostname: TARDIS
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
uidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
kernel: 6.2.2-230307-r1
linkmode: dynamic
logDriver: journald
memFree: 15840677888
memTotal: 33596272640
networkBackend: cni
ociRuntime:
name: crun
package: app-containers/crun-1.8.1
path: /usr/bin/crun
version: |-
crun version 1.8.1
commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
os: linux
remoteSocket:
path: /run/user/1000/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: false
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: app-containers/slirp4netns-1.2.0
version: |-
slirp4netns version 1.2.0
commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.4
swapFree: 0
swapTotal: 0
uptime: 6h 52m 38.00s (Approximately 0.25 days)
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries:
docker.io:
Blocked: false
Insecure: false
Location: docker.io
MirrorByDigestOnly: false
Mirrors: null
Prefix: docker.io
PullFromMirror: ""
localhost:5000:
Blocked: false
Insecure: true
Location: localhost:5000
MirrorByDigestOnly: false
Mirrors: null
Prefix: localhost:5000
PullFromMirror: ""
search:
- docker.io
- quay.io
- registry.fedoraproject.org
store:
configFile: /home/matthew/.config/containers/storage.conf
containerStore:
number: 0
paused: 0
running: 0
stopped: 0
graphDriverName: overlay
graphOptions:
overlay.mount_program:
Executable: /usr/bin/fuse-overlayfs
Package: sys-fs/fuse-overlayfs-1.10
Version: |-
fusermount3 version: 3.14.0
fuse-overlayfs: version 1.10
FUSE library version 3.14.0
using FUSE kernel interface version 7.38
graphRoot: /home/matthew/.local/share/containers/storage
graphRootAllocated: 1978033311744
graphRootUsed: 759315042304
graphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 1
runRoot: /run/user/1000/containers
transientStore: false
volumePath: /home/matthew/.local/share/containers/storage/volumes
version:
APIVersion: 4.4.1
Built: 1676880362
BuiltTime: Mon Feb 20 09:06:02 2023
GitCommit: 34e8f39
GoVersion: go1.20.1
Os: linux
OsArch: linux/amd64
Version: 4.4.1
—
Reply to this email directly, view it on GitHub
<#17753>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB3AOCAXHRCNZQ2AH3TBM3TW34PXPANCNFSM6AAAAAAVZC6OEE>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Sigh. Thanks. I was afraid there was not much else to do-- except for some hefty ACL trickery and such. Would have been nice if at least there was a way to get this working with overlayfs or some other trick. Guess I will have to completely re-think my plans and come up with some alternatives. Running rootful podman as non-root user via sudo is not very appealing to me since it comes with its own share of problems and possible securities issues that was trying to avoid. |
I apologize in advance for misusing the issue tracker (which I normal would frown upon myself and also refrain from doing) but I asked this ages ago on the Discord channel and never received any feedback and all my own research did not lead me to any real solution or good information on that subject. :-(
Given the following situation:
How can I share directories/files seamlessly (without hefty ACL trickery and group magic that does not scale nor without r(w) access for all nor without chowning the directory)?
An idmap (rbind) mount would be ideal but, if I read fs/namespace.c in the kernel sources correctly, that still requires CAP_SYS_ADMIN which kinda defeats the purpose of it all. I tried somehow getting this to work with (fuse) overlayfs but I got nowhere thus far.
Is there any way to do this at all with rootless podman or is running podman as root the only solution?
podman info:
The text was updated successfully, but these errors were encountered: