Andre Nathan <andre(a)digirati.com.br> writes:
Hello
I'm trying to mount a volume in a rootful container using
--userns=auto. This is an NFS volume mounted on the host and then into
the container.
The container should have write access to the volume, so I'm using the
ID mapping options to map the volume owner's UID and GID to 0 in the user
namespace and in the mount parameters.
These are the NFS exports:
/srv 10.20.3.140/32(rw,fsid=0,no_subtree_check,sync)
/srv/home 10.20.3.140/32(rw,sync,nohide,no_subtree_check)
The NFS server's /home is bind-mounted on /srv/home. The client mounts
the NFS volume on its own /srv:
$ mount | grep nfs
10.20.3.137:/ on /srv type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.20.3.140,local_lock=none,addr=10.20.3.137)
# ls -l /srv/home
total 4
drwxr-x--- 5 local local 4096 Sep 19 17:36 local
The "local" user's UID and GID (this user was created on both machines
[NFS server and client] with the same UID and GID):
# grep local /etc/passwd
local:x:1000:1000:local:/home/local:/bin/bash
The command I'm using to start the container:
# podman run -d --rm --name foo \
--userns=auto:uidmapping=1000:0:1,gidmapping=1000:0:1 \
-v '/srv/home/local:/home/local:idmap=uids=1000-0-1;gids=1000-0-1' \
quay.io/libpod/alpine_nginx
This results in the following error:
Error: OCI runtime error: crun: mount_setattr `/home/local`: Invalid argument
Checking the man page for mount_setattr, there are a bunch of reasons
for it to fail with EINVAL, including "MOUNT_ATTR_IDMAP was specified
in attr_clr", so my question is, was this supposed to work?
If it wasn't, is there a way to achieve a writable NFS volume combined
with --userns=auto in a rootful container?
I'm using Ubuntu 22.04 with the Kubic packages:
idmap mounts, AFAICS, do not work with NFS. That is a limitation in the
kernel.
Looking at the Linux code, only a handful of file systems support idmapped
mounts:
$ git grep FS_ALLOW_IDMAP fs mm
fs/btrfs/super.c: FS_ALLOW_IDMAP | FS_MGTIME,
fs/erofs/super.c: .fs_flags = FS_REQUIRES_DEV | FS_ALLOW_IDMAP,
fs/ext4/super.c: .fs_flags = FS_REQUIRES_DEV | FS_ALLOW_IDMAP | FS_MGTIME,
fs/f2fs/super.c: .fs_flags = FS_REQUIRES_DEV | FS_ALLOW_IDMAP,
fs/fat/namei_msdos.c: .fs_flags = FS_REQUIRES_DEV | FS_ALLOW_IDMAP,
fs/fat/namei_vfat.c: .fs_flags = FS_REQUIRES_DEV | FS_ALLOW_IDMAP,
fs/namespace.c: if (!(m->mnt_sb->s_type->fs_flags & FS_ALLOW_IDMAP))
fs/ntfs3/super.c: .fs_flags = FS_REQUIRES_DEV | FS_ALLOW_IDMAP,
fs/squashfs/super.c: .fs_flags = FS_REQUIRES_DEV | FS_ALLOW_IDMAP,
fs/xfs/xfs_super.c: .fs_flags = FS_REQUIRES_DEV | FS_ALLOW_IDMAP | FS_MGTIME,
mm/shmem.c: .fs_flags = FS_USERNS_MOUNT | FS_ALLOW_IDMAP | FS_MGTIME,
# podman version
Client: Podman Engine
Version: 4.6.2
API Version: 4.6.2
Go Version: go1.18.1
Built: Thu Jan 1 00:00:00 1970
OS/Arch: linux/amd64
# podman info
host:
  arch: amd64
  buildahVersion: 1.31.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_100:2.1.2~0_amd64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.1.2, commit: '
  cpuUtilization:
    idlePercent: 99.99
    systemPercent: 0.01
    userPercent: 0.01
  cpus: 48
  databaseBackend: boltdb
  distribution:
    codename: jammy
    distribution: ubuntu
    version: "22.04"
  eventLogger: journald
  freeLocks: 2048
  hostname: local2
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.15.0-52-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 263899713536
  memTotal: 270361567232
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.6.0-0ubuntu22.04+obs34.25_amd64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.6.0
    package: netavark_1.3.0-0ubuntu22.04+obs22.9_amd64
    path: /usr/libexec/podman/netavark
    version: netavark 1.8.0-dev
  ociRuntime:
    name: crun
    package: crun_101:1.9-0ubuntu22.04+obs59.11_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.9
      commit: a538ac4ea1ff319bcfe2bf81cb5c6f687e2dc9d3
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 137h 41m 19.00s (Approximately 5.71 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 8340897792
  graphRootUsed: 6129999872
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.6.2
  Built: 0
  BuiltTime: Thu Jan 1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.18.1
  Os: linux
  OsArch: linux/amd64
  Version: 4.6.2
Thanks in advance,
Andre
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
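An added example, not part of the thread and not crun's or podman's code: a small C program that repeats the step crun failed at above, open_tree() on the directory followed by mount_setattr() with MOUNT_ATTR_IDMAP, so you can tell before starting the container whether the filesystem behind a path allows idmapped mounts at all. It assumes root in the initial user namespace, a kernel >= 5.12 and procfs mounted; the file name, function names, the P_ prefixed copies of the uapi constants and the idmap_line parsing of podman's FSID-MAPPEDID-LEN triplets are mine. The uid_map line it writes follows the kernel's "inside outside length" order, with the on-disk ID on the inside (that is what `idmap=uids=1000-0-1` amounts to). On an NFS path it should print the same EINVAL that crun reported; on a path backed by one of the filesystems in the grep output above (ext4, xfs, btrfs, ...) it should report success.

```c
/* idmap_probe.c (added example, not crun or podman code): repeat the step crun
 * failed at above, open_tree() + mount_setattr(MOUNT_ATTR_IDMAP), on any directory,
 * to learn whether its filesystem allows idmapped mounts before the path goes into
 * podman's idmap= option. Needs root in the initial userns and a kernel >= 5.12.
 * Build: cc -Wall -o idmap_probe idmap_probe.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* uapi values copied here (prefixed) so the file builds with older glibc headers
 * too; the two syscall numbers are the same on every Linux architecture. */
#define P_OPEN_TREE_CLONE   0x01
#define P_MOUNT_ATTR_IDMAP  0x00100000
#define P_NR_open_tree      428
#define P_NR_mount_setattr  442
struct p_mount_attr { uint64_t attr_set, attr_clr, propagation, userns_fd; };

/* Turn a podman-style "FSID-MAPPEDID-LEN" triplet (idmap=uids=1000-0-1 above) into a
 * /proc/<pid>/uid_map line. The kernel reads "inside outside length" and an idmapped
 * mount treats the on-disk ID as the inside one, so "1000-0-1" -> "1000 0 1\n": files
 * owned by 1000 on disk are seen as owned by 0. Returns line length, -1 if malformed. */
int idmap_line(const char *spec, char *buf, size_t n)
{
    unsigned long v[3];
    for (int i = 0; i < 3; i++) {
        char *end;
        if (*spec < '0' || *spec > '9') return -1;
        v[i] = strtoul(spec, &end, 10);
        if (*end != (i < 2 ? '-' : '\0') || v[i] > UINT32_MAX) return -1;
        spec = end + 1;
    }
    if (v[2] == 0 || v[0] > UINT32_MAX - v[2] || v[1] > UINT32_MAX - v[2]) return -1;
    int w = snprintf(buf, n, "%lu %lu %lu\n", v[0], v[1], v[2]);
    return (w < 0 || (size_t)w >= n) ? -1 : w;
}

/* Fork a child that unshares a user namespace, write `line` into its uid_map and gid_map
 * (root may map IDs it does not own) and return an fd to the namespace. -1 on failure. */
static int make_userns_fd(const char *line, int len)
{
    int sync[2], nsfd = -1, ok;
    char path[64], c;
    if (pipe(sync) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                 /* child: own userns, then idle */
        if (unshare(CLONE_NEWUSER) < 0) _exit(1);
        close(sync[1]);                             /* EOF tells the parent: ready */
        pause();
    }
    close(sync[1]);
    ok = read(sync[0], &c, 1) == 0;                 /* EOF, not data, means ready */
    close(sync[0]);
    for (int i = 0; ok && i < 2; i++) {
        snprintf(path, sizeof path, "/proc/%d/%s", pid, i ? "gid_map" : "uid_map");
        int fd = open(path, O_WRONLY | O_CLOEXEC);
        ok = fd >= 0 && write(fd, line, len) == len;
        if (!ok) perror(path);
        if (fd >= 0) close(fd);
    }
    snprintf(path, sizeof path, "/proc/%d/ns/user", pid);
    if (ok) nsfd = open(path, O_RDONLY | O_CLOEXEC);  /* the ns lives on via this fd */
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return nsfd;
}

/* Clone a detached copy of dir's mount and try to idmap it with the triplet.
 * Returns mount_setattr's errno (0 = success), or -1 on setup failure. */
int probe_idmapped_mount(const char *dir, const char *triplet)
{
    char line[64];
    int len = idmap_line(triplet, line, sizeof line), nsfd, tree, err;
    if (len < 0) { fprintf(stderr, "bad triplet: %s\n", triplet); return -1; }
    if ((nsfd = make_userns_fd(line, len)) < 0) return -1;
    tree = syscall(P_NR_open_tree, AT_FDCWD, dir, P_OPEN_TREE_CLONE | O_CLOEXEC);
    if (tree < 0) { perror("open_tree"); close(nsfd); return -1; }
    struct p_mount_attr attr = { .attr_set = P_MOUNT_ATTR_IDMAP, .userns_fd = nsfd };
    err = syscall(P_NR_mount_setattr, tree, "", AT_EMPTY_PATH, &attr, sizeof attr) ? errno : 0;
    printf("%s: mount_setattr(MOUNT_ATTR_IDMAP) -> %s\n", dir, err ? strerror(err) : "ok");
    if (err == EINVAL)   /* on a fresh detached mount this is the FS_ALLOW_IDMAP test in fs/namespace.c */
        puts("  EINVAL: the filesystem does not allow idmapped mounts (the nfs case above)");
    close(tree);                                    /* the detached mount dies with its fd */
    close(nsfd);
    return err;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s DIR FSID-MAPPEDID-LEN\n", argv[0]); return 2; }
    return probe_idmapped_mount(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

Run it as root against the volume source, e.g. `./idmap_probe /srv/home/local 1000-0-1`, and then against a directory on the host's ext4 root to see the two outcomes side by side. Because the mount is cloned with OPEN_TREE_CLONE and never attached, the probe changes nothing on the system; EPERM instead of EINVAL points at a privilege or already-idmapped-mount problem rather than at the filesystem.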