This is a spinoff / continuation of my prior thread that should hopefully be a bit more
generic and therefore applicable to more people.
Simply put: what work do I need to do to a host prior to invoking `podman run...` on a
rootless container?
As best I can tell:
- Create a system level user (usually a U/GID under 1000 and no home-dir, password,
shell)
- Create a new sub UID/GID range in /etc/subuid and /etc/subgid file that the user/groups
*in* the container will map to *on* the host
- Create space on the host for the volumes and other files that'll need to get mounted
into the container
And then this is where I get lost.
I'd *like* to make the permissions applied to the on-host directories as narrow as
possible, but I've not found a reliable way to determine which U/GID should be applied
to the file/folder.
If I create a host system user with UID 995, this UID won't be what gets mapped into
the container which will result in "not permitted" errors when the process
inside the container tries to touch files that are mapped from the host into the
container.
So I've started to use a rather crude approach:
- chmod -R 777 /path/to/dir/that/mounts/into/container
- podman run ...
- ls -lah /path/to/dir/that/mounts/into/container
- chown $(uid from above step) /path/to/dir/that/mounts/into/container
- chmod -R 0750 /path/to/dir/that/mounts/into/container
My question is: is there a better way?
In the specific case of the prometheus container, the container wants to run as the
`nobody` user which has the ID `65534`. See:
```
/ $ id nobody
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
```
And if I look at my `/etc/subuid` file, I see that `prometheus` has `65536` IDs allocated
to it, starting from `427680`. See:
```
$ cat /etc/subuid
<...snip...>
prometheus:427680:65536
```
And using the (crude) method from above, I can see that the files are being written to
disk as the user `493213`. See:
```
prometheus@my-host:/tmp/prom/data$ ls -lah
total 16K
drwxrwxrwx 3 prometheus prometheus 4.0K Jan 24 12:43 .
drwxrwxrwx 3 prometheus prometheus 4.0K Jan 24 12:17 ..
-rw-r--r-- 1 493213 493213 0 Jan 24 12:43 lock
-rw-r--r-- 1 493213 493213 20K Jan 24 12:43 queries.active
drwxr-xr-x 2 493213 493213 4.0K Jan 24 12:43 wal
```
So, doing a bit of math, we can see that 493213 - 427680 = 65533. Or, said differently,
starting with the user ID 427680 and adding another 65534 users (counting from ID 0), we
get the user ID 493213.
I can now change the permissions on the `/tmp/prom/data` path from `drwxrwxrwx &
prometheus prometheus` to `drwx------ & 427680 427680` on the host.
So this brings me to my basic question: Is there a simpler way to get the value `427680`
from podman **prior** to running the container?
Thanks for your time/help!
-K
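One way to get the host UID from `/etc/subuid` without a trial run first (an added example, not part of the original post or of podman itself). It assumes the mapping rootless podman sets up by default, which is what the numbers above show: container UID 0 maps to the rootless user's own host UID, and container UIDs 1 and up map in order onto the user's subuid range, so container UID 65534 lands on 427680 + 65534 - 1 = 493213. The `SUBUID_FILE` override and the helper names are my own.

```shell
#!/bin/sh
# Added example: translate a container UID to the host UID it will own files as
# under rootless podman, using the user's /etc/subuid entry.
#   container UID 0          -> the rootless user's own host UID
#   container UID n (n >= 1) -> subuid_start + (n - 1)
# SUBUID_FILE defaults to /etc/subuid; point it at a copy for offline testing.
SUBUID_FILE="${SUBUID_FILE:-/etc/subuid}"

# subuid_range USER -> prints "start count" for the first matching entry
subuid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }' "$SUBUID_FILE"
}

# host_uid_for USER OWNER_UID CONTAINER_UID -> prints the host UID, or fails
# OWNER_UID is the rootless user's own UID (e.g. from `id -u USER`).
host_uid_for() {
    user="$1"; owner_uid="$2"; cuid="$3"
    if [ "$cuid" -eq 0 ]; then
        # root inside the container is the unprivileged user on the host
        echo "$owner_uid"
        return 0
    fi
    set -- $(subuid_range "$user")
    [ $# -eq 2 ] || { echo "no subuid entry for $user in $SUBUID_FILE" >&2; return 1; }
    start="$1"; count="$2"
    if [ "$cuid" -gt "$count" ]; then
        # the default map only covers `count` IDs; anything above is unmapped
        echo "container uid $cuid exceeds the $count ids allocated to $user" >&2
        return 1
    fi
    echo $((start + cuid - 1))
}

# Usage: sh map_uid.sh prometheus 65534   (prints 493213 for the entry above)
if [ $# -eq 2 ]; then
    host_uid_for "$1" "$(id -u "$1")" "$2"
fi
```

The printed value is what to pass to `chown` on the host directory before `podman run`. On a live host, `podman unshare chown 65534:65534 /path/to/dir` performs the same translation through podman's own user namespace and avoids the arithmetic entirely.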