On 7/19/22 00:21, Robin Lee Powell wrote:
> remap them to UID 93.
Oof, this is really tough. I'm really surprised the UID is hard-coded
like that. Are you seriously locked into using exim?
(I'm guessing yes).
On 7/19/22 00:21, Robin Lee Powell wrote:
> Because I'm running rootless, all those files are owned by UID 1000,
> as you'd expect. I also run with --userns=keep-id, because, well,
> that seems cleanest and most secure?
I'm thinking this might be your way out. If the containers were running
as root on the host, there would be a security benefit to non-root
container users. However, since you're running rootless, you're really
not gaining anything at all (besides maybe frustration).
So, since you're hard-coded into uid 93 for exim, can you rearrange all
your non-exim containers to run as root (still rootless on the host) but
retain access to the volume data that's needed?
Another idea is to have all your non-exim containers run with
`--userns:container:<Exim Container>` to help coordinate access to your
volume data. That should also reduce the amount of fiddling you need to
do with UIDs/GIDs. Everything can simply be locked into whatever is
set up in the exim container.
HTH
--
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
My personal robot overlord told me to include this signature line.
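An added example, not part of this thread or of podman's own code, showing why the two modes discussed above put the hard-coded exim UID 93 onto different host-side owners of volume files. It assumes the standard rootless podman layout (the host user's UID becomes container root by default, /etc/subuid supplies the rest of the range) and uses constructed values: host user 1000, subuid range 100000:65536.

```shell
#!/bin/sh
# Translate a UID seen inside a rootless podman container into the UID that
# shows up as the owner of files on a host volume.
# Assumed (constructed) layout: host user UID 1000, /etc/subuid range
# 100000:65536. Arguments:
#   host_uid_for <default|keep-id> <host user UID> <subuid start> <subuid count> <container UID>
host_uid_for() {
    mode=$1; me=$2; sub_start=$3; sub_len=$4; cuid=$5
    case $mode in
    default)
        # No --userns flag: container root is the host user itself, and
        # container UID n (n >= 1) lands on subuid number n-1.
        if [ "$cuid" -eq 0 ]; then echo "$me"
        elif [ "$cuid" -le "$sub_len" ]; then echo $((sub_start + cuid - 1))
        else echo "unmapped"; fi ;;
    keep-id)
        # --userns=keep-id: the host user's UID maps to itself; container UIDs
        # below it are shifted onto the subuid range starting at sub_start,
        # and container UIDs above it continue through the subuid range.
        if [ "$cuid" -eq "$me" ]; then echo "$me"
        elif [ "$cuid" -lt "$me" ]; then echo $((sub_start + cuid))
        elif [ "$cuid" -le "$sub_len" ]; then echo $((sub_start + cuid - 1))
        else echo "unmapped"; fi ;;
    *)
        echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Constructed sample: where do container root and exim's UID 93 end up on
# the host under each mode? (With the values above: 1000 vs 100000 for
# root, and 100092 vs 100093 for UID 93.)
for cuid in 0 93 1000; do
    printf 'container uid %-5s default -> %-7s keep-id -> %s\n' "$cuid" \
        "$(host_uid_for default 1000 100000 65536 "$cuid")" \
        "$(host_uid_for keep-id 1000 100000 65536 "$cuid")"
done
```

Compare against the live mapping with `podman unshare cat /proc/self/uid_map` and `podman run --rm --userns=keep-id <image> cat /proc/self/uid_map`; the second file's rows are relative to the first.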