On 06.11.19 17:01, Giuseppe Scrivano wrote:
> the issue here is that you are mapping your own user to the same id
> inside of the user namespace.
> That means the root user inside of the user namespace will be mapped to
> another ID, which is the first ID specified in /etc/sub?id for your
> user. It is the same user that will configure the mount namespace,
> including the bind mount that fails in your test.
Thank you! This explanation really helped, and it confirms the theory I
had about why it's not working: I assumed the mount is done as that
"fake" root uid.
I was able to workaround it by doing:
setfacl -m user:FIRST_SUBUID:rx /tmp/foo
This made the container start :)
> The OCI runtime, after changing uid/gid to the specified ones (with
> --userns=keep-id these are the same $UID:$GID you have on the host), drops any
> additional group that the user had when launching the container.
> I've added a function to crun 0.10.4 to make it possible not to drop
> additional groups in such cases; it can be enabled from podman with
> "--annotation io.crun.keep_original_groups=1". It might help you.
Good to know, though crun won't make it to EL7 I guess, so the approach
above is probably the way to go for me in that situation.
~mh
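The workaround from the thread, scripted as an added example (this is not code from the thread, from podman or from crun): look up the first subordinate uid for the current user in an /etc/subuid-style file ("user:start:count" per line), and grant that uid read and search access to the bind-mount source with setfacl, since that is the uid the rootless runtime uses when it sets up the mount namespace. The sample subuid content, the directory name /tmp/foo and the function names are constructed for the demonstration; applying the ACL for real assumes the acl tools (setfacl/getfacl) are installed.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: /etc/subuid uses
# the "user:start:count" format, and setfacl/getfacl are available when the
# ACL is actually applied.
set -u

# Print the first subordinate uid of user $1 from subuid file $2.
# Prints nothing and returns 1 if the user has no entry, so callers can
# distinguish "no range configured" from a real uid.
first_subuid() {
  awk -F: -v u="$1" '$1 == u { print $2; found = 1; exit } END { exit !found }' "$2"
}

# Build (but do not run) the setfacl command for directory $1 and uid $2,
# mirroring the one-liner that made the container start in the thread.
acl_cmd() {
  printf 'setfacl -m user:%s:rx %s\n' "$2" "$1"
}

# Apply the ACL for the calling user's first subuid on directory $1 and verify
# it with getfacl. Only meaningful on a real host with /etc/subuid populated.
grant_fake_root_access() {
  dir=$1
  uid=$(first_subuid "$(id -un)" /etc/subuid) || {
    echo "no /etc/subuid entry for $(id -un)" >&2
    return 1
  }
  setfacl -m "user:${uid}:rx" "$dir" || return 1
  # getfacl prints the numeric uid when it does not resolve to a local user.
  getfacl -p "$dir" 2>/dev/null | grep -q "^user:${uid}:r-x"
}

# Stand-alone demo on constructed sample data (no root, no ACL tools needed).
SAMPLE_SUBUID=$(mktemp)
printf 'alice:100000:65536\nbob:165536:65536\n' > "$SAMPLE_SUBUID"   # constructed

first_subuid bob "$SAMPLE_SUBUID"                          # 165536
acl_cmd /tmp/foo "$(first_subuid bob "$SAMPLE_SUBUID")"    # setfacl -m user:165536:rx /tmp/foo
first_subuid carol "$SAMPLE_SUBUID" || echo "carol has no subuid range"

rm -f "$SAMPLE_SUBUID"

# Real use on a host: uncomment the next line and run `./grant-acl.sh /tmp/foo`.
# [ $# -eq 1 ] && grant_fake_root_access "$1"
```

Note that the ACL only addresses the uid side of the problem: the runtime's dropping of supplementary groups, which the reply above mentions, is a separate issue, and on a host where crun is available the "--annotation io.crun.keep_original_groups=1" route is the one to try for that.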