[Podman] Re: Should I run podman-based systemd services as root?

On 8/4/23 08:17, Daniel Walsh wrote: > Rootful Podman looks for the user "containers" in /etc/subuid and > /etc/subgid files and then divides the range of UIDs/GIDs in defined, > containers/storage records the used UID ranges. > > With rootless, we sub-divide the users range. Right, and I see `podman pod create` also supports passing `--userns=auto`, so then all containers in that pod will have the same user namespace "view" for shared volumes. But now I'm questioning if podman really is "smart" enough to allocate the same rootless "sub-range" (from a single big entry) every time. Including across create/remove/create cycles for pods, containers, and volumes. Getting back to the suggestion for Mark's architecture (one user, managing tens of pods/apps, while maintaining "defense in depth" as much as possible).  It would be really, really, really important for the pods and/or containers to always grab the same "sub-range" when using `--userns=auto`.  Even if the pod or container is removed and re-created (for example, maybe some option needs changing).

Though maybe (again) I'm misunderstanding how `--userns=auto` is suppose to work.  It sounds like maybe the "sub-range" allocation is somehow persisted along with the shared volume data?  So preserving the volume metadata then becomes incredibly important (unless you enjoy lots of manual-chown-labor). --- Chris Evich (he/him), RHCA III Senior Quality Assurance Engineer If there's a "hard-way", I'm the first one to implement it. _______________________________________________ Podman mailing list -- podman(a)lists.podman.io To unsubscribe send an email to podman-leave(a)lists.podman.io