7:26 a.m.
I'm running a bunch of rootless Podman containers. I noticed that the RemapUsers,
RemapUid and RemapGid options (and possibly others that I haven't used) disappeared
from the documentation of podman-systemd.unit in 4.5.0.
I barely and partially understood what the options did in the 4.4.0 days when we started
using them, but got them working through trial and error.
Here's what we have across the board right now in our Quadlet generators. They still
work in 4.5.0, but I'm assuming they'll go away eventually:
RemapUsers=manual
RemapUid=0:0:1
RemapUid=100:1:1
RemapGid=0:0:1
RemapGid=65534:1:1
With the 0:0:1 options, the root user/group inside the containers are mapped to the
regular (non-root) host user/group. We need this, since the container bind mounts volumes
from the host and must appear to the host as the regular user while doing so.
The 100:1:1 and 65534:1:1 options have to do with the special _apt user in Debian-based
containers; apt drops privileges to that user in some circumstances. I couldn't tell
you why remapping those are needed, but not having them caused problems when installing
packages inside the containers.
What Quadlet options in Podman >=4.5.0 would be equivalent to the above legacy options?
3:04 a.m.
New subject: What to use instead of RemapUsers/RemapUid/RemapGid in Quadlet now?
Thanks for reaching out!
The following commit has removed the fields from the documentation:
https://github.com/containers/podman/commit/f6a50311c56d
The fields have been deprecated in favor of the new `UserNS` field which is
more symmetric to the CLI. The old fields are still functional but we
decided to drop them from the docs to not encourage use.
Kind regards,
Valentin
On Fri, Sep 1, 2023 at 1:28 PM <jklaiho(a)iki.fi> wrote:
I'm running a bunch of rootless Podman containers. I noticed that
the
RemapUsers, RemapUid and RemapGid options (and possibly others that I
haven't used) disappeared from the documentation of podman-systemd.unit in
4.5.0.
I barely and partially understood what the options did in the 4.4.0 days
when we started using them, but got them working through trial and error.
Here's what we have across the board right now in our Quadlet generators.
They still work in 4.5.0, but I'm assuming they'll go away eventually:
RemapUsers=manual
RemapUid=0:0:1
RemapUid=100:1:1
RemapGid=0:0:1
RemapGid=65534:1:1
With the 0:0:1 options, the root user/group inside the containers are
mapped to the regular (non-root) host user/group. We need this, since the
container bind mounts volumes from the host and must appear to the host as
the regular user while doing so.
The 100:1:1 and 65534:1:1 options have to do with the special _apt user in
Debian-based containers; apt drops privileges to that user in some
circumstances. I couldn't tell you why remapping those are needed, but not
having them caused problems when installing packages inside the containers.
What Quadlet options in Podman >=4.5.0 would be equivalent to the above
legacy options?
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
6:53 a.m.
New subject: What to use instead of RemapUsers/RemapUid/RemapGid in Quadlet now?
Hi,
Thanks for the commit ref for context, Valentin.
Nonetheless, I would really appreciate help with how to express these old style mappings
with the new UserNS option in Quadlet:
RemapUsers=manual
RemapUid=0:0:1
RemapUid=100:1:1
RemapGid=0:0:1
RemapGid=65534:1:1
Like I said, I arrived to these with trial and error, not properly understanding what
I'm doing, and would rather not try to convert from one poorly understood syntax to
another.
- JK
On Monday, Sep 04, 2023 at 10:05 AM, Valentin Rothberg
<vrothberg(a)redhat.com (mailto:vrothberg@redhat.com)> wrote:
Thanks for reaching out!
The following commit has removed the fields from the documentation:
https://github.com/containers/podman/commit/f6a50311c56d
The fields have been deprecated in favor of the new `UserNS` field which is more
symmetric to the CLI. The old fields are still functional but we decided to drop them from
the docs to not encourage use.
Kind regards,
Valentin
7:35 a.m.
New subject: What to use instead of RemapUsers/RemapUid/RemapGid in Quadlet now?
On Mon, Sep 4, 2023 at 12:54 PM jklaiho(a)iki.fi <jklaiho(a)iki.fi> wrote:
Hi,
Thanks for the commit ref for context, Valentin.
Nonetheless, I would really appreciate help with how to express these old
style mappings with the new UserNS option in Quadlet:
RemapUsers=manual
RemapUid=0:0:1
RemapUid=100:1:1
RemapGid=0:0:1
RemapGid=65534:1:1
Like I said, I arrived to these with trial and error, not properly
understanding what I'm doing, and would rather not try to convert from one
poorly understood syntax to another.
The syntax is `container ID: host ID: range`. So `100:1:1` means that
container UID 100 is mapped to host UID 1 for the range of length 1.
`100:1:10` would mean that 10 UIDs starting at 100 inside the container are
mapped to 10 outside the container at UID 1.
That being said, are you sure what you specified above is correct? In case
you are not sure, can you elaborate why you want to achieve? I am hesitant
to give an answer as the ranges look strange to me.
- JK
On Monday, Sep 04, 2023 at 10:05 AM, Valentin Rothberg <
vrothberg(a)redhat.com> wrote:
Thanks for reaching out!
The following commit has removed the fields from the documentation:
https://github.com/containers/podman/commit/f6a50311c56d
The fields have been deprecated in favor of the new `UserNS` field which
is more symmetric to the CLI. The old fields are still functional but we
decided to drop them from the docs to not encourage use.
Kind regards,
Valentin
1:02 p.m.
New subject: What to use instead of RemapUsers/RemapUid/RemapGid in Quadlet now?
> Nonetheless, I would really appreciate help with how to express
these old style mappings with the new UserNS option in Quadlet:
>
> RemapUsers=manual
> RemapUid=0:0:1
> RemapUid=100:1:1
> RemapGid=0:0:1
> RemapGid=65534:1:1
>
The syntax is `container ID: host ID: range`. So `100:1:1` means that container UID 100
is mapped to host UID 1 for the range of length 1. `100:1:10` would mean that 10 UIDs
starting at 100 inside the container are mapped to 10 outside the container at UID 1.
That being said, are you sure what you specified above is correct? In case you are not
sure, can you elaborate why you want to achieve? I am hesitant to give an answer as the
ranges look strange to me.
See this thread:
https://lists.podman.io/archives/list/podman@lists.podman.io/thread/3ZN4U...
It describes the original issue I had, and how I arrived at those numbers. Remember, this
is a rootless container being run by a regular user. According to Erik Sjölund's post
in the thread, the middle number is only a host UID in a rootful container – otherwise
it's an "intermediate UID", a term Erik says he invented for explanatory
purposes. ("Positional index", he later also called it; so AFAIK, an index to
the subordinate UIDs of the host user.)
As for what I'm trying to achieve:
RemapUid=0:0:1 and RemapGid=0:0:1 just make it so that the container root appears to the
host as the regular host user, for purposes of host file permissions for bind mounted
volumes. (A file created into the mounted volume as the container's root shows up on
the host side as being created by the regular user, etc.)
RemapUid=100:1:1 and RemapGid=65534:1:1 fix the apt-related error described in the thread,
and have no other purpose for me. If (if!) I understood anything from Erik's and
Guiseppe Scrivano's explanations in that thread, this gives the container one extra
UID and GID to work with when performing seteuid/setegid/setgroups operations. It seems to
need those when the container root drops privileges to become the container _apt user
during package installation.
Phew :-D. With all that said, I hope the correct UserNS invocation can be determined.
- JK
3:36 p.m.
New subject: What to use instead of RemapUsers/RemapUid/RemapGid in Quadlet now?
I think the directive "PodmanArgs" can be used to set podman arguments
that don't have any
container option counterpart.
See man page:
https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
Maybe something like this could work?
PodmanArgs=--uidmap 0:0:1 --uidmap 100:1:1 --gidmap 0:0:1 --gidmap 65534:1:1
(untested)
Erik
On Mon, Sep 4, 2023 at 7:03 PM jklaiho(a)iki.fi <jklaiho(a)iki.fi> wrote:
>>
>> Nonetheless, I would really appreciate help with how to express these old style
mappings with the new UserNS option in Quadlet:
>>
>> RemapUsers=manual
>> RemapUid=0:0:1
>> RemapUid=100:1:1
>> RemapGid=0:0:1
>> RemapGid=65534:1:1
>>
> The syntax is `container ID: host ID: range`. So `100:1:1` means that container UID
100 is mapped to host UID 1 for the range of length 1. `100:1:10` would mean that 10 UIDs
starting at 100 inside the container are mapped to 10 outside the container at UID 1.
>
> That being said, are you sure what you specified above is correct? In case you are
not sure, can you elaborate why you want to achieve? I am hesitant to give an answer as
the ranges look strange to me.
>
>
> See this thread:
https://lists.podman.io/archives/list/podman@lists.podman.io/thread/3ZN4U...
>
> It describes the original issue I had, and how I arrived at those numbers. Remember,
this is a rootless container being run by a regular user. According to Erik Sjölund's
post in the thread, the middle number is only a host UID in a rootful container –
otherwise it's an "intermediate UID", a term Erik says he invented for
explanatory purposes. ("Positional index", he later also called it; so AFAIK, an
index to the subordinate UIDs of the host user.)
>
> As for what I'm trying to achieve:
>
> RemapUid=0:0:1 and RemapGid=0:0:1 just make it so that the container root appears to
the host as the regular host user, for purposes of host file permissions for bind mounted
volumes. (A file created into the mounted volume as the container's root shows up on
the host side as being created by the regular user, etc.)
>
> RemapUid=100:1:1 and RemapGid=65534:1:1 fix the apt-related error described in the
thread, and have no other purpose for me. If (if!) I understood anything from Erik's
and Guiseppe Scrivano's explanations in that thread, this gives the container one
extra UID and GID to work with when performing seteuid/setegid/setgroups operations. It
seems to need those when the container root drops privileges to become the container _apt
user during package installation.
>
> Phew :-D. With all that said, I hope the correct UserNS invocation can be
determined.
>
> - JK
>
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
445
days inactive
448
days old
5 comments
3 participants
participants (3)
-
Erik Sjölund -
jklaiho@iki.fi -
Valentin Rothberg