I created a Github feature request
https://github.com/containers/podman/issues/8929
On Sun, Jan 10, 2021 at 2:26 PM Daniel Walsh <dwalsh(a)redhat.com> wrote:
>
> On 1/10/21 08:14, Erik Sjölund wrote:
> > The upcoming Podman 3.0 looks exciting, especially in regards to
> > "rootless single mapping".
> >
> > Regarding the question:
> >> If you know of "features", that you want to get in, then make them known
> >> in github.
> > Would it make sense to add these two new command-line options to "podman run"
> >
> > --disable-subuid
> > --disable-subgid
> >
> > so that it would be easy to disable the use of
> >
> > /usr/bin/newuidmap
> > /usr/bin/newgidmap
> >
> > That would be handy when a user wants to run podman and be sure that
> > no subuids and subgids are used.
> >
> > If you wonder about the terminology:
> > "rootless single mapping", I found it here:
> >
> > [erik@laptop podman]$ grep "using rootless " ./pkg/rootless/rootless_linux.go
> > logrus.Warnf("using rootless single mapping into the namespace. This
> > might break some images. Check /etc/subuid and /etc/subgid for adding
> > sub*ids")
> > [erik@laptop podman]$
> >
> > I could add a feature request to Github, if you think these options make sense.
> > _______________________________________________
> > Podman mailing list -- podman(a)lists.podman.io
> > To unsubscribe send an email to podman-leave(a)lists.podman.io
> Giuseppe, would this be possible, or are we already within the user
> namespace before checking the options? If it is possible, would we need
> to set the ignore-chown-errors option?
>
> Most likely this would be implemented as a --security-opt nosuidmap.
>
> I would not want to add it as a primary option.
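To make the "rootless single mapping" terminology from the thread concrete, here is an added Go example (not Podman's own code, and not the proposed option's implementation). It parses /etc/subuid-style content for a user and then builds the uid_map a rootless runtime would write in the two cases the thread contrasts: with the user's subordinate ranges (which requires the setuid newuidmap helper) and with only the single "0 <uid> 1" line. The sample file is constructed; matching the owner field by user name or numeric id follows shadow-utils' behaviour, and laying the subordinate ranges out contiguously from inside id 1 is an assumption about layout, not a claim about Podman's exact ordering.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// SubIDRange is one allocation from /etc/subuid or /etc/subgid
// ("owner:start:count").
type SubIDRange struct {
	Start uint32
	Count uint32
}

// IDMapEntry mirrors one line of /proc/<pid>/uid_map or gid_map:
// "inside outside count".
type IDMapEntry struct {
	Inside  uint32
	Outside uint32
	Count   uint32
}

// ParseSubIDFile returns the ranges allocated to a user in /etc/subuid-style
// content. As shadow-utils does, the owner field may be either the user name
// or the numeric id. An empty result means newuidmap/newgidmap has nothing
// to map beyond the caller's own id.
func ParseSubIDFile(content, user string, id uint32) ([]SubIDRange, error) {
	var ranges []SubIDRange
	idStr := strconv.FormatUint(uint64(id), 10)
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ":")
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed subid line %q", line)
		}
		if fields[0] != user && fields[0] != idStr {
			continue
		}
		start, err := strconv.ParseUint(fields[1], 10, 32)
		if err != nil {
			return nil, fmt.Errorf("bad start in %q: %w", line, err)
		}
		count, err := strconv.ParseUint(fields[2], 10, 32)
		if err != nil || count == 0 {
			return nil, fmt.Errorf("bad count in %q", line)
		}
		ranges = append(ranges, SubIDRange{Start: uint32(start), Count: uint32(count)})
	}
	return ranges, sc.Err()
}

// BuildIDMap returns the mapping written into the user namespace. The
// caller's own id always becomes root inside. With useSubIDs=false (no
// ranges, or ranges deliberately ignored) that single line is the whole map,
// which is the "rootless single mapping"; otherwise each subordinate range is
// appended contiguously starting at inside id 1 (layout assumed for this
// example).
func BuildIDMap(id uint32, ranges []SubIDRange, useSubIDs bool) []IDMapEntry {
	m := []IDMapEntry{{Inside: 0, Outside: id, Count: 1}}
	if !useSubIDs {
		return m
	}
	next := uint32(1)
	for _, r := range ranges {
		m = append(m, IDMapEntry{Inside: next, Outside: r.Start, Count: r.Count})
		next += r.Count
	}
	return m
}

// FormatIDMap renders the map in the syntax of /proc/<pid>/uid_map.
func FormatIDMap(m []IDMapEntry) string {
	var b strings.Builder
	for _, e := range m {
		fmt.Fprintf(&b, "%d %d %d\n", e.Inside, e.Outside, e.Count)
	}
	return b.String()
}

// sampleSubUID is a constructed file for this example, not a real /etc/subuid.
const sampleSubUID = `# constructed sample
alice:100000:65536
bob:165536:65536
1000:231072:65536
`

func main() {
	ranges, err := ParseSubIDFile(sampleSubUID, "alice", 1000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with subuids (newuidmap needed):\n%s", FormatIDMap(BuildIDMap(1000, ranges, true)))
	fmt.Printf("single mapping (no newuidmap):\n%s", FormatIDMap(BuildIDMap(1000, nil, false)))
}
```

Run against a real /etc/subuid (read the file instead of the constant) to audit which accounts have subordinate ranges at all; an account with none already gets the single mapping, and any container image that needs more than one id inside the namespace will then hit the warning quoted from rootless_linux.go above.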