Hi all,

I'm trying to understand some of the internals of namespace-based Linux
containers and I'm kindly asking you for help.

When launching `podman run -it --rm -v ~/Downloads:/dwn
docker.io/library/ubuntu /bin/bash`, the inside user is root. That is
expected, and without any surprise the /proc/self/uid_map is:
          0       1000          1
          1     100000      65536

When launching `podman run -it --rm -v ~/Downloads:/dwn --userns keep-id
docker.io/library/ubuntu /bin/bash` instead, the /proc/self/uid_map is:
          0          1       1000
       1000          0          1
       1001       1001      64536

If I'm understanding it well, in the latter case there is a double
mapping: to keep host UID and GID, podman fires two user namespaces,
where the inner namespace maps its IDs the outer namespace, which
finally maps to the host (that is, 1000 -> 0 -> 1000 again).

The mechanism I don't get is how podman manages to make the rootfs owned
by root inside the inner namespace, while assigning volumes to the
unprivileged inner user:
dr-xr-xr-x.   1 root   root      18 May  4 06:33 .
dr-xr-xr-x.   1 root   root      18 May  4 06:33 ..
lrwxrwxrwx.   1 root   root       7 Mar  8 02:05 bin -> usr/bin
drwxr-xr-x.   1 root   root       0 Apr 18  2022 boot
[...]
drwxr-xr-x.   1 myuser 1000    2.1K May  3 15:07 dwn

What is the algorithm here? I have a feeling there is some clever
combination of syscalls here I don't get. When I tried to reproduce this
double namespace situation, the rootfs of the inner namespace was all
owned by 1000, not 0.

Thank you so so much for your time if you're willing to help me,
Fabio.
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io