On 8/1/23 05:51, Daniel Walsh wrote:
> An easier way to do this would be to create a non-root user with a huge
> amount of UIDs and then run each container within that user with
> Userns=auto. That would get you doing podman pulls without being root,
> and have all of your containers isolated from each other with user
> namespaces.
I'm assuming you mean a huge amount of sub-UIDs (and sub-GIDs).
Neat! So with --userns=auto, the container UID/GID assignment is: "nil
(Host User UID is not mapped into container.)". Surely that would
make life easier and also simplify the ownership of storage items.
I'm guessing it wouldn't matter, but would it make any difference to
have many entries of smaller ranges (for the host-user), rather than one
massive one?
Reason I ask is, one entry/range per pod or app would be simpler to
manage with tools like Ansible - where it's trivial to manipulate lines
in `/etc/sub{u,g}id` - rather than trying to "assign" out of a single
huge entry (and ensuring it's always large enough) to the user's pods/apps.
In the `newuidmap` I couldn't find mention of any maximum number of
ranges. Would it be limited to the max command-line length then?
---
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
If there's a "hard-way", I'm the first one to implement it.
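One way to manage the "one entry/range per pod or app" layout the reply describes, as an added example that is not part of the thread: a small helper that appends a new `user:start:count` line to a subuid/subgid-style file only after finding a gap that does not overlap any existing range. It assumes a constructed file passed as its first argument (point it at `/etc/subuid` or `/etc/subgid` yourself) and a default floor of 100000 for allocations.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): allocate one sub-UID/GID range per pod
# or app for a host user without overlapping any entry already in the file.
set -eu

# next_free_range FILE SIZE [LOW]
# Prints "START:SIZE" for the lowest gap of SIZE at or above LOW (default
# 100000) that does not overlap an existing "user:start:count" line in FILE.
next_free_range() {
  local file="$1" size="$2" low="${3:-100000}"
  awk -F: -v size="$size" -v low="$low" '
    BEGIN { n = 0 }
    NF == 3 { starts[n] = $2 + 0; counts[n] = $3 + 0; n++ }
    END {
      # Insertion sort by start; these files are small.
      for (i = 1; i < n; i++) {
        s = starts[i]; c = counts[i]; j = i - 1
        while (j >= 0 && starts[j] > s) {
          starts[j+1] = starts[j]; counts[j+1] = counts[j]; j--
        }
        starts[j+1] = s; counts[j+1] = c
      }
      cand = low
      for (i = 0; i < n; i++) {
        end = starts[i] + counts[i]          # exclusive end of this range
        if (cand + size <= starts[i]) break  # the gap before it fits
        if (cand < end) cand = end           # otherwise skip past it
      }
      print cand ":" size
    }' "$file"
}

# add_range FILE USER SIZE
# Appends "USER:START:SIZE" to FILE using the next free gap and echoes the line.
add_range() {
  local file="$1" user="$2" size="$3"
  local range
  range="$(next_free_range "$file" "$size")"
  printf '%s:%s\n' "$user" "$range" | tee -a "$file"
}
```

Each pod or app then gets its own line for the same host user, which is the shape Ansible's line-editing modules handle easily, and the overlap check is what `newuidmap` would otherwise reject at container start.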