On 8/4/23 08:17, Daniel Walsh wrote:
> Rootful Podman looks for the user "containers" in
> /etc/subuid and
> /etc/subgid files and then divides the range of UIDs/GIDs in defined,
> containers/storage records the used UID ranges.
> With rootless, we sub-divide the users range.
Right, and I see `podman pod create` also supports passing
`--userns=auto`, so then all containers in that pod will have the same
user namespace "view" for shared volumes.
But now I'm questioning if podman really is "smart" enough to allocate
the same rootless "sub-range" (from a single big entry) every time.
Including across create/remove/create cycles for pods, containers, and
volumes.
Getting back to the suggestion for Mark's architecture (one user,
managing tens of pods/apps, while maintaining "defense in depth" as much
as possible). It would be really, really, really important for the pods
and/or containers to always grab the same "sub-range" when using
`--userns=auto`. Even if the pod or container is removed and re-created
(for example, maybe some option needs changing).
Though maybe (again) I'm misunderstanding how `--userns=auto` is supposed
to work. It sounds like maybe the "sub-range" allocation is somehow
persisted along with the shared volume data? So preserving the volume
metadata then becomes incredibly important (unless you enjoy lots of
manual-chown-labor).
---
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
If there's a "hard-way", I'm the first one to implement it.
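The check Chris is asking for above, written out as an added example that is not part of this thread and not podman's own code: capture the ID mapping of each incarnation of a `--userns=auto` pod or container (for instance with `podman run --rm --pod <pod> alpine cat /proc/self/uid_map`, and likewise `gid_map`), then compare the two and, if the sub-range moved, compute which host UIDs on the shared volume's mountpoint (`podman volume inspect --format '{{.Mountpoint}}' <vol>`, then `find <mountpoint> -printf '%U\n'`) have to be chowned to what, so the same in-container UID still owns the files. The two mappings and the list of host UIDs below are constructed sample data, not output of any real system, and `--userns=auto` may pick different sizes and offsets than these.

```python
"""Compare the user-namespace ID mappings of two incarnations of a
--userns=auto pod/container and work out what a moved sub-range means
for files left on a shared volume.

Input format is that of /proc/<pid>/uid_map and gid_map: one mapping
per line, "<id-inside-ns> <id-on-host> <length>".
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class IdMapEntry:
    ns_start: int    # first ID as seen inside the container
    host_start: int  # host ID that ns_start maps to
    length: int      # number of consecutive IDs covered


def parse_id_map(text: str) -> List[IdMapEntry]:
    """Parse uid_map/gid_map text; blank lines are ignored, anything else
    that is not three positive-length integers is rejected."""
    entries: List[IdMapEntry] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        ns_start, host_start, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive length in id_map line: {line!r}")
        entries.append(IdMapEntry(ns_start, host_start, length))
    return entries


def ns_to_host(id_map: Sequence[IdMapEntry], ns_id: int) -> Optional[int]:
    """Host ID backing an in-container ID, or None if the ID is unmapped
    (unmapped IDs surface as the overflow ID, usually 65534, inside)."""
    for e in id_map:
        if e.ns_start <= ns_id < e.ns_start + e.length:
            return e.host_start + (ns_id - e.ns_start)
    return None


def host_to_ns(id_map: Sequence[IdMapEntry], host_id: int) -> Optional[int]:
    """In-container ID that a host ID appears as, or None if the host ID
    lies outside the container's sub-range."""
    for e in id_map:
        if e.host_start <= host_id < e.host_start + e.length:
            return e.ns_start + (host_id - e.host_start)
    return None


def same_mapping(a: Sequence[IdMapEntry], b: Sequence[IdMapEntry]) -> bool:
    """True when both incarnations received exactly the same sub-range(s)."""
    key = lambda e: e.ns_start  # noqa: E731
    return sorted(a, key=key) == sorted(b, key=key)


def chown_plan(old_map: Sequence[IdMapEntry], new_map: Sequence[IdMapEntry],
               host_ids_on_volume: Sequence[int]) -> List[Tuple[int, Optional[int], Optional[int]]]:
    """For each distinct host ID found on the volume, return
    (old_host_id, in_container_id, new_host_id).

    in_container_id is None when the file was not owned by the old
    container at all (leave it alone); new_host_id is None when the
    in-container ID has no backing under the new mapping."""
    plan = []
    for host_id in sorted(set(host_ids_on_volume)):
        ns_id = host_to_ns(old_map, host_id)
        if ns_id is None:
            plan.append((host_id, None, None))
            continue
        plan.append((host_id, ns_id, ns_to_host(new_map, ns_id)))
    return plan


# Constructed sample data (not real podman output): the first incarnation
# got host range 100000..165535, the re-created one got 165536..231071.
OLD_UID_MAP = parse_id_map("         0     100000      65536\n")
NEW_UID_MAP = parse_id_map("         0     165536      65536\n")
# Constructed owner UIDs as `find <mountpoint> -printf '%U\n'` might list them.
VOLUME_OWNER_UIDS = [100000, 100033, 100033, 170000, 0]


def demo() -> List[Tuple[int, Optional[int], Optional[int]]]:
    plan = chown_plan(OLD_UID_MAP, NEW_UID_MAP, VOLUME_OWNER_UIDS)
    if same_mapping(OLD_UID_MAP, NEW_UID_MAP):
        print("sub-range unchanged; nothing to chown")
    for old_host, ns_id, new_host in plan:
        if ns_id is None:
            print(f"host uid {old_host}: not from the old container, skip")
        elif new_host is None:
            print(f"host uid {old_host}: container uid {ns_id} unmapped in new range")
        else:
            print(f"host uid {old_host} (container uid {ns_id}) -> chown to {new_host}")
    return plan


if __name__ == "__main__":
    demo()
```

Run the same functions over `gid_map` text for group ownership; the logic is identical. If `same_mapping` is true after a remove/re-create cycle, the volume needs no attention, which is exactly the property the message above wants to confirm rather than assume.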