Nonetheless, I would really appreciate help with how to express these old style mappings with the new UserNS option in Quadlet:
```ini
RemapUsers=manual
RemapUid=0:0:1
RemapUid=100:1:1
RemapGid=0:0:1
RemapGid=65534:1:1
```
The syntax is `container ID: host ID: range`. So `100:1:1` means that container UID 100 is mapped to host UID 1 for the range of length 1. `100:1:10` would mean that 10 UIDs starting at 100 inside the container are mapped to 10 outside the container at UID 1.
That being said, are you sure what you specified above is correct? In case you are not sure, can you elaborate on what you want to achieve? I am hesitant to give an answer as the ranges look strange to me.
See this thread: https://lists.podman.io/archives/list/podman@lists.podman.io/thread/3ZN4U5MKMGUX6ISDUNW5D32VI6QHZAA6/
It describes the original issue I had, and how I arrived at those numbers. Remember, this is a rootless container being run by a regular user. According to Erik Sjölund's post in the thread, the middle number is only a host UID in a rootful container – otherwise it's an "intermediate UID", a term Erik says he invented for explanatory purposes. ("Positional index", he later also called it; so AFAIK, an index to the subordinate UIDs of the host user.)
As for what I'm trying to achieve:
RemapUid=0:0:1 and RemapGid=0:0:1 just make it so that the container root appears to the host as the regular host user, for purposes of host file permissions for bind mounted volumes. (A file created into the mounted volume as the container's root shows up on the host side as being created by the regular user, etc.)
RemapUid=100:1:1 and RemapGid=65534:1:1 fix the apt-related error described in the thread, and have no other purpose for me. If (if!) I understood anything from Erik's and Giuseppe Scrivano's explanations in that thread, this gives the container one extra UID and GID to work with when performing seteuid/setegid/setgroups operations. It seems to need those when the container root drops privileges to become the container _apt user during package installation.
Phew :-D. With all that said, I hope the correct UserNS invocation can be determined.
- JK
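As an added illustration (not code from the thread or from Podman itself), here is a small Python parser for the `container ID:host ID:range` triplets discussed above: it resolves a container ID through a list of RemapUid/RemapGid lines the way the reply describes the syntax, and flags overlapping ranges, the kind of oddity the reply hints at. It makes no claim about the equivalent UserNS= option, which the thread leaves open; the sample unit text is constructed from the lines quoted in the message.

```python
from dataclasses import dataclass
# Constructed sample: the RemapUid/RemapGid lines quoted in the message above.
SAMPLE_UNIT = """[Container]
RemapUsers=manual
RemapUid=0:0:1
RemapUid=100:1:1
RemapGid=0:0:1
RemapGid=65534:1:1
"""

@dataclass(frozen=True)
class IdMap:
    container_start: int
    host_start: int
    length: int

    def lookup(self, container_id):
        """Host-side (rootless: intermediate) ID for a container ID, or None if outside this triplet.
        E.g. 100:1:10 maps container IDs 100..109 to IDs 1..10."""
        offset = container_id - self.container_start
        return self.host_start + offset if 0 <= offset < self.length else None

def parse_triplet(text):
    parts = text.strip().split(":")
    if len(parts) != 3:
        raise ValueError(f"expected container:host:range, got {text!r}")
    c, h, n = (int(p) for p in parts)
    if c < 0 or h < 0 or n < 1:
        raise ValueError(f"IDs must be >= 0 and range >= 1: {text!r}")
    return IdMap(c, h, n)

def parse_remap_lines(unit_text):
    """Collect RemapUid= and RemapGid= values from a Quadlet unit fragment, in order."""
    uids, gids = [], []
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("RemapUid", "RemapGid"):
            (uids if key == "RemapUid" else gids).append(parse_triplet(value))
    return uids, gids

def resolve(maps, container_id):
    """Walk the triplets in order; None means the container ID is not mapped at all."""
    return next((h for h in (m.lookup(container_id) for m in maps) if h is not None), None)

def overlapping(maps):
    """True if two triplets claim the same container ID or the same host/intermediate ID."""
    for i, a in enumerate(maps):
        for b in maps[i + 1:]:
            if (a.container_start < b.container_start + b.length and b.container_start < a.container_start + a.length) \
               or (a.host_start < b.host_start + b.length and b.host_start < a.host_start + a.length):
                return True
    return False
```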