On 8/1/23 10:48, Chris Evich wrote:
> On 8/1/23 05:51, Daniel Walsh wrote:
> > An easier way to do this would be to create a non root user with a
> > huge amount of UIDs and then run each container within that user with
> > Userns=auto. That would get you doing podman pulls without being
> > root, and have all of your containers isolated from each other with
> > user namespaces.
> I'm assuming you mean a huge amount of sub-UIDs (and sub-GIDs).
> Neat! So with --userns=auto, the container UID/GID assignment is: "nil
> (Host User UID is not mapped into container.)". Surely that would
> make life easier and also simplify the ownership of storage items.
> I'm guessing it wouldn't matter, but would it make any difference to
> have many entries of smaller ranges (for the host-user), rather than
> one massive one?
> Reason I ask is, one entry/range per pod or app would be simpler to
> manage with tools like Ansible - where it's trivial to manipulate
> lines in `/etc/sub{u,g}id` - rather than trying to "assign" out of a
> single huge entry (and ensuring it's always large enough) to the
> user's pods/apps.
> In the `newuidmap` I couldn't find mention of any maximum number of
> ranges. Would it be limited to the max command-line length then?
There used to be a max of 5 ranges, and Podman might not allow you to
specify that many.
Anyways, why worry about individual ranges? Just define cevich with
100000000 UIDs and go to town.
> ---
> Chris Evich (he/him), RHCA III
> Senior Quality Assurance Engineer
> If there's a "hard-way", I'm the first one to implement it.
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
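A sanity check for the `/etc/sub{u,g}id` layouts discussed above, added here as an example and not code from the thread or from Podman: it totals a user's sub-ID allocation, counts the user's entries (useful if a tool caps the number of ranges), and flags ranges that overlap between users, since overlapping ranges would let two users' containers map the same host IDs and defeat the per-user isolation that user namespaces are meant to provide. The sample file and user names are constructed; on a real host point the functions at `/etc/subuid` and `/etc/subgid`.

```shell
#!/bin/sh
# Checks for /etc/subuid-style files (one "user:start:count" entry per line).
# SAMPLE is a constructed file standing in for /etc/subuid; the overlap between
# alice and cevich is deliberate so that subid_overlaps has something to report.
SAMPLE="$(mktemp)"
cat >"$SAMPLE" <<'EOF'
cevich:100000:65536
cevich:165536:65536
cevich:231072:65536
alice:200000:65536
bob:300000:100000000
EOF

# Total number of sub-IDs a user has across all of its entries ($1=user $2=file).
subid_total() {
    awk -F: -v u="$1" '$1 == u { sum += $3 } END { print sum + 0 }' "$2"
}

# Number of entries (ranges) a user has ($1=user $2=file).
subid_ranges() {
    awk -F: -v u="$1" '$1 == u' "$2" | wc -l | tr -d ' '
}

# Report every entry whose range overlaps an earlier one, regardless of user.
# Prints one line per overlapping pair; exits 1 if any overlap exists, else 0.
subid_overlaps() {
    sort -t: -k2,2n "$1" | awk -F: '
        NR > 1 && $2 < max_end {
            printf "%s:%s:%s overlaps %s:%s:%s\n", $1, $2, $3, pu, ps, pc
            found = 1
        }
        # Track the furthest-reaching range seen so far, not just the previous line.
        $2 + $3 > max_end { max_end = $2 + $3; pu = $1; ps = $2; pc = $3 }
        END { exit (found ? 1 : 0) }'
}

# Stand-alone run: summarise the sample and show the overlap report.
for u in cevich alice bob; do
    echo "$u: $(subid_ranges "$u" "$SAMPLE") range(s), $(subid_total "$u" "$SAMPLE") IDs"
done
subid_overlaps "$SAMPLE" || echo "overlapping ranges found; fix before relying on userns isolation"
```

The same check applies unchanged to `/etc/subgid`; run it after every Ansible-managed edit so a new per-app entry can never be placed inside another user's range.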