Hi all again,

I noticed podman is fast, very fast even, at copying and chowning the rootfs, when firing up a new container. How can it be that fast? I tried to recursively chown, with some code of mine, an OverlayFS-based rootfs but it's pretty slow. metacopy=on significantly improves the performance yet podman does not leverage metacopy since it's incompatible with userxattr.

Thanks,
Fabio.


Il 4 maggio 2023 21:20:37 CEST, Daniel Walsh <dwalsh@redhat.com> ha scritto:
On 5/4/23 04:29, Paul Holzinger wrote:
Hi Fabio,

My understanding is that the image is copied and chown-ed to the correct uids when running rootless.
There is also the concept of idmapped mounts in the kernel but the kernel only allows this as root at the moment.

Paul

On Thu, May 4, 2023 at 8:56 AM Fabio <fabio@redaril.me> wrote:
Hi all,

I'm trying to understand some of the internals of namespace-based Linux
containers and I'm kindly asking you for help.

When launching `podman run -it --rm -v ~/Downloads:/dwn
docker.io/library/ubuntu /bin/bash`, the inside user is root. That is
expected, and without any surprise the /proc/self/uid_map is:
          0       1000          1
          1     100000      65536

When launching `podman run -it --rm -v ~/Downloads:/dwn --userns keep-id
docker.io/library/ubuntu /bin/bash` instead, the /proc/self/uid_map is:
          0          1       1000
       1000          0          1
       1001       1001      64536

If I'm understanding it well, in the latter case there is a double
mapping: to keep host UID and GID, podman fires two user namespaces,
where the inner namespace maps its IDs the outer namespace, which
finally maps to the host (that is, 1000 -> 0 -> 1000 again).

Correct.
The mechanism I don't get is how podman manages to make the rootfs owned
by root inside the inner namespace, while assigning volumes to the
unprivileged inner user:
dr-xr-xr-x.   1 root   root      18 May  4 06:33 .
dr-xr-xr-x.   1 root   root      18 May  4 06:33 ..
lrwxrwxrwx.   1 root   root       7 Mar  8 02:05 bin -> usr/bin
drwxr-xr-x.   1 root   root       0 Apr 18  2022 boot
[...]
drwxr-xr-x.   1 myuser 1000    2.1K May  3 15:07 dwn

What is the algorithm here? I have a feeling there is some clever
combination of syscalls here I don't get. When I tried to reproduce this
double namespace situation, the rootfs of the inner namespace was all
owned by 1000, not 0.
 
Thank you so so much for your time if you're willing to help me,
Fabio.
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io

_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io