On 1/24/20 10:33 PM, karl(a)touchpoint.io wrote:
This is a spinoff / continuation of my prior thread that should
hopefully be a bit more generic and therefore applicable to more people.
Simply put: what work do i need to do to a host prior to invoking `podman run...` on a
rootless container?
As best i can tell:
- Create a system level user (usually a U/GID under 1000 and no home-dir, password,
shell)
No. Rootless users are usually normal users, and should have home
directories at least, this is where the containers and images are stored.
- Create a new sub UID/GID range in /etc/subuid and /etc/subgid file
that the user/groups *in* the container will map to *on* the host
Yes.
useradd will do this automatically.
- Create space on the host for the volumes and other files
that'll need to get mounted into the container
Usually this is just the homedir.
And then this is where I get lost.
I'd *like* to make the permissions applied to the on-host directories as narrow as
possible, but I've not found a reliable way to determine which U/GID should be applied
to the file/folder.
If you are running the rootless container as root then the UID should be the uid of the user.
If I create a host system user with UID 995, this UID won't be what gets mapped into
the container which will result in "not permitted" errors when the process
inside the container tries to touch files that are mapped from the host into the
container.
By default the rootless user's UID is mapped into the container as UID=0.
So I've started to use a rather crude approach:
- chmod -R 777 /path/to/dir/that/mounts/into/container
- podman run ...
- ls -lah /path/to/dir/that/mounts/into/container
- chown $(uid from above step) /path/to/dir/that/mounts/into/container
- chmod -R 0750 /path/to/dir/that/mounts/into/container
My question is: is there a better way?
In the specific case of the prometheus container, the container wants to run as the
`nobody` user which has the ID `65534`. See:
Then you need to create a range of users that is as large as 65534.
```
/ $ id nobody
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
```
And if I look at my `/etc/subuid` file, I see that `prometheus` has `65536` IDs allocated
to it, starting from `427680`. See:
```
$ cat /etc/subuid
<...snip...>
prometheus:427680:65536
```
And using the (crude) method from above, I can see that the files are being written to
disk as the user `493213`. See:
```
prometheus@my-host:/tmp/prom/data$ ls -lah
total 16K
drwxrwxrwx 3 prometheus prometheus 4.0K Jan 24 12:43 .
drwxrwxrwx 3 prometheus prometheus 4.0K Jan 24 12:17 ..
-rw-r--r-- 1 493213 493213 0 Jan 24 12:43 lock
-rw-r--r-- 1 493213 493213 20K Jan 24 12:43 queries.active
drwxr-xr-x 2 493213 493213 4.0K Jan 24 12:43 wal
```
So doing a bit of math we can see that 493213 - 427680 = 65533. Or, said differently,
starting with the user ID 427680, and adding another 65534 users (counting from ID 0) we
get the user id 493213.
I can now change the permissions on the `/tmp/prom/data` path from `drwxrwxrwx &
prometheus prometheus` to `drwx------ & 427680 427680` on the host.
So this brings me to my basic question: Is there a simpler way to get the value `427680`
from podman **prior** to running the container?
Thanks for your time/help!
-K
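A scripted version of the arithmetic worked through in the thread, added here as an example (not code from the thread or from podman itself): it applies the default rootless mapping (container UID 0 is the user's own UID, container UID n maps to subuid start + n - 1) to a constructed `/etc/subuid` sample and refuses when the allocated range is too small. The helper name `host_uid_for`, the sample entries and the UID 995 are assumptions.

```shell
#!/bin/sh
# Added example: predict which host UID a container UID lands on for a
# rootless podman user, before any container is started.
# Default rootless mapping: container UID 0 -> the user's own UID;
# container UID n (n >= 1) -> subuid_start + (n - 1), provided n <= count.

# Constructed /etc/subuid content mirroring the thread's prometheus entry.
SUBUID_SAMPLE='root:100000:65536
prometheus:427680:65536
alice:493216:1000'

# host_uid_for USER CONTAINER_UID OWN_UID [SUBUID_CONTENT]
# Prints the host UID. Prints nothing and returns 1 when the user has no
# subuid entry or the entry's count is smaller than CONTAINER_UID.
host_uid_for() {
    user=$1; cuid=$2; own_uid=$3
    content=${4:-"$(cat /etc/subuid)"}   # real file unless a sample is given
    if [ "$cuid" -eq 0 ]; then
        printf '%s\n' "$own_uid"          # root in the container == the user
        return 0
    fi
    # First matching entry; fields are user:start:count.
    line=$(printf '%s\n' "$content" | grep "^${user}:" | head -n 1)
    [ -n "$line" ] || return 1
    rest=${line#*:}; start=${rest%%:*}; count=${rest#*:}
    # The range must be at least as large as the highest container UID used
    # (the thread's nobody=65534 needs a count of 65534 or more).
    [ "$cuid" -le "$count" ] || return 1
    echo $((start + cuid - 1))
}

host_uid_for prometheus 65534 995 "$SUBUID_SAMPLE"   # 493213, as in the ls output
```

Once podman is installed, `podman unshare cat /proc/self/uid_map` prints the live mapping for the current user without starting a container.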
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io