2:47 a.m.
Hi all,
I'm trying to understand some of the internals of namespace-based Linux
containers and I'm kindly asking you for help.
When launching `podman run -it --rm -v ~/Downloads:/dwn
docker.io/library/ubuntu /bin/bash`, the inside user is root. That is
expected, and without any surprise the /proc/self/uid_map is:
0 1000 1
1 100000 65536
When launching `podman run -it --rm -v ~/Downloads:/dwn --userns keep-id
docker.io/library/ubuntu /bin/bash` instead, the /proc/self/uid_map is:
0 1 1000
1000 0 1
1001 1001 64536
If I'm understanding it well, in the latter case there is a double
mapping: to keep host UID and GID, podman fires two user namespaces,
where the inner namespace maps its IDs the outer namespace, which
finally maps to the host (that is, 1000 -> 0 -> 1000 again).
The mechanism I don't get is how podman manages to make the rootfs owned
by root inside the inner namespace, while assigning volumes to the
unprivileged inner user:
dr-xr-xr-x. 1 root root 18 May 4 06:33 .
dr-xr-xr-x. 1 root root 18 May 4 06:33 ..
lrwxrwxrwx. 1 root root 7 Mar 8 02:05 bin -> usr/bin
drwxr-xr-x. 1 root root 0 Apr 18 2022 boot
[...]
drwxr-xr-x. 1 myuser 1000 2.1K May 3 15:07 dwn
What is the algorithm here? I have a feeling there is some clever
combination of syscalls here I don't get. When I tried to reproduce this
double namespace situation, the rootfs of the inner namespace was all
owned by 1000, not 0.
Thank you so so much for your time if you're willing to help me,
Fabio.
4:29 a.m.
New subject: How does podman set rootfs ownership to root when using --userns keep-id ?
Hi Fabio,
My understanding is that the image is copied and chown-ed to the correct
uids when running rootless.
There is also the concept of idmapped mounts in the kernel but the kernel
only allows this as root at the moment.
Paul
On Thu, May 4, 2023 at 8:56 AM Fabio <fabio(a)redaril.me> wrote:
Hi all,
I'm trying to understand some of the internals of namespace-based Linux
containers and I'm kindly asking you for help.
When launching `podman run -it --rm -v ~/Downloads:/dwn
docker.io/library/ubuntu /bin/bash`, the inside user is root. That is
expected, and without any surprise the /proc/self/uid_map is:
0 1000 1
1 100000 65536
When launching `podman run -it --rm -v ~/Downloads:/dwn --userns keep-id
docker.io/library/ubuntu /bin/bash` instead, the /proc/self/uid_map is:
0 1 1000
1000 0 1
1001 1001 64536
If I'm understanding it well, in the latter case there is a double
mapping: to keep host UID and GID, podman fires two user namespaces,
where the inner namespace maps its IDs the outer namespace, which
finally maps to the host (that is, 1000 -> 0 -> 1000 again).
The mechanism I don't get is how podman manages to make the rootfs owned
by root inside the inner namespace, while assigning volumes to the
unprivileged inner user:
dr-xr-xr-x. 1 root root 18 May 4 06:33 .
dr-xr-xr-x. 1 root root 18 May 4 06:33 ..
lrwxrwxrwx. 1 root root 7 Mar 8 02:05 bin -> usr/bin
drwxr-xr-x. 1 root root 0 Apr 18 2022 boot
[...]
drwxr-xr-x. 1 myuser 1000 2.1K May 3 15:07 dwn
What is the algorithm here? I have a feeling there is some clever
combination of syscalls here I don't get. When I tried to reproduce this
double namespace situation, the rootfs of the inner namespace was all
owned by 1000, not 0.
Thank you so so much for your time if you're willing to help me,
Fabio.
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
3:20 p.m.
New subject: How does podman set rootfs ownership to root when using --userns keep-id ?
On 5/4/23 04:29, Paul Holzinger wrote:
Hi Fabio,
My understanding is that the image is copied and chown-ed to the
correct uids when running rootless.
There is also the concept of idmapped mounts in the kernel but the
kernel only allows this as root at the moment.
Paul
On Thu, May 4, 2023 at 8:56 AM Fabio <fabio(a)redaril.me> wrote:
Hi all,
I'm trying to understand some of the internals of namespace-based
Linux
containers and I'm kindly asking you for help.
When launching `podman run -it --rm -v ~/Downloads:/dwn
docker.io/library/ubuntu <http://docker.io/library/ubuntu>
/bin/bash`, the inside user is root. That is
expected, and without any surprise the /proc/self/uid_map is:
0 1000 1
1 100000 65536
When launching `podman run -it --rm -v ~/Downloads:/dwn --userns
keep-id
docker.io/library/ubuntu <http://docker.io/library/ubuntu>
/bin/bash` instead, the /proc/self/uid_map is:
0 1 1000
1000 0 1
1001 1001 64536
If I'm understanding it well, in the latter case there is a double
mapping: to keep host UID and GID, podman fires two user namespaces,
where the inner namespace maps its IDs the outer namespace, which
finally maps to the host (that is, 1000 -> 0 -> 1000 again).
Correct.
The mechanism I don't get is how podman manages to make the rootfs
owned
by root inside the inner namespace, while assigning volumes to the
unprivileged inner user:
dr-xr-xr-x. 1 root root 18 May 4 06:33 .
dr-xr-xr-x. 1 root root 18 May 4 06:33 ..
lrwxrwxrwx. 1 root root 7 Mar 8 02:05 bin -> usr/bin
drwxr-xr-x. 1 root root 0 Apr 18 2022 boot
[...]
drwxr-xr-x. 1 myuser 1000 2.1K May 3 15:07 dwn
What is the algorithm here? I have a feeling there is some clever
combination of syscalls here I don't get. When I tried to
reproduce this
double namespace situation, the rootfs of the inner namespace was all
owned by 1000, not 0.
Thank you so so much for your time if you're willing to help me,
Fabio.
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
_______________________________________________
Podman mailing list --podman(a)lists.podman.io
To unsubscribe send an email topodman-leave(a)lists.podman.io
3:11 a.m.
New subject: How does podman set rootfs ownership to root when using --userns keep-id ?
Hi all again,
I noticed podman is fast, very fast even, at copying and chowning the rootfs, when firing
up a new container. How can it be that fast? I tried to recursively chown, with some code
of mine, an OverlayFS-based rootfs but it's pretty slow. metacopy=on significantly
improves the performance yet podman does not leverage metacopy since it's incompatible
with userxattr.
Thanks,
Fabio.
Il 4 maggio 2023 21:20:37 CEST, Daniel Walsh <dwalsh(a)redhat.com> ha scritto:
On 5/4/23 04:29, Paul Holzinger wrote:
> Hi Fabio,
>
> My understanding is that the image is copied and chown-ed to the correct uids when
running rootless.
> There is also the concept of idmapped mounts in the kernel but the kernel only allows
this as root at the moment.
>
> Paul
>
> On Thu, May 4, 2023 at 8:56 AM Fabio <fabio(a)redaril.me> wrote:
>
> Hi all,
>
> I'm trying to understand some of the internals of namespace-based
> Linux
> containers and I'm kindly asking you for help.
>
> When launching `podman run -it --rm -v ~/Downloads:/dwn
> docker.io/library/ubuntu <http://docker.io/library/ubuntu>
> /bin/bash`, the inside user is root. That is
> expected, and without any surprise the /proc/self/uid_map is:
> 0 1000 1
> 1 100000 65536
>
> When launching `podman run -it --rm -v ~/Downloads:/dwn --userns
> keep-id
> docker.io/library/ubuntu <http://docker.io/library/ubuntu>
> /bin/bash` instead, the /proc/self/uid_map is:
> 0 1 1000
> 1000 0 1
> 1001 1001 64536
>
> If I'm understanding it well, in the latter case there is a double
> mapping: to keep host UID and GID, podman fires two user namespaces,
> where the inner namespace maps its IDs the outer namespace, which
> finally maps to the host (that is, 1000 -> 0 -> 1000 again).
>
Correct.
>
> The mechanism I don't get is how podman manages to make the rootfs
> owned
> by root inside the inner namespace, while assigning volumes to the
> unprivileged inner user:
> dr-xr-xr-x. 1 root root 18 May 4 06:33 .
> dr-xr-xr-x. 1 root root 18 May 4 06:33 ..
> lrwxrwxrwx. 1 root root 7 Mar 8 02:05 bin -> usr/bin
> drwxr-xr-x. 1 root root 0 Apr 18 2022 boot
> [...]
> drwxr-xr-x. 1 myuser 1000 2.1K May 3 15:07 dwn
>
> What is the algorithm here? I have a feeling there is some clever
> combination of syscalls here I don't get. When I tried to
> reproduce this
> double namespace situation, the rootfs of the inner namespace was all
> owned by 1000, not 0.
>
> Thank you so so much for your time if you're willing to help me,
> Fabio.
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
>
> _______________________________________________
> Podman mailing list --podman(a)lists.podman.io
> To unsubscribe send an email topodman-leave(a)lists.podman.io
550
days inactive
568
days old
3 comments
3 participants
participants (3)
-
Daniel Walsh -
Fabio -
Paul Holzinger