-
Notifications
You must be signed in to change notification settings - Fork 259
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UID/GID sync scripts #25
Comments
We could consider also moby/moby#42134 (comment) |
@bhack Namespace remapping can actually make things worse since you have to run the container as root for bind mounting to work. At that point, any tool that dislikes running as root will fail. Cloning into a volume instead avoids that particular problem, but it's also less convenient for quick actions and work when the source is local. I haven't found a slam dunk for how to resolve that particular issue. Namespace mapping also breaks certain things like docker-in-docker that are quite common. If you are running namespace mapped, you can disable UID sync'ing via the I wish there was an optional remapping on bind mounts but there isn't right now. 🤷♂️ Doesn't seem to be a perfect answer near as I can tell yet. Love to know if anyone finds one. |
Are you talking about the idmapping part of the mentioned thread?
P.s. See also moby/moby#28593 (comment) |
Yeah the referenced comment is making a statement about the design for the docker daemon running as something other than root. Running as non-root actually makes wanting to run as non-root inside the container harder - and that makes this overall situation worse. If you're cool running your container as root and you don't need elevated container privs it works fine. One thing I haven't tried is to see if you can run the daemon as some other user than your user to see if the sync'ing can kick in correctly in that case. Or did I misunderstand the reference in your comment? |
Yes this is the current case of docker But with future idmppaing mount support (moby/moby#28593 (comment)) cannot we map the mount in the container with the user we want? |
I don't know if you could test it with podman as it seems mereged there containers/podman#12298 |
Got it, yeah, once that is there the situation probably changes, I agree. Some of the comments from May in 2259 are encouraging. Fingers crossed that lands. We'd still need a fallback for kernels < 5.12, but that would narrow the problem and speed the whole process up. |
On using rootless: To use a non-root user ( |
I don't know if this is still valid and/or the same on Docker: |
Reading the article, it looks like there is only one regular host user per container, all others map to >100000 host UIDs. |
I have a suggestion for now: allow users to provide their own For example, I use docker-on/from-docker in all my devcontainers, and I would like to perform some additional remappings to the user within the container instead of only changing its UID/GID. For example, I'd like to change the username from This would be super nice for me. :) |
Using bind mounts on Linux (inclusive of WSL) can be confusing since the actual file descriptors from the host are used - inclusive of all permissions. The problem is that the user in the container - whether root or otherwise, can have different UID/GIDs than the host user - which means that files in the source folder can be unreadable or unwritable on either the host or the container depending on the situation. While you can use a volume to house source code instead of bind mounts, its useful to be able to use local source code mounts as well and can be manditory in CI/Automation scenarios as #9 is released.
The spec and reference CLI includes an
updateRemoteUserUID
property that defaults totrue
to deal with this problem which automatically updates a specified non-root user (incontainerUser
orrootUser
).However, while this does automatically update permissions in that user's
$HOME
directory in the container, it does not update other locations. This is problematic in a number of cases, but particularly when packages or other content the user needs to work with is not located there.Generally, the needed update is a
chown -R
on a directory, but this is not always the case - and more subtle updates can often be better (e.g. usingfind /location -uid 1000 -execdir chown username-here {} \+
). To provide a nuanced way to handle this, I'd propose a model similar to #19 where either Dockerfiles or dev container features can add a script to a known location. When a processor like the dev container CLI then executes a UID/GID update, these bash scripts are fired to make the needed updates. These would run as root and should be owned by root as a part of final image prep much like theusermod
/groupmod
commands when this step is needed.The text was updated successfully, but these errors were encountered: