Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow mixing userns=auto and userns=keep-id #24837

Open
Jookia opened this issue Dec 13, 2024 · 3 comments · May be fixed by #24882
Open

Allow mixing userns=auto and userns=keep-id #24837

Jookia opened this issue Dec 13, 2024 · 3 comments · May be fixed by #24882
Assignees
@giuseppe
Labels
jira kind/feature Categorizes issue or PR as related to a new feature.

Comments

@Jookia
Copy link

Jookia commented Dec 13, 2024

Feature request description

Currently you have to pick between using userns=auto for every container you have or being able to keep-id which is useful for development containers. I'm hitting this issue with distrobox for example.

Using the following flag gets a working result:

--userns=auto:gidmapping=1000:0:1,uidmapping=1000:0:1,size=65536

Suggest potential solution

podman never promises the UID range in nomap or keep-id. Maybe these could use auto by default, or by a configuration flag?

Have you considered any alternatives?

The application using podman could instead be changed to use =auto. In my case I modified distrobox. However there's no way for distrobox to know whether to use =auto or =keep-id, especially since using the wrong one may affect other containers running on the machine.

Additional context

Using =auto has a significant security boost, it would be nice to have this as a rootless user.
@Jookia Jookia added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 13, 2024
@giuseppe
Copy link
Member

if I understand correctly the problem you are facing, you'd like keep-id to not use all the available IDs?

I think we could achieve it adding a size= option to keep-id, something like --userns keep-id:size=1024.

@Jookia
Copy link
Author

Jookia commented Dec 19, 2024 via email
edited
Loading

@giuseppe giuseppe self-assigned this Dec 20, 2024
@giuseppe giuseppe added the jira label Dec 20, 2024
giuseppe added a commit to giuseppe/libpod that referenced this issue Dec 20, 2024
@giuseppe
namespaces: allow configuring keep-id userns size
5290a37 
Introduce a new option "size" to configure the maximum size of the
user namespace configured by keep-id.

Closes: containers#24837

Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe added a commit to giuseppe/libpod that referenced this issue Dec 20, 2024
@giuseppe
namespaces: allow configuring keep-id userns size
8f3662a 
Introduce a new option "size" to configure the maximum size of the
user namespace configured by keep-id.

Closes: containers#24837

Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe giuseppe linked a pull request Dec 20, 2024 that will close this issue
Open
@giuseppe
Copy link
Member

great, that is quite easy to add.

Opened a PR:

giuseppe added a commit to giuseppe/libpod that referenced this issue Dec 20, 2024
@giuseppe
namespaces: allow configuring keep-id userns size
67318cf 
Introduce a new option "size" to configure the maximum size of the
user namespace configured by keep-id.

Closes: containers#24837

Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe added a commit to giuseppe/libpod that referenced this issue Dec 20, 2024
@giuseppe
namespaces: allow configuring keep-id userns size
5f2b57b 
Introduce a new option "size" to configure the maximum size of the
user namespace configured by keep-id.

Closes: containers#24837

Signed-off-by: Giuseppe Scrivano <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@giuseppe giuseppe

Labels
jira kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

namespaces: allow configuring keep-id userns size giuseppe/libpod
2 participants
@giuseppe @Jookia