Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

namespaces: allow configuring keep-id userns size #24882

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

namespaces: allow configuring keep-id userns size #24882

wants to merge 2 commits into from
+86 −6

Conversation

giuseppe
Copy link
Member

Introduce a new option "size" to configure the maximum size of the user namespace configured by keep-id.

Closes: #24837

Now --userns=keep-id supports a new option `size` to configure the size of the user namespace

@giuseppe
specgen: fix comment
f7734a7 
Signed-off-by: Giuseppe Scrivano <[email protected]>
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Dec 20, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 20, 2024
@giuseppe giuseppe mentioned this pull request Dec 20, 2024
Open
@rhatdan
Copy link
Member

rhatdan commented Dec 20, 2024

LGTM

@Jookia
Copy link

Jookia commented Dec 20, 2024

How should this be integrated in to newer projects like distrobox? A version check to see if podman is > 5.3.1? Othersize size is undefined.

@giuseppe
namespaces: allow configuring keep-id userns size
5f2b57b 
Introduce a new option "size" to configure the maximum size of the
user namespace configured by keep-id.

Closes: containers#24837

Signed-off-by: Giuseppe Scrivano <[email protected]>
@Jookia
Copy link

Jookia commented Dec 20, 2024

I'm going to test this this weekend and try to integrate it in to distrobox to see if this works for my use case. I'll report back if it's a good solution for this problem.

@giuseppe
Copy link
Member Author

How should this be integrated in to newer projects like distrobox? A version check to see if podman is > 5.3.1? Othersize size is undefined.

personally I don't like version checks, it is error prone and it won't work if we backport the feature to older releases.

You could just run a simple container with that option and see if it works podman run --rm --userns=keep-id:size=1 $IMG /bin/true, or if it fails with Error: unknown option specified: "size"

@giuseppe
Copy link
Member Author

How should this be integrated in to newer projects like distrobox? A version check to see if podman is > 5.3.1? Othersize size is undefined.

personally I don't like version checks, it is error prone and it won't work if we backport the feature to older releases.

You could just run a simple container with that option and see if it works podman run --rm --userns=keep-id:size=1 $IMG /bin/true, or if it fails with Error: unknown option specified: "size"

even better if you specify the correct size you plan to use, so the image is copied and chowned only once

@Jookia
Copy link

Jookia commented Dec 20, 2024

Okay, thanks for the advice. I guess follow-up question is whether this will cause each container to have a different set of UIDs if I've never run --userns=auto before? It's a bit confusing how these interact.

@giuseppe
Copy link
Member Author

Okay, thanks for the advice. I guess follow-up question is whether this will cause each container to have a different set of UIDs if I've never run --userns=auto before? It's a bit confusing how these interact.

keep-id will keep using a static mapping, the size argument just makes sure it won't use all the available IDs, so that some of them can be used for auto containers

@Jookia
Copy link

Jookia commented Dec 22, 2024
edited
Loading

Good news: I have tested this with a modified distrobox and it works well! I can now run my userns=auto containers AND userns=keep-id:size=65536 distroboxes on my machine.

Bad news: I started looking at how to use this in distrobox. I can't guarantee 'podman run --rm --userns=keep-id:size=65336 $IMG /bin/true' will work as I can't guarantee the image will have /bin/true or really any specific binary. Would it be safe to take exit code 127 as success in this case?

My current code looks like this:

			# Add :size=65536 if possible
			if podman run --rm --userns=keep-id:size=65536 ${container_image} /bin/true 2>/dev/null || [ "$?" -eq 127 ] ; then
				result_command="${result_command}:size=65536"
			fi

Edit: This works perfectly fine, but it seems a little non-ideal.

@giuseppe
Copy link
Member Author

would be enough to just create the container without running it? podman create instead of podman run

@Jookia
Copy link

Jookia commented Dec 22, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Jookia Jookia Jookia left review comments

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. release-note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow mixing userns=auto and userns=keep-id
3 participants
@giuseppe @rhatdan @Jookia