
Include support for rootless container and user creation in oci-containers #112902

Open
bryanasdev000 opened this issue Feb 12, 2021 · 15 comments
Labels
0.kind: bug Something is broken

Comments

@bryanasdev000
Member

Describe the bug

In the current mode with podman, we define the specifications of our container and it goes up with the root user. Ideally it would have a podman user, or even better one user per container; this would help in abstraction and allow executing the containers with a service view.

To Reproduce
Steps to reproduce the behavior:

  1. Add this to your configuration.nix:

     ```nix
     virtualisation.oci-containers.backend = "podman";
     virtualisation.oci-containers.containers = {
       tester = {
         image = "pengbai/docker-supermario";
         ports = [ "8090:8080" ];
       };
     };
     ```

  2. nixos-rebuild switch
  3. ps aux | grep mario

Mario container will be running as root.

Expected behavior

Mario container will be running under user podman or podman-tester (podman+container name).


Notify maintainers

@adisbladis

Metadata
Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 5.10.10-zen1, NixOS, 21.03pre268835.8c8731330b5 (Okapi)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.10`
 - channels(root): `"nixos-21.03pre268835.8c8731330b5, home-manager"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module: oci-containers
@bryanasdev000 bryanasdev000 added the 0.kind: bug Something is broken label Feb 12, 2021
@adisbladis
Member

While I agree with the issue I don't think it's possible to do this in a way that's also compatible with the docker backend.

@bryanasdev000
Member Author

> While I agree with the issue I don't think it's possible to do this in a way that's also compatible with the docker backend.

Perhaps. Docker 20.10 supports rootless mode; despite having some limitations it seems usable.
(https://docs.docker.com/engine/security/rootless/)

But would it be a problem to have this only for Podman?

@adisbladis
Member

> But would it be a problem to have this only for Podman?

No, but no other options are only supported by one backend at the moment. Ideally we'd only have options compatible with both.

> Perhaps. Docker 20.10 supports rootless mode; despite having some limitations it seems usable.

That's news to me. Great!

@bryanasdev000
Member Author

> > But would it be a problem to have this only for Podman?
>
> No, but no other options are only supported by one backend at the moment. Ideally we'd only have options compatible with both.
>
> > Perhaps. Docker 20.10 supports rootless mode; despite having some limitations it seems usable.
>
> That's news to me. Great!

I will try to run some tests here, are you okay with one user per container?

@adisbladis
Member

adisbladis commented Feb 12, 2021

> I will try to run some tests here, are you okay with one user per container?

Couldn't we just run them with systemd's dynamicuser feature? It may be that this is not possible because of subuid/subgid requirements.

cc @saschagrunert
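The subuid/subgid point above is what makes one-user-per-container rootless podman fiddly: every service user needs its own subordinate ID range, and two users whose ranges overlap can end up sharing ownership of each other's container files. The following is an added example, not code from nixpkgs, the oci-containers module or this thread; it validates a constructed /etc/subuid against the podman-<name> user naming the issue proposes and reports missing or overlapping ranges.

```python
# Constructed sample /etc/subuid: podman-mario deliberately overlaps
# podman-tester, and podman-web (a container we expect) has no entry.
SAMPLE_SUBUID = """\
podman-tester:100000:65536
podman-mario:150000:65536
alice:300000:65536
"""

def parse_subuid(text: str) -> dict:
    """Return {user: [(first_id, count), ...]} from user:start:count lines."""
    ranges = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:start:count")
        user, start, count = parts[0], int(parts[1]), int(parts[2])
        if start <= 0 or count <= 0:
            raise ValueError(f"line {lineno}: start and count must be > 0")
        ranges.setdefault(user, []).append((start, count))
    return ranges

def find_overlaps(ranges: dict) -> list:
    """Sweep the sorted intervals; report each pair of users sharing an ID."""
    intervals = sorted((s, s + c - 1, u) for u, rs in ranges.items() for s, c in rs)
    overlaps, cur_end, cur_user = [], -1, ""
    for start, end, user in intervals:
        if start <= cur_end:  # starts inside the furthest-reaching range seen so far
            overlaps.append(tuple(sorted((cur_user, user))))
        if end > cur_end:
            cur_end, cur_user = end, user
    return overlaps

def check_container_users(subuid_text: str, containers: list, prefix: str = "podman-") -> list:
    """Problems that would break one-user-per-container rootless podman."""
    ranges = parse_subuid(subuid_text)
    problems = [f"missing: {prefix}{n} has no subordinate ID range"
                for n in containers if prefix + n not in ranges]
    problems += [f"overlap: {a} and {b} share subordinate IDs"
                 for a, b in find_overlaps(ranges)]
    return problems

if __name__ == "__main__":
    for problem in check_container_users(SAMPLE_SUBUID, ["tester", "mario", "web"]):
        print(problem)
```

Point it at the real file with `check_container_users(open("/etc/subuid").read(), names)` and repeat for /etc/subgid, since the two files are maintained separately.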

@bryanasdev000
Member Author

> > I will try to run some tests here, are you okay with one user per container?
>
> Couldn't we just run them with systemd's dynamicuser feature? It may be that this is not possible because of subuid/subgid requirements.
>
> cc @saschagrunert

Hmm, thanks for the dose of knowledge; I didn't know about the dynamic user.

However, I believe that at first it would not work for containers with volumes, correct?

I imagine that we would have many *IDs in the equation.

@saschagrunert
Member

Hm, maybe this feature could help us here:
containers/podman#7778

> > But would it be a problem to have this only for Podman?
>
> No, but no other options are only supported by one backend at the moment. Ideally we'd only have options compatible with both.

I think this is a blocker for now.

@bryanasdev000
Member Author

> Hm, maybe this feature could help us here:
> containers/podman#7778
>
> > > But would it be a problem to have this only for Podman?
> >
> > No, but no other options are only supported by one backend at the moment. Ideally we'd only have options compatible with both.
>
> I think this is a blocker for now.

I didn't understand how it would look in this case if I used two replicas of the same container; would they conflict on the volume's UID?

And I understood about the docker issue: it would be, at first, an exclusive feature of podman.

I will run some tests with the rootless docker.

@bryanasdev000
Member Author

I think a service account for general management is also a possibility, for example, a podman and docker user.

@stale

stale bot commented Aug 15, 2021

I marked this as stale due to inactivity.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Aug 15, 2021
@bryanasdev000
Member Author

Up.

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Aug 17, 2021
@stale

stale bot commented Apr 29, 2022

I marked this as stale due to inactivity.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Apr 29, 2022
@dzmitry-lahoda

Some scripts use docker as a build system, so this would be a fast track for nixification before going deep into Nix.

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Sep 20, 2022
@claes
Contributor

claes commented Nov 14, 2022

Related: #138423

@felixsanz

Is it not possible to just add an option like `podmanUser: "1000:100";` and use that `User` inside systemd's generated service file? The `podman run` command would then be executed by the user specified in that option.
