
Shared mounts with UID/GID mapping #12154

Closed
freva opened this issue Nov 1, 2021 · 4 comments · Fixed by #12298
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

freva commented Nov 1, 2021

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

We are running multiple rootful containers with --uidmap & --gidmap, each with disjoint ranges from other containers. Over time the goal is to migrate to fully rootless containers and I think the issue also applies there.

The problem we want to solve is that we want to be able to mount the same directory into multiple containers and let each of them use it as if the owners are all within their namespace. I.e. the mount should have a thin layer that fakes UID/GID of the file owners for each container, but the actual files are not duplicated, I believe something similar is done with container image files when starting the container?

Ideally this would be an option to --volume, similar to U, but that does not modify the host filesystem.

Showcasing the wanted behavior with commands:

host $ ls -ln /data
total 0
drwxr-xr-x. 5 1000 1000 41 Sep 24 10:13 dir1
drwxr-xr-x. 5 1000 1000 63 Oct 29 17:45 dir2
sudo podman run -d --name container1 --net podman --uidmap 0:100000:65536 --gidmap 0:100000:65536 --entrypoint ls -v /data:/data:z centos:8 -ln /data
total 0
drwxr-xr-x. 5 1000 1000 41 Sep 24 10:13 dir1
drwxr-xr-x. 5 1000 1000 63 Oct 29 17:45 dir2
sudo podman run -d --name container2 --net podman --uidmap 0:200000:65536 --gidmap 0:100000:65536 --entrypoint ls -v /data:/data:z centos:8 -ln /data
total 0
drwxr-xr-x. 5 1000 1000 41 Sep 24 10:13 dir1
drwxr-xr-x. 5 1000 1000 63 Oct 29 17:45 dir2

The current behavior is that the ls in the container will show IDs 65534.

@openshift-ci openshift-ci bot added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 1, 2021
rhatdan (Member) commented Nov 2, 2021

Potentially something like this could be done with the shifting file system, but we don't use that yet. @giuseppe WDYT?

giuseppe (Member) commented Nov 9, 2021

yes, I think this can be achieved with idmapped mounts.

We will need to make it explicit though, with a new option -v /data:/data:M?

giuseppe (Member) commented Nov 9, 2021

also, this should happen in the OCI runtime, which is currently not possible because the runtime-specs miss this feature

giuseppe added a commit to giuseppe/libpod that referenced this issue Nov 18, 2021
pass down the "idmap" mount option to the OCI runtime.

Needs: containers/crun#780

Closes: containers#12154

[NO NEW TESTS NEEDED] there is no crun version yet that supports the
new feature.

Test case (must run as root):

podman run --rm -v foo:/foo alpine touch /foo/bar

podman run --uidmap 0:1:1000 --rm -v foo:/foo:idmap alpine ls -l /foo
total 0
-rw-r--r--    1 root     root             0 Nov 15 14:01 bar

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
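The ID translation that the original report (ls showing 65534 in container1/container2) and the commit's test case (root-owned bar still showing as root under --uidmap 0:1:1000 with :idmap) both rely on, as an added model of the arithmetic; this is illustration code, not podman's or crun's implementation, and the 65534 overflow id is the kernel default.

```python
"""Model of how a user-namespace mapping composes with a plain bind mount
versus an idmapped mount (constructed illustration, not podman/crun code).

A --uidmap/--gidmap triple "C:H:N" means container id C+i is host id H+i
for 0 <= i < N.  A host id that falls in no range is shown inside the
namespace as the kernel overflow id (65534, "nobody")."""

OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid


def parse_map(spec):
    """Parse one or more comma-separated 'container:host:len' triples."""
    maps = []
    for triple in spec.split(","):
        c, h, n = (int(x) for x in triple.split(":"))
        maps.append((c, h, n))
    return maps


def host_to_container(host_id, maps):
    """What a process inside the user namespace sees for a host id."""
    for c, h, n in maps:
        if h <= host_id < h + n:
            return c + (host_id - h)
    return OVERFLOW_ID


def container_to_host(cont_id, maps):
    """Reverse direction: host id behind a container id (None if unmapped)."""
    for c, h, n in maps:
        if c <= cont_id < c + n:
            return h + (cont_id - c)
    return None


def plain_bind_view(disk_id, userns):
    """Plain bind mount: the on-disk id is the host id, then the userns
    translates it; ids outside the container's range collapse to 65534."""
    return host_to_container(disk_id, userns)


def idmapped_view(disk_id, userns):
    """Idmapped mount using the container's own mapping: the mount first
    rewrites on-disk id C to host id H, and the userns then maps H back to
    C, so the container sees the on-disk id unchanged without any chown."""
    host_id = container_to_host(disk_id, userns)
    if host_id is None:
        return OVERFLOW_ID
    return host_to_container(host_id, userns)
```

Two containers with disjoint --uidmap ranges therefore both see the same directory as owned by 1000 through idmapped mounts, while the on-disk owner stays 1000.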