Closed
Description
Issue Description
I'm seeing the wrong UID on the output of podman compose top. I'm running rootless podman with rootless users inside the containers, but under my user ns (keepid). The container user with UID 1000 in this case is called nonroot and my host uesr is samuel.
I'm new to podman so I have a lot to learn, let me know if this issue should be better on the docker-compose side.
Steps to reproduce the issue
- Have a running compose environment with PODMAN_USERNS=keep-id-
- Check the output of podman top, podman compose top, and host ps.
Describe the results you received
Podman top output (UID's inside the container:
afy-backend(AFY-512-big-refactor)$ podman top afy-backend-app-1
USER PID PPID %CPU ELAPSED TTY TIME COMMAND
nonroot 1 0 0.000 19m29.040208648s ? 0s /bin/sh /app/./scripts/runserver.dev.sh
nonroot 20 1 0.086 19m20.040264425s ? 1s python3 manage.py runserver 0.0.0.0:8000
nonroot 28 20 1.726 19m19.04029244s ? 20s /opt/venv/bin/python3 manage.py runserver 0.0.0.0:8000Podman compose output (IT SHOWS ROOT!)
afy-backend(AFY-512-big-refactor)$ podman compose top app
>>>> Executing external compose provider "/usr/bin/docker-compose". Please refer to the documentation for details. <<<<
afy-backend-app-1
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 16:42 ? 00:00:00 /bin/sh /app/./scripts/runserver.dev.sh
root 20 1 0 16:42 ? 00:00:01 python3 manage.py runserver 0.0.0.0:8000
root 28 20 1 16:42 ? 00:00:20 /opt/venv/bin/python3 manage.py runserver 0.0.0.0:8000
From the host perspective, the process show UID 1000
afy-backend(AFY-512-big-refactor)$ DID=$(docker inspect -f '{{.State.Pid}}' afy-backend-app-1); ps --ppid $DID -o user,uid,gid,pid,ppid,cmd
USER UID GID PID PPID CMD
samuel 1000 1000 25018 24067 python3 manage.py runserver 0.0.0.0:8000
afy-backend(AFY-512-big-refactor)$
Describe the results you expected
I expected the UID shown in podman compose top to be 1000, as inside the containers and on the host.
podman info output
host:
arch: amd64
buildahVersion: 1.33.7
cgroupControllers:
- cpu
- io
- memory
- pids
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.1.10-1.fc39.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.1.10, commit: '
cpuUtilization:
idlePercent: 98.23
systemPercent: 0.5
userPercent: 1.27
cpus: 8
databaseBackend: sqlite
distribution:
distribution: fedora
variant: workstation
version: "39"
eventLogger: journald
freeLocks: 2022
hostname: e14fedora
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 524288
size: 65536
uidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 524288
size: 65536
kernel: 6.7.11-200.fc39.x86_64
linkmode: dynamic
logDriver: journald
memFree: 9848229888
memTotal: 16449613824
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns-1.10.0-1.fc39.x86_64
path: /usr/libexec/podman/aardvark-dns
version: aardvark-dns 1.10.0
package: netavark-1.10.3-1.fc39.x86_64
path: /usr/libexec/podman/netavark
version: netavark 1.10.3
ociRuntime:
name: crun
package: crun-1.14.4-1.fc39.x86_64
path: /usr/bin/crun
version: |-
crun version 1.14.4
commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
os: linux
pasta:
executable: /usr/bin/pasta
package: passt-0^20240220.g1e6f92b-1.fc39.x86_64
version: |
pasta 0^20240220.g1e6f92b-1.fc39.x86_64
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
remoteSocket:
exists: true
path: /run/user/1000/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.2.2-1.fc39.x86_64
version: |-
slirp4netns version 1.2.2
commit: 0ee2d87523e906518d34a6b423271e4826f71faf
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.3
swapFree: 8589930496
swapTotal: 8589930496
uptime: 0h 60m 48.00s
variant: ""
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries:
search:
- docker.io
store:
configFile: /home/samuel/.config/containers/storage.conf
containerStore:
number: 11
paused: 0
running: 6
stopped: 5
graphDriverName: overlay
graphOptions: {}
graphRoot: /home/samuel/.local/share/containers/storage
graphRootAllocated: 240423796736
graphRootUsed: 58886856704
graphStatus:
Backing Filesystem: btrfs
Native Overlay Diff: "true"
Supports d_type: "true"
Supports shifting: "false"
Supports volatile: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 53
runRoot: /run/user/1000/containers
transientStore: false
volumePath: /home/samuel/.local/share/containers/storage/volumes
version:
APIVersion: 4.9.4
Built: 1711445992
BuiltTime: Tue Mar 26 06:39:52 2024
GitCommit: ""
GoVersion: go1.21.8
Os: linux
OsArch: linux/amd64
Version: 4.9.4Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
I'm on Fedora 39.
Additional information
No response