Skip to content

docs: clarify that --userns=keep-id runs container as host UID #27160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 25, 2025
Merged

docs: clarify that --userns=keep-id runs container as host UID #27160

merged 1 commit into from
Sep 25, 2025

Conversation

@dnlzro
Copy link
Contributor

@dnlzro dnlzro commented Sep 24, 2025
edited
Loading

Description

Currently, the docs state that the --userns=keep-id option maps the rootless user's UID/GID to the same values inside the container, but they don’t make explicit that the container's init process itself runs as that mapped UID/GID.

This behaviour has caused some confusion (see #24934). In practice:

  • Without --userns=keep-id, rootless containers default to running as root inside the container (mapped to the host UID externally).
  • With --userns=keep-id, the init process runs as the host UID/GID inside the container, overriding the image’s USER instruction unless --user is explicitly set.

This PR updates the documentation to make that behaviour clear.

Does this PR introduce a user-facing change?

None

@dnlzro
docs: clarify that --userns=keep-id runs container as host UID
4652f5c 
Fixes: containers#24934

Signed-off-by: Daniel Lazaro <git@dlazaro.ca>
@openshift-ci openshift-ci bot added the do-not-merge/release-note-label-needed Enforce release-note requirement, even if just None label Sep 24, 2025
Honny1
Honny1 approved these changes Sep 25, 2025
View reviewed changes
Copy link
Member

@Honny1 Honny1 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, LGTM.

/LGTM

Please add to the PR description:

```release-note
None
```

@openshift-ci openshift-ci bot added release-note-none and removed do-not-merge/release-note-label-needed Enforce release-note requirement, even if just None labels Sep 25, 2025
@dnlzro
Copy link
Contributor Author

dnlzro commented Sep 25, 2025

/assign @giuseppe

giuseppe
giuseppe approved these changes Sep 25, 2025
View reviewed changes
Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 25, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Sep 25, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dnlzro, giuseppe, Honny1

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 25, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit af65d46 into containers:main Sep 25, 2025
40 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@giuseppe giuseppe giuseppe approved these changes

@Honny1 Honny1 Honny1 approved these changes

Assignees

@giuseppe giuseppe

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note-none

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dnlzro @giuseppe @Honny1