
Add use rootless page #93

Merged
merged 3 commits into from
May 13, 2023
Conversation

zeehio
Contributor

@zeehio zeehio commented Apr 25, 2023

Tagging @cboettig since he suggested that I write something here.

I have a solution for running the container rootless:

There are many advantages to rootless containers, the main one being security.

The main caveat with rootless containers is when we want to map additional groups into the container (for instance when we have an additional group that owns a "shared_data" directory we want to access). In that case, we still need to learn quite a bit about id mapping. I've done my best to explain how things work and to provide a step-by-step guide in this pull request.

Hopefully this will eventually be simplified. It may be that I have overlooked something.

I guess we can wait some days to see how the issue evolves. It may be that I've missed something and my solution is overly complicated or that some feature needs to land in podman to simplify additional group management.

English is not my primary language. I would appreciate feedback or changes in wording.

Besides, I've been writing this for too long. I may need to take some time to get some perspective and re-read it again, but I believe it is worth a first read.

Member

@eitsupi eitsupi left a comment


Thanks for contributing!

The linter seems to be complaining about some whitespace.

Co-authored-by: eitsupi <50911393+eitsupi@users.noreply.github.com>
@eitsupi eitsupi requested a review from cboettig April 25, 2023 16:04
@cboettig
Member

Thanks for doing this @zeehio, we appreciate the contribution.

I'll leave this open while we resolve the discussion over at rocker-org/rocker-versioned2#636. Thanks for the link to containers/podman#18333; I don't follow the details there, but it seems to have momentum, so we can see what comes out of that as well. @agila5 @hute37 or others using rootless docker -- your thoughts are welcome on these docs as well!

@hute37

hute37 commented Apr 26, 2023

Just a note ...

Now I'm busy configuring a working rootless podman setup with full CUDA support.

I'm interested in a CRAN keras setup in a pyenv/poetry tensorflow environment.

Some references here:

@hute37

hute37 commented Apr 26, 2023

In the original issue:

There are some comments useful for documentation about process/filesystem uid/gid mapping.

@eitsupi
Member

eitsupi commented May 13, 2023

@hute37 Thanks for the comments!

It seems that the issues you linked to still exist, but I have merged rocker-org/rocker-versioned2#636 and would like to merge this PR and see what happens.
Please let me know if there are any problems.

@eitsupi eitsupi merged commit e59c051 into rocker-org:master May 13, 2023
@zeehio
Contributor Author

zeehio commented May 30, 2023

Just to give you an update on this issue.

It may be that podman reviewers do not like my implementation, or that it does not get enough attention to make it to the end. But I'll do my best.

This is my ideal roadmap, with checks where "it's done":

The simpler instructions will be:

# Get the group id you want to use inside the container:
$ getent group mygroup
mygroup:x:2000:youruser1,user2,user3
# The group id for mygroup is 2000

# Subordinate that group to your user: (just once)
$ sudo usermod --add-subgids "2000-2000" $USER

# Run podman:
$ podman run \
  --rm \
  -v /shared_dir:/shared_dir \
  --group-add keep-groups \
  --gidmap "+g102000:@2000" \
  rocker/rstudio

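The simplified instructions above (look up the host gid, subordinate it to the user, then run podman with `--group-add keep-groups` and `--gidmap`) lend themselves to a pre-flight check. The script below is an added example and is not code from the pull request or from rocker or Podman. It parses a `getent group` line and `/etc/subgid` content, both constructed inline here so it runs offline, reports whether the gid is already subordinated to the user, and assembles the `--gidmap` value. The rule "container gid = 100000 + host gid" is an assumption of this example that reproduces the comment's `102000` for gid `2000`; the comment does not state that rule, and any container-side gid may be used.

```shell
#!/bin/sh
# Added example, not from the PR: pre-flight check for the rootless podman
# recipe in the comment above. Real use would replace the constructed data
# with `getent group mygroup` and the contents of /etc/subgid.

# Constructed sample data (same shape as `getent group` output and /etc/subgid).
SAMPLE_GROUP_LINE='mygroup:x:2000:youruser1,user2,user3'
SAMPLE_SUBGID='youruser1:100000:65536
youruser1:2000:1
user2:165536:65536'

# gid_of GROUP_LINE: print the numeric gid (third colon-separated field).
gid_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# subgid_covers USER GID SUBGID_CONTENT: return 0 if any subgid range
# belonging to USER (lines of the form user:start:count) contains GID.
subgid_covers() {
    user=$1
    gid=$2
    content=$3
    printf '%s\n' "$content" | {
        while IFS=: read -r u start count; do
            [ "$u" = "$user" ] || continue
            end=$((start + count - 1))
            if [ "$gid" -ge "$start" ] && [ "$gid" -le "$end" ]; then
                exit 0   # leaves the piped subshell; the function returns 0
            fi
        done
        exit 1           # no matching range for this user
    }
}

# gidmap_value HOST_GID: build the --gidmap value used in the comment above.
# Assumption of this example: container gid = 100000 + host gid.
gidmap_value() {
    printf '+g%s:@%s\n' "$((100000 + $1))" "$1"
}

# Demo on the constructed data: tell the user which step comes next.
gid=$(gid_of "$SAMPLE_GROUP_LINE")
if subgid_covers youruser1 "$gid" "$SAMPLE_SUBGID"; then
    printf 'gid %s is subordinated to youruser1; run:\n' "$gid"
    printf '  podman run --rm -v /shared_dir:/shared_dir --group-add keep-groups --gidmap "%s" rocker/rstudio\n' \
        "$(gidmap_value "$gid")"
else
    printf 'gid %s is not subordinated; run once: sudo usermod --add-subgids "%s-%s" $USER\n' \
        "$gid" "$gid" "$gid"
fi
```

The check reads a copy of `/etc/subgid` rather than calling `usermod` itself, so it can be run by an unprivileged user to confirm that the one-time `sudo usermod --add-subgids` step has already been done before attempting the `podman run`.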
@hute37

hute37 commented May 30, 2023

I read the page. It looks good.


About group data sharing

I'm not an expert here, but maybe Podman Volumes could provide more natural support.

In labs, where I can freely manage user accounts, I tried a different approach, setting the data group as the "primary" group and swapping the default group (same name as the userid) to an alternate user group.
Homes are kept with user:user ownership and 750 mode.


About documentation, please consider adding a "References" section with links to external resources:

For default podman group membership mapping:

Dan Walsh's Blog:

For CUDA support:

eitsupi added a commit that referenced this pull request Oct 9, 2023
This PR has a balance of 117 additions and 209 deletions.

Six months ago I wrote an article about using rocker in rootless
containers.
- #93

Some settings were complicated due to limitations in the `--gidmap`
syntax exposed by Podman.

As discussed there, I ended up contributing syntax enhancements to
Podman.

This PR simplifies the explanations of the rootless page in the website,
using the lessons learned while working on Podman. It also focuses on
the `how it works` instead of the `why it works`, now that the syntax
improvements make options more natural.

It preserves instructions for earlier podman versions, although
upgrading is encouraged.

---------

Co-authored-by: eitsupi <50911393+eitsupi@users.noreply.github.com>