Question:
How can I use podman to run a container as a non-root such that the root user inside the container is not mapped to the host user running the container?
Details
In podman, when running a container as non-root, the container root uid (0) is mapped to the host uid, whereas all other uids are mapped according to the /etc/subuid file. E.g.:
$ grep $USER /etc/subuid
myuser:231072:65536
$ id
uid=1000(myuser) gid=1000(myuser) groups=1000(myuser)
$ podman run --rm -ti -v /tmp:/tmp --entrypoint='["/sbin/my_init", "--"]' \
> docker.io/phusion/baseimage:0.11 bash
[...]
*** Running bash...
root@e9f79e3fe659:/# touch /tmp/as_root
root@e9f79e3fe659:/# adduser --gecos '' --disabled-password inneruser
Adding user `inneruser' ...
Adding new group `inneruser' (1000) ...
Adding new user `inneruser' (1000) with group `inneruser' ...
Creating home directory `/home/inneruser' ...
Copying files from `/etc/skel' ...
root@e9f79e3fe659:/# setuser inneruser touch /tmp/as_inneruser
root@e9f79e3fe659:/# ls -n /tmp/as_root /tmp/as_inneruser
-rw-r--r-- 1 1000 1000 0 Oct 8 19:20 /tmp/as_inneruser
-rw-r--r-- 1 0 0 0 Oct 8 19:05 /tmp/as_root
root@e9f79e3fe659:/# exit
exit
*** bash exited with status 0.
[...]
*** Killing all processes...
$ ls -n /tmp/as_root /tmp/as_inneruser
-rw-r--r-- 1 232071 232071 0 out 8 16:20 /tmp/as_inneruser
-rw-r--r-- 1 1000 1000 0 out 8 16:05 /tmp/as_root
As can be seen above, the container root user was mapped to the uid of the host user running the container (i.e. 1000), so files created by root have myuser's uid (i.e. 1000).
Whereas non-root users inside the container are mapped according to the subuid mapping of the running user, i.e.: user inneruser inside the container, with uid 1000, was mapped to uid 232071 (231072 + 1000) of the host machine.
Repeating the Question:
How can I use podman to run a container as a non-root such that the root user inside the container is not mapped to the host user running the container?
I tried passing --subuidname=myuser to podman, i.e.:
$ podman run --subuidname=myuser --rm -ti -v /tmp:/tmp --entrypoint='["/sbin/my_init", "--"]' \
> docker.io/phusion/baseimage:0.11 bash
But I get this message:
Error: error creating libpod runtime: there might not be enough IDs available in the namespace
(requested 231072:231072 for /home/myuser/.local/share/containers/storage/overlay/l):
chown /home/myuser/.local/share/containers/storage/overlay/l: invalid argument
I would have expected that passing the exact namespace assigned to my user would have the effect of mapping all container uids, including the container root (0), to the set of uids mapped to my user in /etc/subuid.
Technical Details:
The .config/containers/storage.conf file was changed from the vfs driver to the overlay driver using fuse-overlayfs, i.e.:
[storage]
driver = "overlay"
runroot = "/run/user/1000"
graphroot = "/home/myuser/.local/share/containers/storage"
[storage.options]
size = ""
remap-uids = ""
remap-gids = ""
ignore_chown_errors = ""
remap-user = ""
remap-group = ""
ostree_repo = ""
skip_mount_home = ""
mount_program = "/home/myuser/bin/fuse-overlayfs"
Other than that, it's a standard podman version 1.5.1 installed on Ubuntu 18.04 using the official PPAs.
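The uid numbers in the question follow directly from the uid_map that rootless podman sets up: container uid 0 is mapped to the uid of the user running podman, and container uids 1 and up are mapped onto that user's /etc/subuid range, so container uid 1000 lands on 231072 + 1000 - 1 = 232071 (the owner of /tmp/as_inneruser on the host). The script below is an added example, not part of the original post: it builds that default map from an /etc/subuid line and translates container uids with a small parser for the `inside_id outside_id count` format that the kernel exposes in /proc/PID/uid_map. The second map, in which the whole container uid space including root lands in the subuid range, is constructed here to show what the mapping the asker is after looks like; it is not a mapping the post observed. Host uid 1000 and the subuid line are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): translate container uids to host
# uids using the /proc/PID/uid_map line format "inside_id outside_id count".
# All maps below are constructed from the numbers in the post, not captured
# from a running container.

# build_default_map HOST_UID SUBUID_LINE
# Builds the uid_map rootless podman uses by default from an /etc/subuid line
# "name:start:count": container uid 0 -> HOST_UID, container uids 1.. -> subuid range.
build_default_map() {
    host_uid=$1
    start=${2#*:}; start=${start%%:*}
    count=${2##*:}
    printf '0 %s 1\n1 %s %s\n' "$host_uid" "$start" "$count"
}

# map_uid MAP CONTAINER_UID
# Prints the host uid that CONTAINER_UID corresponds to under MAP, or
# "unmapped" when no line of the map covers it (the kernel would show such an
# id as the overflow uid, normally 65534, on the host).
map_uid() {
    cid=$2
    result=unmapped
    oldifs=$IFS
    IFS='
'
    for line in $1; do
        IFS=' '
        set -- $line                      # inside_id outside_id count
        inside=$1; outside=$2; count=$3
        if [ "$cid" -ge "$inside" ] && [ "$cid" -lt $((inside + count)) ]; then
            result=$((outside + cid - inside))
            break
        fi
    done
    IFS=$oldifs
    printf '%s\n' "$result"
}

# Default rootless map for the user in the post (uid 1000, subuid line from /etc/subuid).
DEFAULT_MAP=$(build_default_map 1000 'myuser:231072:65536')

# Constructed map in which root is NOT the host user: the entire container uid
# space 0..65535 is placed inside the subuid range, so nothing in the container
# can create host files owned by uid 1000.
SUBUID_ONLY_MAP='0 231072 65536'

map_uid "$DEFAULT_MAP" 0           # 1000   -> why /tmp/as_root is owned by 1000 on the host
map_uid "$DEFAULT_MAP" 1000        # 232071 -> matches /tmp/as_inneruser in the post
map_uid "$SUBUID_ONLY_MAP" 0       # 231072 -> container root stays inside the subuid range
map_uid "$SUBUID_ONLY_MAP" 70000   # unmapped -> beyond the 65536 ids the map covers
```

Inside any container, `cat /proc/self/uid_map` prints the same three-column format the parser reads, which is the quickest way to check what mapping a given podman invocation actually produced (the real `--uidmap` option of `podman run` is what controls these lines; its exact semantics for the 1.5.1 build in the question are not something this example verifies).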