Proof-of-concept: set up necessary idmappings for userns_mode=auto in Container.create()#499
Proof-of-concept: set up necessary idmappings for userns_mode=auto in Container.create()#499vmsh0 wants to merge 1 commit into
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: vmsh0 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
@giuseppe PTAL |
|
would you be interested to try to fix it in Podman? If you are not interested/familiar with the project or language, then it is fine to fix it here |
I would be interested in attempting that :) I am not a Go programmer by trade, but I am probably familiar enough with it for this particular fix. I have successfully built podman yesterday, now I'm trying to get the tests to run. Can I bother you (or someone else) if I can't get the tests to run? What is the preferred channel, GitHub or something more ephemeral (e.g., IRC)? |
There was a problem hiding this comment.
@vmsh0 maybe late to the party, but here are the comms channels :) https://github.com/containers/podman/blob/main/README.md#communications
|
Hi, sorry for reviving this after a year. I have twice attempted to allocate some time last year to get podman to compile and try to get this fixed, but this is just not fitting in in my life at the moment. Would the project still be interested in the Python workaround? |
… Container.create() This is a proof-of-concept commit to gather initial feedback Signed-off-by: Riccardo Paolo Bestetti <pbl@bestov.io>
vmsh0
force-pushed
the
container-userns
branch
from
bdd5b88 to
594c123
Compare
| if "userns_mode" in args: | ||
| params["userns"] = normalize_nsmode(args.pop("userns_mode")) | ||
|
|
||
| # proof-of-concept |
There was a problem hiding this comment.
Yep. So far this patch is just a workaround I have deployed in my software to make things work, but if it is something that you would include in the library I'll clean it up and perhaps see about adding tests
There was a problem hiding this comment.
There was a problem hiding this comment.
they are only linting errors. @vmsh0
diff --git a/podman/domain/containers_create.py b/podman/domain/containers_create.py
index 066902c..308549d 100644
--- a/podman/domain/containers_create.py
+++ b/podman/domain/containers_create.py
@@ -847,7 +847,9 @@ class CreateMixin: # pylint: disable=too-few-public-methods
default_idmappings = {
"AutoUserNs": False if params["userns"]["nsmode"] != "auto" else True,
- "AutoUserNsOpts": None if params["userns"]["nsmode"] != "auto" else {
+ "AutoUserNsOpts": None
+ if params["userns"]["nsmode"] != "auto"
+ else {
"AdditionalUIDMappings": None,
"AdditionalGIDMappings": None,
"PasswdFile": "",please reformat and change the subject line to < 72 characters so all linters are happy :)
There was a problem hiding this comment.
also, my two cents: I am ok with the workaround with an open issue in Podman that cross-references the change in the code. @vmsh0 I am active on podman-py, so if you need help working on both repos feel free to tag me around or in our matrix channel and I'll be happy to help
There was a problem hiding this comment.
@vmsh0 I can live with the work-around if you add more detail on why we are doing it and under what conditions it should be removed.
Here, in the code, or somewhere else?
By the way, today I have validated that the workaround is still needed in recent Podman, as last year when I discovered this I was running Podman 4.
As for testing, more the better. :-)
👍
also, my two cents: I am ok with the workaround with an open issue in Podman that cross-references the change in the code. @vmsh0 I am active on podman-py, so if you need help working on both repos feel free to tag me around or in our matrix channel and I'll be happy to help
The best case scenario for me would be if you could provide some support in getting podman to compile so I can still try to fix it there. But if that's too much, I would still appreciate your guidance in getting this patch ready for podman-py instead
There was a problem hiding this comment.
Uh. I tried to build latest Podman, and this time it looks like I have succeeded without any hiccups. Could also reproduce the issue there. Let me look into this a bit more, and I'll find you on Matrix if I need help.
Thank you!
5 participants
This is a proof-of-concept commit to gather initial feedback.
This addresses the issue in #493, i.e., that passing
userns='auto'to Container.create() results in the option being silently ignored.Before this patch,
podman-pyused to set up theusernsAPI parameter when theusernsparameter was given to Container.create(). However, upon investigation, it seems like the Podman service silently ignores the passedusernsif parameteridmappingsis missing.This patch addresses this behaviour by setting up
idmappingswith neutral values (i.e., the values resulting in the same behaviour as the Podman client when called with --userns=auto without more specific options), while specifically retaining any explicit values passed by the user using the undocumented argumentidmappings.I am looking for some feedback about this PR:
merge_dicts()function? Or would it be better altogether to merge the relatively small structure manually and avoid adding that function altogether?podman-py. In your view, what would be a good collection of integration tests for this PR/feature? At a minimum, I will be contributing one integration test which checks that passing theuserns='auto'results in a container with a private user namespace, with IDs not overlapping with the initial namespace, as that is my use case