Skip to content

Reduce required namespace mapping via manually generated user #10

Closed
lethedata wants to merge 1 commit into dockur:master from lethedata:GUDmapping

Conversation

@lethedata lethedata commented Nov 21, 2024

Replace the apk tor user with a generated toranan user and group to reduce the required namespace mapping from the full 65535 range to a 102 range. UID 100 is used to match the original tor UID, while GID 101 is used to avoid an existing group.

@lethedata (Author)

Ran into issues reopening PR #9 after rebasing on the recent version, hence the new PR.

@lethedata lethedata changed the title from "Replace apk tor user with manually generated user" to "Reduce required namespace mapping via manually generated user" Nov 21, 2024
Replace the apk tor user with a generated toranan user and group to reduce the required namespace mapping from 65535 to 102. UID 100 is used to match the original tor UID, while GID 101 is used to avoid an existing group.
@kroese kroese (Contributor) commented Mar 18, 2025

It would be nice if you first explained a bit why the namespace mapping has to be reduced? What advantage does it bring?

@lethedata (Author)

No longer needed due to the Alpine tor package adding group creation to pre-install via commit c0113e27.

@lethedata lethedata closed this Mar 18, 2025
@lethedata (Author)

> It would be nice if you first explained a bit why the namespace mapping has to be reduced? What advantage does it bring?

Although no longer needed, here's the answer to your question:

tldr: the normal subid/subgid range is 66536, and this container defaulted to basically needing the full range (65534), even though it technically didn't need it. The high range was caused by the tor user being in the nogroup group. This meant the default subid/subgid had to be adjusted to run with other containers.

When isolating containers with the userns flags, podman/docker takes the range of uid/gids needed by a container and remaps it to a subordinate range. The subordinate range is set through the /etc/subid and /etc/subgid files. A common subid/subgid range to set for a user (and also seemingly the recommended minimum) is 66536. This is basically one full 16-bit Linux UID range. Docker and Podman containers only map to a subrange that the container needs, not the entire 16-bit space. Normally this means that multiple containers could run at once without needing to adjust the default ranges; however, before the package was updated, this container basically needed the entire range. This was due to the tor user being in the nogroup group, which is set all the way at 65533. So rather than just needing a range of 102 (0-101), it needed a range of 65534 (0-65533).

A better explanation of docker container isolation:
https://docs.docker.com/engine/security/userns-remap/
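As an added illustration of the sizing argument in the comment above (example code written for this page, not part of the PR or the dockur project): the script below resolves a container's service account from /etc/passwd and /etc/group style text, computes the contiguous id span that account forces a remapped container to occupy (highest uid or gid it touches, plus one), and checks how many such containers fit into a subordinate allotment declared in /etc/subuid or /etc/subgid style lines. The passwd, group and subid snippets are constructed for the example and are not copied from the image; the 65536-id allotment is an assumption standing in for "one full 16-bit range".

```python
"""Size the UID/GID span a container service account forces under userns remap.

Added example, not code from the dockur project or this PR. It follows the
comment's reasoning: ids 0..max must be mapped contiguously onto the
subordinate range, so the highest id the service account touches decides how
much of the /etc/subuid and /etc/subgid allotment one container consumes.
"""
from dataclasses import dataclass

# Constructed Alpine-style snippets for illustration (not taken from the image).
# Before the change: the tor user's primary group is nogroup at gid 65533.
PASSWD_BEFORE = "root:x:0:0:root:/root:/bin/ash\ntor:x:100:65533:tor:/var/lib/tor:/sbin/nologin\n"
GROUP_BEFORE = "root:x:0:root\nnogroup:x:65533:\n"
# After the change: a generated toranan user (uid 100) with its own group at gid 101.
PASSWD_AFTER = "root:x:0:0:root:/root:/bin/ash\ntoranan:x:100:101:tor:/var/lib/tor:/sbin/nologin\n"
GROUP_AFTER = "root:x:0:root\ntoranan:x:101:\n"
# Assumed subordinate allotment: one full 16-bit range for a hypothetical host user.
SUBUID = "podmanuser:100000:65536\n"


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int          # primary group
    groups: tuple     # supplementary gids


def parse_passwd(text):
    """Return {name: (uid, primary_gid)} from /etc/passwd-style text."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        out[name] = (int(uid), int(gid))
    return out


def parse_group(text):
    """Return {gid: [member names]} from /etc/group-style text."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":")
        out[int(gid)] = [m for m in members.split(",") if m]
    return out


def account(name, passwd_text, group_text):
    """Resolve a service account's uid, primary gid and supplementary gids."""
    uid, gid = parse_passwd(passwd_text)[name]
    supplementary = tuple(sorted(
        g for g, members in parse_group(group_text).items() if name in members))
    return Account(name, uid, gid, supplementary)


def required_span(acct):
    """Contiguous mapping of 0..max means the span is the highest id plus one."""
    return max((acct.uid, acct.gid, *acct.groups)) + 1


def parse_subid(text):
    """Parse /etc/subuid or /etc/subgid lines of the form name:start:count."""
    ranges = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        ranges[name] = (int(start), int(count))
    return ranges


def containers_that_fit(subid_text, user, span):
    """Number of containers with this span that fit in user's allotment."""
    _start, count = parse_subid(subid_text)[user]
    return count // span


if __name__ == "__main__":
    before = account("tor", PASSWD_BEFORE, GROUP_BEFORE)
    after = account("toranan", PASSWD_AFTER, GROUP_AFTER)
    for label, acct in (("before", before), ("after", after)):
        span = required_span(acct)
        fit = containers_that_fit(SUBUID, "podmanuser", span)
        print(f"{label}: {acct.name} uid={acct.uid} gid={acct.gid} "
              f"span=0..{span - 1} ({span} ids), containers per allotment={fit}")
```

Run stand-alone it reports the two cases from the comment: the nogroup primary group forces a 65534-id span (one container per 65536-id allotment), while the generated group at gid 101 needs a 102-id span, so several hundred such containers share the same allotment without touching the default subid ranges.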
