Support enabling idmap (or chown) globally

[klausenbusk]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

userns can be set to auto in containers.conf, which is very useful to transparently enable this feature. This causes issues with volume ownership, which can be fixed by using the idmap or chown (U) option when attaching the volume to the container. Unfortunately, the client (gitlab-runner in my case) must be modified to make passing these options possible.

It would be useful if idmap (or chown) could be enabled globally, so userns=auto can be used without requiring changes to the client.

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[rhatdan]

I could see doing idmapping for volumes since this is not destructive and time consuming. Where as chowning would hurt you on both. idmapping currently only works with root containers.

@giuseppe WDYT?

[giuseppe]

I think that having a global setting to override the default options for volumes could be helpful

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[giuseppe]

we have a :idmap option now. I am not sure whether it should be a global setting though, it is safer if it is specified for the individual mount. It should be used only when needed, e.g. volumes shared among different containers with different mappings, not a global setting (potentially a security issue since --userns=auto can then create files owned by root even if running in a user namespace)