Use newuidmap to allow multiple ID mappings when running rootless #1403
Conversation
|
I think this is viable for using ranges > 1 in user namespaces with rootless containers (as long as it is optional). |
|
269/275 passed on RHEL - Failed. |
|
We pushed some more commits to avoid shelling out, and to ensure that tests pass on both Travis and Jenkins. The new flags we added are currently global, in a similar way to Maintainers, do you have any other thoughts? |
|
I don't really like this because it dilutes what "rootless containers" means by conflating "proper" rootless containers with containers that are started with privileged helpers -- this is one of the reasons that cgroups were punted on rather than going the LXC route and using their cgroup helpers. I'm wondering if there's some other way of implementing this integration that doesn't cause this dilution (I'd hope that you could do it with some additional hooks but I'm unsure how easy it would be to implement this). |
|
I'm going to review this more thoroughly though. |
|
Fwiw I don't think anything in this PR conflicts with the rootless use case any more than the fact runc already supports running as root as well as rootlessly conflicts with it. In the case where you have permissions (either because you're root or because you're doing a 1:1 mapping) no setuid binary is needed. This is just adding support for the OS-supported-and-secured newuidmap binary to allow a non-root user to be delegated the ability to use runc in a particular mapping range (via the standard /etc/subuids mechanism) without being given the generic ability to create containers for arbitrary uid ranges. Tbh given /etc/subuids / newuidmap etc are shipped by major OSes it seems pretty odd for runc not to support using them. |
Yeah, I understood as much. But this split in functionality is (IMO) harder to make obvious than the root-or-not-root modes. As I said though, I'll mess around with this some more.
Sure, but my view on those is soured by how Docker handled their user namespace story (we had to go through a bunch of pain to update |
|
@cyphar Any further thoughts on this? Appreciate you are extremely busy, such is the life of a maintainer 😆 |
|
Sorry for letting this stagnate. There are several bits from this PR that I like but several bits from #1529 that I like as well. I'll read through this PR again and then we'll carry over the nice parts into #1529. Does that sound okay @teddyking @williammartin? Again, sorry for not touching this for a while, my GitHub notifications are several pages long these days. I'm currently reworking my email setup so that I can more sanely handle GitHub notifications. |
- Remove check that we are mapping onl a single user
- Encode uid/gid mappings on a single line (so that they can be sent to
newuidmap/newgidmap)
- Call newuidmap/newgidmap instead of directly writing to
/proc/<pid>/{u,g}id_map
Signed-off-by: Georgi Sabev <georgethebeatle@gmail.com>
* Allows you to set the path to newuidmap and newgidmap binaries Signed-off-by: Ed King <eking@pivotal.io>
* No need to use the binaries if running as root Signed-off-by: Ed King <eking@pivotal.io>
Signed-off-by: Ed King <eking@pivotal.io>
Signed-off-by: Ed King <eking@pivotal.io>
Single-mapping rootless containers don't depend on newuidmap. Signed-off-by: Ed King <eking@pivotal.io>
Signed-off-by: Ed King <eking@pivotal.io> Signed-off-by: Georgi Sabev <georgethebeatle@gmail.com>
Signed-off-by: Ed King <eking@pivotal.io>
c91a263 to
ae792d6
Compare
|
Thanks @teddyking and @williammartin (and everyone else) for your contributions! |
Opening this PR to start a discussion Re: multiple ID mappings for rootless containers.
The approach suggested here makes use of
newuidmapandnewgidmapbinaries in order to provide the desired functionality.We've been experimenting with this approach on the Cloud Foundry Garden team and after some initial testing it seems to provide what we're after.
A possible downside to this approach is that it introduces a dependency on external binaries. However the binaries are available on most major distros, and are only ever used when opted in to and in cases where runc would have failed anyway if the binaries were not available.
Any feedback appreciated.
Cheers,
Ed