Page MenuHomeVyOS Platform

Rootless containers/set uid/gid for container
Closed, ResolvedPublicFEATURE REQUEST

Description

Some containers run as root or as arbitrary and non-settable UIDs, which makes aligning file permission a problem between them. Having the ability to append the --user flag to podman would help a lot in this

Details

Version
-
Is it a breaking change?
Config syntax change (migratable)
Issue type
Feature (new functionality)

Event Timeline

Unknown Object (User) subscribed.Jan 17 2024, 3:15 PM

Which user are you expecting? Hows to check from which user container was started?
Any idea for CLI?

Could describe the steps to reproduce when it started from the root and not the root?

vyos@r4# run show conf com | match c1
set container name c1 allow-host-networks
set container name c1 image 'alpine'
[edit]
vyos@r4# 
[edit]
vyos@r4# sudo podman container inspect c1 | match "user|UID"
          "ResolvConfPath": "/var/run/containers/storage/overlay-containers/8dbbc8ae1ffccb907edcd2e955515f8913a3e7d00bd1d50c158b0e17bb9d89d5/userdata/resolv.conf",
          "HostnamePath": "/var/run/containers/storage/overlay-containers/8dbbc8ae1ffccb907edcd2e955515f8913a3e7d00bd1d50c158b0e17bb9d89d5/userdata/hostname",
          "HostsPath": "/var/run/containers/storage/overlay-containers/8dbbc8ae1ffccb907edcd2e955515f8913a3e7d00bd1d50c158b0e17bb9d89d5/userdata/hosts",
          "StaticDir": "/usr/lib/live/mount/persistence/container/storage/overlay-containers/8dbbc8ae1ffccb907edcd2e955515f8913a3e7d00bd1d50c158b0e17bb9d89d5/userdata",
          "OCIConfigPath": "/usr/lib/live/mount/persistence/container/storage/overlay-containers/8dbbc8ae1ffccb907edcd2e955515f8913a3e7d00bd1d50c158b0e17bb9d89d5/userdata/config.json",
          "PidFile": "/var/run/containers/storage/overlay-containers/8dbbc8ae1ffccb907edcd2e955515f8913a3e7d00bd1d50c158b0e17bb9d89d5/userdata/pidfile",
               "CAP_SETUID",
               "CAP_SETUID",
[edit]
vyos@r4#

@Viacheslav

What are you expecting

This should pretty much explain it

vyos@gateway:~$ sudo podman run -it debian:latest /bin/bash
root@d61ed36cd633:/# id
uid=0(root) gid=0(root) groups=0(root)
exit
vyos@gateway:~$ sudo podman run -it --user 1000:100 debian:latest /bin/bash
radius_user@814a04aa75a3:/$ id
uid=1000(radius_user) gid=100(users) groups=100(users)

Hows to check from which user container was started?

I don't quite understand that question, could you elaborate?

Any idea for CLI?

set container name haproxy uid <UID>
set container name haproxy gid <GID>
Viacheslav triaged this task as Normal priority.Jan 20 2024, 2:11 AM
Viacheslav assigned this task to anonuser35hww45.
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.