• 0 Posts
  • 1 Comment
Joined 2 years ago
cake
Cake day: June 10th, 2023

help-circle
  • This is a consequence of user namespaces, which tripped me up until I read this article from Red Hat about running rootless containers as a non-root user. At that point I got that (the default options) map UID 0 in the container to my UID (i.e. 1000), but the other mappings were confusing.

    The short version of the useful part (for me) of that article was podman unshare (man podman-unshare), which launches a shell in a user namespace, like when you start a container. You can run the following command to see how the UIDs are mapped inside of the namespace:

    $ podman unshare cat /proc/self/uid_map
             0       1000          1
             1     100000      65536
    

    This is read (for this purpose, see man user_namespaces for a more detailed explanation of this) as “inside this namespace, the UIDs in column 1 map to the UID in column 2 on the caller process, for (column 3) IDs”. There is also gid_map which works the same way, but for groups.

    The snippet above is from my machine, so in a podman container, UID 0 maps to UID 1000 on the “host”, which is me, and this is “good” for only 1 user. Then, starting with UID 1, the container maps to UID 100000 in the container, and is good for 65536 UIDs. This is why when you set the PUID and GUID environment variables, on your filesystem you see the files are owned by 100999:100999 - you can use the mapping to figure the math out: 100000+1000-1=100999.

    Since podman unshare puts you in a shell that has the same (? terminology might not be totally right here) user namesapce as your containers, you can use it for lots of stuff – like in your comment you mentioned using chown to change the permissions to 100999:100999. Instead, you could have used podman unshare chown 1000:1000 which have correctly set the permissions for your volume mount, and on your filesystem outside the container, the permissions would be 100999:100999.