Page MenuHomeVyOS Platform
Create Task
Maniphest T5955

Rootless containers/set uid/gid for container
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Some containers run as root or as arbitrary and non-settable UIDs, which makes aligning file permission a problem between them. Having the ability to append the --user flag to podman would help a lot in this

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)
Issue type
Feature (new functionality)

Event Timeline

anonuser35hww45 created this task.Jan 17 2024, 3:11 PM
samip537 added a subscriber: samip537.Jan 17 2024, 3:15 PM
pasik added a subscriber: pasik.Jan 17 2024, 3:44 PM
Viacheslav added a subscriber: Viacheslav.Jan 17 2024, 4:11 PM

Which user are you expecting? Hows to check from which user container was started?
Any idea for CLI?

Could describe the steps to reproduce when it started from the root and not the root?

vyos@r4# run show conf com | match c1
set container name c1 allow-host-networks
set container name c1 image 'alpine'
[edit]
vyos@r4# 
[edit]
vyos@r4# sudo podman container inspect c1 | match "user|UID"
          "ResolvConfPath": "/var/run/containers/storage/overlay-containers/8dbbc8ae1ffccb907edcd2e955515f8913a3e7d00bd1d50c158b0e17bb9d89d5/userdata/resolv.conf",
          "HostnamePath": "/var/run/containers/storage/overlay-containers/8dbbc8ae1ffccb907edcd2e955515f8913a3e7d00bd1d50c158b0e17bb9d89d5/userdata/hostname",
          "HostsPath": "/var/run/containers/storage/overlay-containers/8dbbc8ae1ffccb907edcd2e955515f8913a3e7d00bd1d50c158b0e17bb9d89d5/userdata/hosts",
          "StaticDir": "/usr/lib/live/mount/persistence/container/storage/overlay-containers/8dbbc8ae1ffccb907edcd2e955515f8913a3e7d00bd1d50c158b0e17bb9d89d5/userdata",
          "OCIConfigPath": "/usr/lib/live/mount/persistence/container/storage/overlay-containers/8dbbc8ae1ffccb907edcd2e955515f8913a3e7d00bd1d50c158b0e17bb9d89d5/userdata/config.json",
          "PidFile": "/var/run/containers/storage/overlay-containers/8dbbc8ae1ffccb907edcd2e955515f8913a3e7d00bd1d50c158b0e17bb9d89d5/userdata/pidfile",
               "CAP_SETUID",
               "CAP_SETUID",
[edit]
vyos@r4#
anonuser35hww45 added a comment.EditedJan 18 2024, 2:15 PM

@Viacheslav

What are you expecting

This should pretty much explain it

vyos@gateway:~$ sudo podman run -it debian:latest /bin/bash
root@d61ed36cd633:/# id
uid=0(root) gid=0(root) groups=0(root)
exit
vyos@gateway:~$ sudo podman run -it --user 1000:100 debian:latest /bin/bash
radius_user@814a04aa75a3:/$ id
uid=1000(radius_user) gid=100(users) groups=100(users)

Hows to check from which user container was started?

I don't quite understand that question, could you elaborate?

Any idea for CLI?

set container name haproxy uid <UID>
set container name haproxy gid <GID>
Viacheslav triaged this task as Normal priority.Jan 20 2024, 2:11 AM
anonuser35hww45 added a comment.Feb 1 2024, 10:09 PM

PR: https://github.com/vyos/vyos-1x/pull/2927

Viacheslav closed this task as Resolved.Feb 2 2024, 9:20 AM
Viacheslav assigned this task to anonuser35hww45.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.
anonuser35hww45 added a comment.Feb 2 2024, 9:43 AM

Documentation PR: https://github.com/vyos/vyos-documentation/pull/1261