
1101 points codesmash | 6 comments
1. diarrhea No.45138006
One challenge I have come across is mapping multi-UID containers to a single host user.

By default, root in the container maps to the user running the podman container on the host. Over the years, applications have adopted patterns where containers run as non-root users, for example www-data aka UID 33 (Debian) or just 1000. Those no longer map to your own user on the host, but to subordinate IDs. I wish there was an easy way to just say "ALL container UIDs map to a single host user". The uidmap and userns options did not work for me (crun failed executing those containers).

I don’t see the use case for mapping to subordinate IDs. It means those files are orphaned on the host and do not belong to anyone when used via volume mapping?

replies(4): >>45138211 >>45138320 >>45138442 >>45138632
2. mixedbit No.45138211
If I understand things correctly, this is a Linux namespaces limitation, so tools like Docker or Podman will not be able to support such a mapping without support from Linux. But I'm afraid the requirement for UIDs to be mapped 1:1 is fundamental; otherwise, say, two container users, 1000 and 0, are mapped to the same host user 1000. Who then should be displayed in the container as the owner of a file that is owned by the user 1000 on the host?
3. teekert No.45138320
This. And then some way to just be “yourself” in the container as well. So logs just show “you”.
4. privatelypublic No.45138442
Have you looked at idmapped mounts? I don't think it'll fix everything (it only handles FS remapping, not kernel calls that are user-permissioned).
replies(1): >>45139568
5. lights0123 No.45138632
ignore_chown_errors will allow mapping root to your user ID without any other mappings required.
6. diarrhea No.45139568
I have not, thanks for the suggestion though.

A second challenge with the particular setup I’m trying is peer authentication with Postgres, running bare metal on the host. I mount the Unix socket into the container, and on the host Postgres sees the Podman user and permits access to the corresponding DB.

Works really well, but only if the container user is root and so maps natively. I ended up patching the container image, which was the path of least resistance.
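The UID arithmetic behind both of diarrhea's problems (www-data files landing on a subordinate ID in the first comment, and Postgres peer auth only working for container root in the last one) can be worked through offline. The script below is an added example and is not code from the thread or from podman; it applies the kernel's `/proc/<pid>/uid_map` translation to three map layouts that follow podman's documented behaviour for the default rootless mapping, `--userns=keep-id`, and `--userns=keep-id:uid=N,gid=N`. The host UID 1000, the subuid range 100000:65536 and the tiny `/etc/passwd` stand-in are constructed assumptions; confirm the real layout on your machine with `podman unshare cat /proc/self/uid_map`.

```python
"""Rootless podman UID mapping and Unix-socket peer auth, worked offline.

Added example, not podman's or the thread's code. Map layouts follow the
podman docs for the default rootless mapping and --userns=keep-id; verify
locally with `podman unshare cat /proc/self/uid_map`.
"""
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

# One uid_map line as the kernel prints it: (inside_first, outside_first, count).
Entry = Tuple[int, int, int]

# Constructed host setup (assumption): the podman user is UID 1000 and
# /etc/subuid grants it 100000:65536.
HOST_UID = 1000
SUB_START, SUB_COUNT = 100000, 65536
OVERFLOW_UID = 65534  # unmapped owners are shown as this ("nobody")


def default_map(host_uid: int = HOST_UID, sub_start: int = SUB_START,
                sub_count: int = SUB_COUNT) -> List[Entry]:
    """Rootless default: container root is you, every other UID is a subuid."""
    return [(0, host_uid, 1), (1, sub_start, sub_count)]


def keep_id_map(container_uid: int = HOST_UID, host_uid: int = HOST_UID,
                sub_start: int = SUB_START, sub_count: int = SUB_COUNT) -> List[Entry]:
    """--userns=keep-id[:uid=container_uid]: your host UID lands on
    container_uid; subuids fill the ranges below and above it."""
    entries = [
        (0, sub_start, container_uid),
        (container_uid, host_uid, 1),
        (container_uid + 1, sub_start + container_uid, sub_count - container_uid),
    ]
    return [e for e in entries if e[2] > 0]


def to_host(uid_map: List[Entry], container_uid: int) -> Optional[int]:
    """Kernel translation of a container UID to a host UID (None = unmapped)."""
    for inside, outside, count in uid_map:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def to_container(uid_map: List[Entry], host_uid: int) -> int:
    """How a host-owned file looks from inside; unmapped owners become 65534."""
    for inside, outside, count in uid_map:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return OVERFLOW_UID


def peer_auth_os_user(uid_map: List[Entry], container_uid: int,
                      passwd: Dict[int, str]) -> Optional[str]:
    """Peer auth over a bind-mounted socket: the server asks the kernel for the
    client's *host* UID (SO_PEERCRED) and resolves it against the host's
    passwd. `passwd` is a constructed {uid: name} stand-in for /etc/passwd;
    a subuid has no entry, so the lookup fails and peer auth rejects it."""
    host = to_host(uid_map, container_uid)
    return None if host is None else passwd.get(host)


def own_uid() -> int:
    return os.getuid()


def peer_uid_of_self() -> Optional[int]:
    """The SO_PEERCRED lookup itself over a socketpair (Linux only; None elsewhere)."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        raw = b.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
        _pid, uid, _gid = struct.unpack("3i", raw)  # struct ucred
    finally:
        a.close()
        b.close()
    return uid


if __name__ == "__main__":
    passwd = {0: "root", 1000: "alice"}  # constructed host /etc/passwd
    layouts = [("default", default_map()), ("keep-id", keep_id_map()),
               ("keep-id:uid=33", keep_id_map(33))]
    for label, m in layouts:
        print(f"{label:15} ctr root -> host {to_host(m, 0)}, ctr 33 -> host {to_host(m, 33)}, "
              f"host 1000 seen inside as {to_container(m, 1000)}, "
              f"peer auth as ctr 33 -> {peer_auth_os_user(m, 33, passwd)}")
    print("SO_PEERCRED on this process:", peer_uid_of_self(), "own uid:", own_uid())
```

Under the default map, container UID 33 writes files as host UID 100032 (the orphaned-looking owner from the first comment), and a Postgres peer-auth connection from that process carries UID 100032, which has no passwd entry, so only container root (host UID 1000) gets in. With `keep-id:uid=33`, container UID 33 is host UID 1000, so both the volume ownership and peer auth line up without rebuilding the image; the price, as mixedbit notes, is that some other container UID (here 0) now has to sit on a subuid, because the map must stay 1:1.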