
1101 points codesmash | 1 comments
diarrhea No.45138006
One challenge I have come across is mapping multi-UID containers to a single host user.

By default, root in the container maps to the user running the podman container on the host. Over the years, applications have adopted patterns where containers run as non-root users, for example www-data aka UID 33 (Debian) or just 1000. Those no longer map to your own user on the host, but to subordinate IDs. I wish there was an easy way to just say "ALL container UIDs map to a single host user". The uidmap and userns options did not work for me (crun failed to execute those containers).

I don’t see the use case for mapping to subordinate IDs. It means those files are orphaned on the host and do not belong to anyone, when used via volume mapping?

replies(4): >>45138211 >>45138320 >>45138442 >>45138632
1. mixedbit No.45138211
If I understand things correctly, this is a Linux namespaces limitation, so tools like Docker or Podman will not be able to support such a mapping without support from Linux. But I'm afraid the requirement for UIDs to be mapped 1:1 is fundamental. Otherwise, say two container users, 1000 and 0, are mapped to the same host user 1000: who then should be displayed in the container as the owner of a file that is owned by the user 1000 on the host?
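To make both comments above concrete, here is an added example that is not part of the thread and is neither Podman's nor the kernel's code. It translates IDs the way /proc/&lt;pid&gt;/uid_map does (container ID to host ID and back) and applies the kernel's rule from user_namespaces(7) that no two extents may overlap in their inside ranges or in their outside ranges, which is exactly why the "everything maps to my host user" map cannot exist. The three uid_map texts are constructed: one resembling the default rootless Podman layout for host UID 1000 with the subordinate range 100000-165535, one with the shape that `--userns=keep-id:uid=33` is intended to produce (an assumption about the layout; the option needs Podman 4.3 or later), and the many-to-one map the first comment wishes for, which the validator rejects.

```python
"""Translate IDs across a user namespace the way /proc/<pid>/uid_map does.

Added example for the thread above; not Podman's or the kernel's code.
The uid_map contents below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Extent:
    inside_first: int   # first ID inside the user namespace (container side)
    outside_first: int  # first ID in the parent namespace (host side)
    count: int          # length of the contiguous range


def parse_uid_map(text: str) -> List[Extent]:
    """Parse the three-column uid_map/gid_map format into extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError("extent length must be positive")
        extents.append(Extent(inside, outside, count))
    return extents


def _overlaps(a_first: int, a_count: int, b_first: int, b_count: int) -> bool:
    return a_first < b_first + b_count and b_first < a_first + a_count


def validate_uid_map(extents: List[Extent]) -> None:
    """Reject what the kernel rejects with EINVAL: two extents whose inside
    ranges overlap, or whose outside (host) ranges overlap. This is what
    forces the map to be a bijection, so "many container UIDs -> one host
    UID" is not expressible (see user_namespaces(7))."""
    for i, a in enumerate(extents):
        for b in extents[i + 1:]:
            if _overlaps(a.inside_first, a.count, b.inside_first, b.count):
                raise ValueError(f"inside ranges overlap: {a} / {b}")
            if _overlaps(a.outside_first, a.count, b.outside_first, b.count):
                raise ValueError(f"outside (host) ranges overlap: {a} / {b}")


def to_host(extents: List[Extent], container_uid: int) -> Optional[int]:
    """Host UID that owns a file the container writes as container_uid.
    None means the ID is unmapped and would appear as the overflow ID
    (65534, "nobody") on the other side."""
    for e in extents:
        if e.inside_first <= container_uid < e.inside_first + e.count:
            return e.outside_first + (container_uid - e.inside_first)
    return None


def to_container(extents: List[Extent], host_uid: int) -> Optional[int]:
    """Owner the container sees for a host file owned by host_uid."""
    for e in extents:
        if e.outside_first <= host_uid < e.outside_first + e.count:
            return e.inside_first + (host_uid - e.outside_first)
    return None


# Constructed: default rootless Podman layout. Container root is the host
# user (1000); every other container UID lands in the subordinate range.
DEFAULT_MAP = """\
         0       1000          1
         1     100000      65536
"""

# Constructed (assumed layout): the shape --userns=keep-id:uid=33 is meant
# to produce, so container UID 33 (www-data) is the host user and container
# root goes to the subordinate range instead.
KEEP_ID_33_MAP = """\
         0     100000         33
        33       1000          1
        34     100033      65503
"""

# Constructed: the "map all container UIDs to me" mapping the first comment
# wishes for. Two inside IDs would share host UID 1000.
MANY_TO_ONE_MAP = """\
         0       1000          1
        33       1000          1
"""


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_MAP), ("keep-id:uid=33", KEEP_ID_33_MAP)):
        m = parse_uid_map(text)
        validate_uid_map(m)
        print(f"{name}: container 0 -> host {to_host(m, 0)}, "
              f"container 33 -> host {to_host(m, 33)}, "
              f"host 1000 -> container {to_container(m, 1000)}")
    try:
        validate_uid_map(parse_uid_map(MANY_TO_ONE_MAP))
    except ValueError as exc:
        print("many-to-one rejected:", exc)
```

With the default map, a volume file written by www-data inside the container is owned by host UID 100032, which has no passwd entry on the host and so shows up as a bare number; in the other direction, a host file owned by an ID outside every extent shows up inside the container as 65534. To check a real system rather than the constructed data, compare the output against `podman unshare cat /proc/self/uid_map` and against the uid_map of a running container, for example `cat /proc/$(podman inspect -f '{{.State.Pid}}' NAME)/uid_map`.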