
1101 points codesmash | 1 comments
diarrhea No.45138006
One challenge I have come across is mapping multi-UID containers to a single host user.

By default, root in the container maps to the user running the podman container on the host. Over the years, applications have adopted patterns where containers run as non-root users, for example www-data aka UID 33 (Debian) or just 1000. Those no longer map to your own user on the host, but subordinate IDs. I wish there was an easy way to just say "ALL container UIDs map to single host user". The uidmap and userns options did not work for me (crun has failed executing those containers).

I don’t see the use case for mapping to subordinate IDs. It means those files are orphaned on the host and do not belong to anyone, when used via volume mapping?

replies(4): >>45138211 >>45138320 >>45138442 >>45138632
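As an added illustration that is not part of the thread: a small POSIX shell script that computes where a container UID lands on the host under rootless Podman's default user namespace mapping (container UID 0 to the host user's own UID, container UID N to the subordinate range start plus N-1), and the reverse lookup. The `/etc/subuid` line and the host UID 1000 are constructed assumptions.

```shell
#!/bin/sh
# Added example: rootless Podman default UID mapping, computed offline.
# Default map: container UID 0 -> host user's UID; container UID N (N >= 1)
# -> subuid range start + (N - 1), where start/count come from /etc/subuid.

# Constructed sample of an /etc/subuid entry (assumption: a single range).
SAMPLE_SUBUID="alice:100000:65536"

# host_uid_for <host_user_uid> <subuid_line> <container_uid>
# Prints the host UID that files created by <container_uid> are owned by,
# or "unmapped" when the container UID lies outside the subordinate range.
host_uid_for() {
    huid=$1
    start=$(printf '%s' "$2" | cut -d: -f2)
    count=$(printf '%s' "$2" | cut -d: -f3)
    cuid=$3
    if [ "$cuid" -eq 0 ]; then
        printf '%s\n' "$huid"
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
        printf '%s\n' $((start + cuid - 1))
    else
        printf 'unmapped\n'
    fi
}

# container_uid_for <host_user_uid> <subuid_line> <host_file_owner_uid>
# Inverse lookup: which container UID created a host file with this owner.
container_uid_for() {
    huid=$1
    start=$(printf '%s' "$2" | cut -d: -f2)
    count=$(printf '%s' "$2" | cut -d: -f3)
    owner=$3
    if [ "$owner" -eq "$huid" ]; then
        printf '0\n'
    elif [ "$owner" -ge "$start" ] && [ "$owner" -lt $((start + count)) ]; then
        printf '%s\n' $((owner - start + 1))
    else
        printf 'unmapped\n'
    fi
}

# www-data (33) and the common UID 1000 both land on subordinate IDs that no
# host account owns, which is the "orphaned files" effect on bind mounts.
for cuid in 0 33 1000 70000; do
    printf 'container UID %-6s -> host UID %s\n' "$cuid" \
        "$(host_uid_for 1000 "$SAMPLE_SUBUID" "$cuid")"
done
```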
privatelypublic No.45138442
Have you looked at idmapped mounts? I don't think it'll fix everything (it only handles FS remapping, not kernel calls that are user-permissioned).
replies(1): >>45139568
diarrhea No.45139568
I have not, thanks for the suggestion though.

A second challenge with the particular setup I’m trying is peer authentication with Postgres, running bare metal on the host. I mount the Unix socket into the container, and on the host Postgres sees the Podman user and permits access to the corresponding DB.

Works really well, but only if the container user is root, so it maps natively. I ended up patching the container image, which was the path of least resistance.