quadlet: Rework uid/gid remapping

Quadlet was doing some custom handling of uid/gid remapping, originating
from pre --userns=auto support, including its own user for getting subuids
which kinda conflicts with the "container" user used for that.

This drops all the old support for id remapping in favour of a new set
of keys that more directly map to the podman run options.

We have essentially 3 modes now:

```
RemapUsers=manual
RemapUid=0:10000:10
RemapUid=10:20000:10
RemapGid=0:10000:10
RemapGid=10:20000:10
```

This maps to --uidmap and --gidmap options.

```
RemapUsers=auto
```

This maps to --userns=auto. But you can additionally specify RemapUid,
RemapGid and RemapUidSize which gets applied as options to the
--userns podman option.

```
RemapUsers=keep-id
```

This maps to --userns=keep-id and only works for user units.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
This commit is contained in:
Alexander Larsson
2022-11-21 17:12:37 +01:00
parent 3f76f29adb
commit 285d6c9ba0
17 changed files with 116 additions and 915 deletions
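To show how the three modes described in the commit message translate to podman arguments, here is an added example (not podman's or quadlet's own code). The quadlet key names come from the message; the `--userns=auto` sub-option names (`size=`, `uidmapping=`, `gidmapping=`) are podman's, and pairing them with `RemapUidSize`, `RemapUid` and `RemapGid` is an assumption made for this example.

```python
import re

# A mapping value is "container_id:host_id:count", three non-negative ints.
_MAP_RE = re.compile(r"^\d+:\d+:\d+$")


def _check_map(key, value):
    if not _MAP_RE.match(value):
        raise ValueError(f"{key}={value}: expected container:host:count")
    return value


def remap_to_podman_args(keys, user_unit):
    """Translate quadlet Remap* keys into podman run arguments.

    keys: list of (Key, Value) pairs in file order (RemapUid/RemapGid repeat).
    user_unit: True for a user (rootless) unit, False for a system unit.
    """
    mode, size, uids, gids = None, None, [], []
    for key, value in keys:
        if key == "RemapUsers":
            mode = value
        elif key == "RemapUid":
            uids.append(_check_map(key, value))
        elif key == "RemapGid":
            gids.append(_check_map(key, value))
        elif key == "RemapUidSize":
            size = int(value)
    if mode is None:
        if uids or gids or size is not None:
            raise ValueError("RemapUid/RemapGid/RemapUidSize require RemapUsers")
        return []
    if mode == "manual":
        # Every RemapUid/RemapGid line becomes one --uidmap/--gidmap option.
        args = []
        for m in uids:
            args += ["--uidmap", m]
        for m in gids:
            args += ["--gidmap", m]
        return args
    if mode == "auto":
        # Extra keys are appended as --userns=auto:opt,opt sub-options (assumed pairing).
        opts = [f"size={size}"] if size is not None else []
        opts += [f"uidmapping={m}" for m in uids] + [f"gidmapping={m}" for m in gids]
        return ["--userns", "auto" + (":" + ",".join(opts) if opts else "")]
    if mode == "keep-id":
        if not user_unit:
            raise ValueError("RemapUsers=keep-id only works for user units")
        return ["--userns", "keep-id"]
    raise ValueError(f"unknown RemapUsers value: {mode}")
```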

@ -193,7 +193,7 @@ export BUILDTAGS="$BASEBUILDTAGS exclude_graphdriver_btrfs btrfs_noversion remot
%gobuild -o bin/%{name}-remote ./cmd/%{name}
# build quadlet
export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh) -X $(PROJECT)/v4/pkg/quadlet.QuadletUserName=quadlet"
export BUILDTAGS="$BASEBUILDTAGS $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh)"
%gobuild -o bin/quadlet ./cmd/quadlet
make docs docker-docs
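Review bot: dropping the `-X $(PROJECT)/v4/pkg/quadlet.QuadletUserName=quadlet` override from BUILDTAGS is consistent with the %pre quadlet user being removed below, but the removed line had placed a linker `-X` flag inside BUILDTAGS, which the %gobuild macro passes as build tags rather than ldflags, so the override was unlikely to have taken effect as written. Please confirm that pkg/quadlet no longer reads QuadletUserName, so no stale compiled-in default is left behind.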
@ -221,17 +221,6 @@ for file in `find %{buildroot}%{_mandir}/man[15] -type f | sed "s,%{buildroot},,
echo "$file*" >> podman.file-list
done
%pre quadlet
# We create a quadlet user so that we can get subuids and subgids allocated.
# It really is a system user, but Unfortunately useradd doesn't create subuids
# for system users, so we manually make it system-like and start at a higher
# min uid to avoid conflicts with common uid nrs around 1000
getent passwd quadlet >/dev/null || \
useradd -M -U -K SUB_UID_COUNT=65536 -K UID_MIN=50000 \
-s /sbin/nologin -d /nonexisting \
-c "User for quadlet" quadlet
exit 0
# This lists all the files that are included in the rpm package and that
# are going to be installed into target system where the rpm is installed.
%files -f %{name}.file-list
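Review bot: removing the %pre quadlet scriptlet stops creating the `quadlet` user on fresh installs, but hosts that installed an earlier package keep the user together with its 65536-entry subuid/subgid allocation; consider a %postun cleanup or at least a release note so that range is not left reserved. Since `RemapUsers=auto` now relies on the `container` user's subuid/subgid entries that the commit message mentions, the package should state that requirement where the old scriptlet used to satisfy it.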