opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-12-02 11:08:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

quadlet: Rework uid/gid remapping

Browse Source 
Quadlet was doing some custom handling of uid/gid remapping, originating
from pre --userns=auto support, including its own user for getting subuids
which kinda conflicts with the "container" user used for that.

This drops all the old support for id remapping in favour of a new set
of keys that more directly map to the podman run options.

We have essentially 3 modes now:

```
RemapUsers=manual
RemapUid=0:10000:10
RemapUid=10:20000:10
RemapGid=0:10000:10
RemapGid=10:20000:10
```

This maps to --uidmap and --gidmap options.

```
RemapUsers=auto
```

This maps to --userns=auto. But you can additionally specify RemapUid,
RemapGid and RemapUidSize which gets applied as options to the
--userns podman option.

```
RemapUsers=keep-id
```
This maps to --userns=keep-id and only works for user units.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
This commit is contained in:
Alexander Larsson
2022-11-21 17:12:37 +01:00
parent 3f76f29adb
commit 285d6c9ba0
17 changed files with 116 additions and 915 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
test/e2e/quadlet/noremapuser.container
View File

@@ -1,6 +0,0 @@
## !assert-podman-args --uidmap
## !assert-podman-args --gidmap
[Container]
Image=localhost/imagename
RemapUsers=no

28
test/e2e/quadlet/noremapuser2.container
View File

@@ -1,28 +0,0 @@
# This is an non-user-remapped container, but the user is mapped (uid
# 1000 in container is uid 90 on host). This means the result should
# map those particular ids to each other, but map all other container
# ids to the same as the host.
# There is some additional complexity, as the host uid (90) that the
# container uid is mapped to can't also be mapped to itself, as ids
# can only be mapped once, so it has to be unmapped.
## assert-podman-args --user 1000:1001
## assert-podman-args --uidmap 0:0:90
## assert-podman-args --uidmap 91:91:909
## assert-podman-args --uidmap 1000:90:1
## assert-podman-args --uidmap 1001:1001:4294966294
## assert-podman-args --gidmap 0:0:91
## assert-podman-args --gidmap 92:92:909
## assert-podman-args --gidmap 1001:91:1
## assert-podman-args --gidmap 1002:1002:4294966293
[Container]
Image=localhost/imagename
RemapUsers=no
User=1000
Group=1001
HostUser=90
HostGroup=91

5
test/e2e/quadlet/remap-auto.container Normal file
View File

@@ -0,0 +1,5 @@
## assert-podman-args --userns=auto
[Container]
Image=localhost/imagename
RemapUsers=auto

10
test/e2e/quadlet/remap-auto2.container Normal file
View File

@@ -0,0 +1,10 @@
## assert-podman-args "--userns=auto:uidmapping=0:10000:10,uidmapping=10:20000:10,gidmapping=0:10000:10,gidmapping=10:20000:10,size=20"
[Container]
Image=localhost/imagename
RemapUsers=auto
RemapUid=0:10000:10
RemapUid=10:20000:10
RemapGid=0:10000:10
RemapGid=10:20000:10
RemapUidSize=20

12
test/e2e/quadlet/remap-manual.container Normal file
View File

@@ -0,0 +1,12 @@
## assert-podman-args "--uidmap=0:10000:10"
## assert-podman-args "--uidmap=10:20000:10"
## assert-podman-args "--gidmap=0:10000:10"
## assert-podman-args "--gidmap=10:20000:10"
[Container]
Image=localhost/imagename
RemapUsers=manual
RemapUid=0:10000:10
RemapUid=10:20000:10
RemapGid=0:10000:10
RemapGid=10:20000:10

24
test/e2e/quadlet/user-host.container
View File

@@ -1,24 +0,0 @@
## assert-podman-args --user 1000:1001
## assert-podman-args --uidmap 0:0:1
## assert-podman-args --uidmap 1:100000:999
## assert-podman-args --uidmap 1000:900:1
## assert-podman-args --uidmap 1001:100999:99001
## assert-podman-args --gidmap 0:0:1
## assert-podman-args --gidmap 1:100000:1000
## assert-podman-args --gidmap 1001:901:1
## assert-podman-args --gidmap 1002:101000:99000
[Container]
Image=localhost/imagename
User=1000
HostUser=900
Group=1001
HostGroup=901
RemapUsers=yes
# Set this to get well-known valuse for the checks
RemapUidRanges=100000-199999
RemapGidRanges=100000-199999

26
test/e2e/quadlet/user-root1.container
View File

@@ -1,26 +0,0 @@
## assert-podman-args --user 1000:1001
## assert-podman-args --uidmap 0:100000:1000
## assert-podman-args --uidmap 1000:0:1
## assert-podman-args --uidmap 1001:101000:99000
## !assert-podman-args --uidmap 0:0:1
## assert-podman-args --gidmap 0:100000:1001
## assert-podman-args --gidmap 1001:0:1
## assert-podman-args --gidmap 1002:101001:98999
## !assert-podman-args --gidmap 0:0:1
# Map container uid 1000 to host root
# This means container root must map to something else
[Container]
Image=localhost/imagename
User=1000
# Also test name parsing
HostUser=root
Group=1001
HostGroup=0
RemapUsers=yes
# Set this to get well-known valuse for the checks
RemapUidRanges=100000-199999
RemapGidRanges=100000-199999

22
test/e2e/quadlet/user-root2.container
View File

@@ -1,22 +0,0 @@
# No need for --user 0:0, it is the default
## !assert-podman-args --user
## assert-podman-args --uidmap 0:0:1
## assert-podman-args --gidmap 0:0:1
## assert-podman-args --uidmap 1:100000:100000
## assert-podman-args --gidmap 1:100000:100000
# Map container uid root to host root
[Container]
Image=localhost/imagename
User=0
# Also test name parsing
HostUser=root
Group=0
HostGroup=0
RemapUsers=yes
# Set this to get well-known valuse for the checks
RemapUidRanges=100000-199999
RemapGidRanges=100000-199999

8
test/e2e/quadlet_test.go
View File

@@ -280,8 +280,6 @@ var _ = Describe("quadlet system generator", func() {
Entry("name.container", "name.container"),
Entry("network.container", "network.container"),
Entry("noimage.container", "noimage.container"),
Entry("noremapuser2.container", "noremapuser2.container"),
Entry("noremapuser.container", "noremapuser.container"),
Entry("notify.container", "notify.container"),
Entry("other-sections.container", "other-sections.container"),
Entry("podmanargs.container", "podmanargs.container"),
@@ -294,9 +292,9 @@ var _ = Describe("quadlet system generator", func() {
Entry("shortname.container", "shortname.container"),
Entry("timezone.container", "timezone.container"),
Entry("user.container", "user.container"),
Entry("user-host.container", "user-host.container"),
Entry("user-root1.container", "user-root1.container"),
Entry("user-root2.container", "user-root2.container"),
Entry("remap-manual.container", "remap-manual.container"),
Entry("remap-auto.container", "remap-auto.container"),
Entry("remap-auto2.container", "remap-auto2.container"),
Entry("volume.container", "volume.container"),
Entry("basic.volume", "basic.volume"),