opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-19 16:33:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1795 from rhatdan/user

Browse Source 
Better document rootless containers
This commit is contained in:
OpenShift Merge Robot
2018-11-12 00:17:34 -08:00
committed by GitHub
parent 78e6d8e7d7 542d8fe95f
commit d5375b59aa
2 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/podman.1.md
View File

@ -192,7 +192,7 @@ the exit codes follow the `chroot` standard, see below:
When Podman runs in rootless mode, the file `$HOME/.config/containers/storage.conf` is also loaded. When Podman runs in rootless mode, the file `$HOME/.config/containers/storage.conf` is also loaded.
## Rootless mode ## Rootless mode
Podman can also be used as non-root user. When podman runs in rootless mode, an user namespace is automatically created. Podman can also be used as non-root user. When podman runs in rootless mode, a user namespace is automatically created for the user, defined in /etc/subuid and /etc/subgid.
Containers created by a non-root user are not visible to other users and are not seen or managed by podman running as root. Containers created by a non-root user are not visible to other users and are not seen or managed by podman running as root.
@ -209,13 +209,14 @@ Or just add the content manually.
$ echo USERNAME:10000:65536 >> /etc/subuid $ echo USERNAME:10000:65536 >> /etc/subuid
$ echo USERNAME:10000:65536 >> /etc/subgid $ echo USERNAME:10000:65536 >> /etc/subgid
See the `subuid(5)` and `subgid(5)` man pages for more information.
Images are pulled under `XDG_DATA_HOME` when specified, otherwise in the home directory of the user under `.local/share/containers/storage`. Images are pulled under `XDG_DATA_HOME` when specified, otherwise in the home directory of the user under `.local/share/containers/storage`.
Currently it is not possible to create a network device, so rootless containers need to run in the host network namespace. If a rootless container creates a network namespace, Currently the slirp4netns package is required to be installed to create a network device, otherwise rootless containers need to run in the network namespace of the host.
then only the loopback device will be available.
## SEE ALSO ## SEE ALSO
`containers-mounts.conf(5)`, `containers-registries.conf(5)`, `containers-storage.conf(5)`, `crio(8)`, `libpod.conf(5)`, `oci-hooks(5)`, `policy.json(5)` `containers-mounts.conf(5)`, `containers-registries.conf(5)`, `containers-storage.conf(5)`, `crio(8)`, `libpod.conf(5)`, `oci-hooks(5)`, `policy.json(5)`, `subuid(5)`, `subgid(5)`, `slirp4netns(1)`
## HISTORY ## HISTORY
Dec 2016, Originally compiled by Dan Walsh <dwalsh@redhat.com> Dec 2016, Originally compiled by Dan Walsh <dwalsh@redhat.com>

3
pkg/rootless/rootless_linux.go
View File

@ -187,6 +187,9 @@ func BecomeRootInUserNS() (bool, int, error) {
if username == "" { if username == "" {
user, err := user.LookupId(fmt.Sprintf("%d", os.Getuid())) user, err := user.LookupId(fmt.Sprintf("%d", os.Getuid()))
if err != nil && os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" { if err != nil && os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" {
if os.IsNotExist(err) {
return false, 0, errors.Wrapf(err, "/etc/subuid or /etc/subgid does not exist, see subuid/subgid man pages for information on these files")
}
return false, 0, errors.Wrapf(err, "could not find user by UID nor USER env was set") return false, 0, errors.Wrapf(err, "could not find user by UID nor USER env was set")
} }
if err == nil { if err == nil {