35 Commits

Author SHA1 Message Date
4a54fd8756 fix(docs): Integrate pasta in rootless tutorial
- rework the slirp4netns section into a general 'Networking configuration' one
- integrate pasta as the new default tool for rootless networking since v5.0
- touch upon the user-facing differences between the two available backends and provide
  links to further documentation, including how to choose between one and the other and
  how to install them

Fixes: #24393

Signed-off-by: Bastien Traverse <neitsab@esrevart.net>
2024-10-29 12:33:01 +01:00
8b2667ef69 More rootless-tutorial fixes
Followup to #20722:

- Fix missing "containers" subdirectory
- Indicate what podman uses as defaults for XDG envariables
- whitespace and quoting fixes (I actually ran pandoc this time)

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-11-20 07:43:12 -07:00
9ea390191b rootless_tutorial: modernize
- We can assume that cgroups v2 and rootless overlayfs are the
  default everywhere.

- Remove RHEL7-only instructions

- add clear '$' and '#' prompts to rootless and root commands

- other minor consistency cleanups

Ref: #20669

Signed-off-by: Ed Santiago <santiago@redhat.com>
2023-11-20 06:04:21 -07:00
91b8bc7f13 uid/gid mapping flags
Motivation
===========

This feature aims to make --uidmap and --gidmap easier to use, especially in rootless podman setups.

(I will focus here on the --gidmap option, although the same applies for --uidmap.)

In rootless podman, the user namespace mapping happens in two steps, through an intermediate mapping.

See https://docs.podman.io/en/latest/markdown/podman-run.1.html#uidmap-container-uid-from-uid-amount
for further detail, here is a summary:

First the user GID is mapped to 0 (root), and all subordinate GIDs (defined at /etc/subgid, and
usually >100000) are mapped starting at 1.

One way to customize the mapping is through the `--gidmap` option, that maps that intermediate mapping
to the final mapping that will be seen by the container.

As an example, let's say we have as main GID the group 1000, and we also belong to the additional GID 2000,
that we want to make accessible inside the container.

We first ask the sysadmin to subordinate the group to us, by adding "$user:2000:1" to /etc/subgid.

Then we need to use --gidmap to specify that we want to map GID 2000 into some GID inside the container.

And here is the first trouble:

Since the --gidmap option operates on the intermediate mapping, we first need to figure out where podman has
placed our GID 2000 in that intermediate mapping using:

    podman unshare cat /proc/self/gid_map

Then, we may see that GID 2000 was mapped to intermediate GID 5. So our --gidmap option should include:

    --gidmap 20000:5:1

This intermediate mapping may change in the future if further groups are subordinated to us (or we stop
having its subordination), so we are forced to verify the mapping with
`podman unshare cat /proc/self/gid_map` every time, and parse it if we want to script it.

**The first usability improvement** we agreed on #18333 is to be able to use:

    --gidmap 20000:@2000:1

so podman does this lookup in the parent user namespace for us.

But this is only part of the problem. We must specify a **full** gidmap and not only what we want:

    --gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1

This is becoming complicated. We had to break the gidmap at 5, because the intermediate 5 had to
be mapped to another value (20000), and then we had to keep mapping all other subordinate ids... up to
close to the maximum number of subordinate ids that we have (or some reasonable value). This is hard
to explain to someone who does not understand how the mappings work internally.

To simplify this, **the second usability improvement** is to be able to use:

    --gidmap "+20000:@2000:1"

where the plus flag (`+`) states that the given mapping should extend any previous/default mapping,
overriding any previous conflicting assignment.

Podman will set that mapping and fill the rest of mapped gids with all other subordinated gids, leading
to the same (or an equivalent) full gidmap that we were specifying before.

One final usability improvement related to this is the following:

By default, when podman gets a --gidmap argument but not a --uidmap argument, it copies the mapping.
This is convenient in many scenarios, since usually subordinated uids and gids are assigned in chunks
simultaneously, and the subordinated IDs in /etc/subuid and /etc/subgid for a given user match.

For scenarios with additional subordinated GIDs, this map copying is annoying, since it forces the user
to provide a --uidmap, to prevent the copy from being made. This means that when the user wants:

    --gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1

The user has to include a uidmap as well:

    --gidmap 0:0:5 --gidmap 5:6:15000 --gidmap 20000:5:1 --uidmap 0:0:65000

making everything even harder to understand without proper context.

For this reason, besides the "+" flag, we introduce the "u" and "g" flags. Those flags applied to a
mapping tell podman that the mapping should only apply to users or groups, and be ignored otherwise.

Therefore we can use:

    --gidmap "+g20000:@2000:1"

So the mapping only applies to groups and is ignored for uidmaps. If neither a "u" nor a "g" flag is assigned,
podman assumes the mapping applies to both users and groups as before, so we preserve backwards compatibility.

Co-authored-by: Tom Sweeney <tsweeney@redhat.com>
Signed-off-by: Sergio Oller <sergioller@gmail.com>
2023-08-28 20:21:04 +02:00
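The lookup and fill-in behaviour described in the commit message above, as an added Python example that is not podman's own code: it parses a constructed sample of `podman unshare cat /proc/self/gid_map`, resolves the `@2000` lookup against it, honours the `u`/`g` restriction, and expands a `+`-flagged mapping into the full map by placing the remaining intermediate IDs into the lowest free container IDs. The exact order in which podman fills the remainder is an assumption here.

```python
# Constructed sample of `podman unshare cat /proc/self/gid_map` (inside outside count):
# host GID 1000 -> 0, subordinate 100000..100003 -> 1..4, subordinate host GID 2000 -> 5.
SAMPLE_GID_MAP = """\
         0       1000          1
         1     100000          4
         5       2000          1
"""

def parse_id_map(text):
    """Parse gid_map/uid_map lines into (inside, outside, count) triples."""
    return [tuple(int(f) for f in ln.split()) for ln in text.splitlines() if ln.strip()]

def lookup_intermediate(id_map, host_id):
    """The '@host' lookup: which intermediate id did podman give this host id?"""
    for inside, outside, count in id_map:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    raise ValueError(f"host id {host_id} is not subordinated to this user")

def parse_map_arg(arg, id_map):
    """Split leading flags ('+', 'u', 'g') from 'cid:iid:count'; iid may be '@host'."""
    i = len(arg) - len(arg.lstrip("+ug"))  # number of leading flag characters
    cid, iid, count = arg[i:].split(":")
    inter = lookup_intermediate(id_map, int(iid[1:])) if iid.startswith("@") else int(iid)
    return set(arg[:i]), (int(cid), inter, int(count))

def extend_mapping(explicit, id_map):
    """'+' flag (assumed order): keep explicit ranges, then place every other intermediate id
    into the lowest free container ids, explicit ranges winning conflicts, coalescing runs."""
    used_cont = {c + k for c, _, n in explicit for k in range(n)}
    used_int = {i + k for _, i, n in explicit for k in range(n)}
    filler, next_cont = [], 0
    for inter in range(sum(n for _, _, n in id_map)):  # every intermediate id
        if inter in used_int:
            continue
        while next_cont in used_cont:  # skip container ids claimed explicitly
            next_cont += 1
        if filler and filler[-1][0] + filler[-1][2] == next_cont and filler[-1][1] + filler[-1][2] == inter:
            filler[-1] = (filler[-1][0], filler[-1][1], filler[-1][2] + 1)
        else:
            filler.append((next_cont, inter, 1))
        next_cont += 1
    return sorted(explicit + filler)

def expand(args, id_map, kind="g"):
    """Full map for kind 'u'/'g'. Assumption: a '+' flag (or no applicable range) fills from the default map."""
    parsed = [parse_map_arg(a, id_map) for a in args]
    applicable = [(f, r) for f, r in parsed if not ({"u", "g"} & f) or kind in f]
    if not applicable or any("+" in f for f, _ in applicable):
        return extend_mapping([r for _, r in applicable], id_map)
    return sorted(r for _, r in applicable)
```

With the sample map, `expand(["+g20000:@2000:1"], m)` yields the same full gidmap the commit message spells out by hand, while `expand(["+1:@2000:1"], m)` shows the explicit range displacing the default entry for container GID 1.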
d4cfc498d7 Remove unnecessary use of the word "please".
Only use the word "please" in these situations:

- reader is asked to do something inconvenient
- reader is asked for permission
- reader is asked for forgiveness

Remove other uses of the word "please" to
make the language more efficient.

[NO NEW TESTS NEEDED]

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2023-07-23 17:31:29 +02:00
2b650e37ce (fix) mount_program is in storage.options.overlay
mount_program is in storage.options.overlay and not storage.options
(see example in storage.conf)

Signed-off-by: Klaus Frank <agowa338@users.noreply.github.com>
2023-01-22 04:13:04 +01:00
f4c53a41cf docs: update the podman logo
for podman/#15222

Signed-off-by: unknowndevQwQ <unknowndevQwQ@pm.me>
2022-08-07 09:11:53 +08:00
b8a7e275d1 [CI:DOCS] rootless_tutorial: Remove incorrect advice regarding volumes and mount points
* Remove the instruction
  "The mount point must exist in the container"
  as it is incorrect which is shown by this example
  ```
  $ mkdir dir1
  $ podman run --rm -v ./dir1:/dir1:Z docker.io/library/fedora:36 touch /dir1/file
  $ ls dir1
  file
  $ podman run --rm docker.io/library/fedora:36 ls -l /dir1
  ls: cannot access '/dir1': No such file or directory
  $ podman --version
  podman version 4.1.1
  $
  ```

* Rewrite the advice "You should always give the full path to the volume you'd like to mount"
  so that it also mentions relative paths starting with a dot.

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2022-07-12 16:32:14 +02:00
97beca9e83 Merge pull request #14123 from DE0CH/rootless_tutorial
[CI:DOCS] Update rootless_tutorial.md
2022-05-05 05:14:26 -04:00
ebde525834 update rootless_tutorial.md
The links to the installation instructions and build instructions seem to
be outdated, so this PR updates them.

Signed-off-by: Deyao Chen <chendeyao000@gmail.com>
2022-05-05 15:57:44 +08:00
7c59f1d077 Fix usermod call in rootless_tutorial.md
The `usermod` calls in rootless_tutorial.md were only adding a very narrow range
for subuids and subgids, which will cause failures with containers where a file
is owned by a user or group with a uid/gid > 1001.

Signed-off-by: Dan Čermák <dcermak@suse.com>
2022-05-05 09:54:20 +02:00
95c4637851 Update docs/tutorials/rootless_tutorial.md:
* Change references of 'master' to 'main' in URLs e.g. https://github.com/containers/podman/blob/main/install.md
* Wrap names of files or programs by '`' e.g. `dnf`, `containers.conf`, `/etc/subuid`, etc.
* Change sentence with ambiguous subject to 'Root privileges are required to add or update entries within these files'
* Link to kernel.org documentation for the `getpwent` command
* Change sentence: 'Note that the values for each user must be unique ~and without any overlap~'
* Make references to the Podman project upper-case instead of lower-case
* Reorder sentence 'Update the `/etc/subuid` and `/etc/subgid` with fields for each user' to emphasize 'For each user'
* Remove reference to asciiart demos and update README.md link

Signed-off-by: Colin Eberl Coe <ebb-earl-co@pm.me>
2021-07-08 13:38:05 -05:00
d333ef82b1 Fix 'storage.options' indent
Signed-off-by: Roman Lukin <me@rlukin.ru>
2021-02-21 13:50:24 +03:00
3d105015f6 typo
Signed-off-by: Matthew Cengia <mattcen@mattcen.com>
2021-02-03 21:22:30 +11:00
d9ebbbfe5b Switch references of /var/run -> /run
Systemd is now complaining or mentioning /var/run as a legacy directory.
It has been many years where /var/run is a symlink to /run on almost
all distributions, make the change to the default.

Partial fix for https://github.com/containers/podman/issues/8369

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2021-01-07 05:37:24 -05:00
d200801152 Cleanup tutorials
Inspired by @kannkyo PR.

Eliminate sudo when commands will work fine in rootless mode.

Make all commands in tutorials easily cut and pastable, by eliminating
$ and > symbols.

This should make them all consistent across different tutorials.

Also make all systemctl enable calls use the --now option.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-11-17 06:49:53 -05:00
996fe49aa7 Update rootless_tutorial.md
add clarifications in persistently setting unprivileged ping permissions
Signed-off-by: fuzxi <opuspam@posteo.de>

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-10-01 09:13:39 -04:00
288ebec6e7 Merge pull request #6909 from rhatdan/podman
Switch all references to github.com/containers/libpod -> podman
2020-07-28 10:12:55 -04:00
14f8085016 Merge pull request #7079 from rhatdan/tuturial
update configuration for rootless podman
2020-07-28 14:58:52 +02:00
a5e37ad280 Switch all references to github.com/containers/libpod -> podman
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-07-28 08:23:45 -04:00
909f989c41 Corrects typo in the name of the Linux package shadow-utils.
Signed-off-by: Bence Mélykúti <bence.melykuti@gmail.com>
2020-07-27 21:17:30 +02:00
7d0a5fc0da update configuration for rootless podman
I updated the configuration part of the tutorial on rootless podman. I added the
order in which configuration files are read in and a hint, how users can create
default configuration in the home directories.

Closes #6777

Signed-off-by: Niklas Netter <niknett@gmail.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-07-25 05:41:31 -04:00
841eac0af6 Switch references from libpod.conf to containers.conf
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-07-20 15:09:54 -04:00
c79c69f275 [CI:DOCS] Tweak casing in rootless doc
I just noticed a few 'podman' references that should be
'Podman' in the rootless doc.  This fixes it.

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2020-05-26 10:55:34 -04:00
bf32a5c67d add section on rootless volumes
Signed-off-by: Juan Jimenez-Anca <cortopy@users.noreply.github.com>
2020-05-23 15:58:05 +01:00
3c473681e3 rootless tutorial: remove systemd unit example
The example was not entirely correct.  Users should use `podman generate
systemd` and use the output either directly or as a template for further
adjustments to their needs.  Keeping an example in the rootless tutorial
is a maintenance burden and can easily suggest incorrect usage patterns
to users.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2020-03-09 13:39:56 +01:00
9abfc32e05 Enhance fuse-overlayfs instructions.
The `fuse-overlayfs` package provided by Ubuntu up to 19.10, is not
recent enough and causes errors on `buildah commit`, for instance.

Adjust the rootless tutorial to point this out and to provide more
detailed instructions on how to obtain `fuse-overlayfs` and configure it
for use by `libpod`.

Signed-off-by: Leonardo Rochael Almeida <leorochael@gmail.com>
2020-02-13 12:58:05 -03:00
92152a5b80 Markdown Formatting Fixes
Signed-off-by: Steven Gubler <stevegubler@protonmail.com>
2019-10-18 15:38:30 -06:00
6c702171da Add cgroup v2 info to rootless tutorial
Adding cgroup v2 information to the rootless tutorial.  Will post it to a Google Doc
for easier review comments.

https://docs.google.com/document/d/1hrxU-CYhrKDjMf6cIRuegbyY9pkDv-AlEF-i0I8_kdk

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2019-09-11 17:15:52 -04:00
284cbab193 Add instruction for using fuse-overlayfs as the rootless storage driver
Signed-off-by: xcffl <xcffl@outlook.com>
2019-09-07 19:27:47 +08:00
bb900be87f rootless.md: add systemd unit example
Signed-off-by: Mathieu Velten <matmaul@gmail.com>
2019-09-03 00:33:33 +02:00
48a5a937cb Fix link format in rootless_tutorial.md.
From `[link](url)` to [`link`](url)

Signed-off-by: Chris Hunt <chrahunt@gmail.com>
2019-08-21 21:29:40 -04:00
5779e89809 Touch up XDG, add rootless links
Touch up a number of formatting issues for XDG_RUNTIME_DIRS in a number
of man pages.  Make use of the XDG_CONFIG_HOME environment variable
in a rootless environment if available, or set it if not.

Also added a number of links to the Rootless Podman config page and
added the location of the auth.json files to that doc.

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2019-07-29 11:29:41 -04:00
80440408ad Fix configs location in rootless tutorial.
Signed-off-by: Danila Kiver <danila.kiver@mail.ru>
2019-06-22 02:20:44 +03:00
9588eea3a1 First pass rootless tutorial
First pass of the rootless tutorial.  This may become the basis
for a User Guide of the same.

Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2019-06-17 15:00:45 -04:00