opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-01 17:17:47 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
podman/docs/source/markdown/options/userns.container.md
Giuseppe Scrivano 192ad70e98 run: ignore PODMAN_USERNS with --pod 
the combination --pod and --userns is already blocked.  Ignore the
PODMAN_USERNS variable when a pod is used, since it would cause to
create a new user namespace for the container.

Ideally a container should be able to do that, but its user namespace
must be a child of the pod user namespace, not a sibling.  Since
nested user namespaces are not allowed in the OCI runtime specs,
disallow this case, since the end result is just confusing for the
user.

Closes: https://github.com/containers/podman/issues/18580

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2023-05-17 16:49:16 +02:00

55 lines
3.4 KiB
Markdown
Raw Blame History

####> This option file is used in:
####> podman create, kube play, run
####> If file is edited, make sure the changes
####> are applicable to all of those.
#### **--userns**=*mode*
Set the user namespace mode for the container. It defaults to the **PODMAN_USERNS** environment variable unless `--pod` is specified. An empty value ("") means user namespaces are disabled unless an explicit mapping is set with the **--uidmap** and **--gidmap** options.
This option is incompatible with **--gidmap**, **--uidmap**, **--subuidname** and **--subgidname**.
Rootless user --userns=Key mappings:
Key | Host User | Container User
----------|---------------|---------------------
"" |$UID |0 (Default User account mapped to root user in container.)
keep-id |$UID |$UID (Map user account to same UID within container.)
keep-id:uid=200,gid=210 |$UID| 200:210 (Map user account to specified UID, GID value within container.)
auto |$UID | nil (Host User UID is not mapped into container.)
nomap |$UID | nil (Host User UID is not mapped into container.)
Valid _mode_ values are:
**auto**[:_OPTIONS,..._]: automatically create a unique user namespace.
The `--userns=auto` flag requires that the user name __containers__ be specified in the /etc/subuid and /etc/subgid files, with an unused range of subordinate user IDs that Podman containers are allowed to allocate. See subuid(5).
Example: `containers:2147483647:2147483648`.
Podman allocates unique ranges of UIDs and GIDs from the `containers` subordinate user IDs. The size of the ranges is based on the number of UIDs required in the image. The number of UIDs and GIDs can be overridden with the `size` option.
The option `--userns=keep-id` uses all the subuids and subgids of the user.
The option `--userns=nomap` uses all the subuids and subgids of the user except the user's own ID.
Using `--userns=auto` when starting new containers does not work as long as any containers exist that were started with `--userns=keep-id` or `--userns=nomap`.
Valid `auto` options:
- *gidmapping*=_CONTAINER\_GID:HOST\_GID:SIZE_: to force a GID mapping to be present in the user namespace.
- *size*=_SIZE_: to specify an explicit size for the automatic user namespace. e.g. `--userns=auto:size=8192`. If `size` is not specified, `auto` estimates a size for the user namespace.
- *uidmapping*=_CONTAINER\_UID:HOST\_UID:SIZE_: to force a UID mapping to be present in the user namespace.
**container:**_id_: join the user namespace of the specified container.
**host**: run in the user namespace of the caller. The processes running in the container have the same privileges on the host as any other process launched by the calling user (default).
**keep-id**: creates a user namespace where the current user's UID:GID are mapped to the same values in the container. For containers created by root, the current mapping is created into a new user namespace.
Valid `keep-id` options:
- *uid*=UID: override the UID inside the container that is used to map the current user to.
- *gid*=GID: override the GID inside the container that is used to map the current user to.
**nomap**: creates a user namespace where the current rootless user's UID:GID are not mapped into the container. This option is not allowed for containers created by the root user.
**ns:**_namespace_: run the <<container|pod>> in the given existing user namespace.
Reference in New Issue View Git Blame Copy Permalink