
I'm evaluating podman in rootless mode and facing an issue with the User ID Mapping.

I run podman with "myuser" who has the ID 1000.

cat /etc/subuid
myuser:100000:65536

When running a pod where the pod user is root, the created files on the mounted volume belong to "myuser" from the host perspective, I can access them and so everything is fine.

When running a pod where the pod user is not root, for example UID 2002, the created files on the mounted volume belong to UID "102002" from the host perspective, which results in the situation that I cannot access those files on the host.

As expected, podman unshare looks like the following

podman unshare cat /proc/self/uid_map
0       1000          1
1     100000      65536

Is there any chance that I can get access to these files by correct configuration of the podman run or config files?

Thanks Joerg

Jörg Lang
  • Creating a file running as UID _2002_ in the container would normally create a file with ownership UID _102001_ on the host, if the _/etc/subuid_ contains _myuser:100000:65536_. Are you maybe using _--userns_ somehow? – Erik Sjölund Jan 20 '22 at 06:25
  • I had a [related issue](https://github.com/containers/podman/blob/main/troubleshooting.md#9-newuidmap-missing-when-running-rootless-podman-commands) on Ubuntu 20.05, fixed installing `uidmap` package – Pablo Bianchi Jun 17 '23 at 23:07

2 Answers


Update 4 November 2022

Podman 4.3.0 introduced the options uid and gid that can be given to --userns keep-id.

The UID and GID mapping that is described with --uidmap and --gidmap in this answer can now be given as --userns keep-id:uid=$uid,gid=$gid instead. The only difference is that the new syntax is shorter and thus saves you some keyboard typing.

See also the troubleshooting tip:

Podman run fails with "Error: unrecognized namespace mode keep-id:uid=1000,gid=1000 passed"


Yes, you can remap UIDs by using the command-line option --uidmap.

It looks like the container UID you are using is

102002-100000+1=2003

The digit 1 is there because the normal UID on the host is mapped to root in the container by default.

This example demonstrates such a calculation (102002-100000+1=2003)

$ id  -un
testuser
$ grep testuser /etc/subuid
testuser:100000:65536
$ grep testuser /etc/subgid
testuser:100000:65536
$ mkdir dir1
$ chmod 777 dir1
$ podman run --rm -v ./dir1:/dir1:Z \
             --user 2003:2003 \
             docker.io/library/ubuntu touch /dir1/a
$ ls -l dir1/a
-rw-r--r--. 1 102002 102002 0 Jan 19 19:35 dir1/a
$

Let's define some variables so that this Stackoverflow answer can be more reusable for others.

uid=2003
subuidStart=100000
subuidSize=65536

You could try passing these three options at the same time to podman run

  • --uidmap $uid:0:1
  • --uidmap 0:1:$uid
  • --uidmap $(($uid+1)):$(($uid+1)):$(($subuidSize-$uid))

Note $(( expression )) is Bash syntax so you need to use a bash shell.

--uidmap $uid:0:1

Map the UID $uid in the container to your normal UID on the host.

| host UID | intermediate UID | container UID |
|---|---|---|
| normal host UID | 0 | $uid |

--uidmap 0:1:$uid

Map the UIDs between 0 and $uid - 1 in the container to the lower part of the subuids (subordinate UIDs) (from $subuidStart to $subuidStart+$uid-1).

| host UID | intermediate UID | container UID |
|---|---|---|
| $subuidStart | 1 | 0 |
| $subuidStart + 1 | 2 | 1 |
| ... | ... | ... |
| $subuidStart + $uid - 1 | $uid | $uid - 1 |

--uidmap $(($uid+1)):$(($uid+1)):$(($subuidSize-$uid))

Map the UIDs between $uid+1 and $subuidSize in the container to the remaining subuids.

| host UID | intermediate UID | container UID |
|---|---|---|
| $subuidStart + $uid | $uid + 1 | $uid + 1 |
| $subuidStart + $uid + 1 | $uid + 2 | $uid + 2 |
| ... | ... | ... |
| $subuidStart + $subuidSize - 1 | $subuidSize | $subuidSize |

Note that the mapping between host UIDs and the intermediate UIDs can't be modified by the user. The normal host UID is always mapped to the intermediate UID 0.

Note that in the general case there might be more than one range of subuids.

There is a similar command-line option --gidmap for GIDs.

Update 2022-02-14

I wrote a troubleshooting tip about this in the Podman documentation.

Erik Sjölund
  • I have created a script with that --uidmap logic. I received for the error "Error: Container ID 0 cannot be mapped to a host ID" so I have added "--uidmap=0:1:1" as an additional parameter. Now I receive ```Error: error creating container storage: error creating an ID-mapped copy of layer "1cfdca7e59023298ba1f7787a961bd90e2bcac6680d9591268d2d1c83c0c8ef7": exit status 1: error during chown: error mapping container ID pair idtools.IDPair{UID:0, GID:42} for "etc/gshadow" to host: Container ID 42 cannot be mapped to a host ID ``` – Jörg Lang Jan 21 '22 at 09:59
  • Do you know if it is possible to do the same for `podman build`? I tried replacing `--uidmap` with `--userns-uid-map`, but it didn't seem to do anything. – Cezary Drożak Mar 15 '22 at 14:13
  • 1
    I've never tried `podman build` with `--userns-uid-map` but I would guess that it does the same thing as `--uidmap` for `podman run`. – Erik Sjölund Mar 15 '22 at 14:19
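The two-stage mapping in the answer above (container UID → intermediate UID via --uidmap, intermediate UID → host UID via the fixed rootless map) can be checked on paper before touching podman. The script below is an added example, written for this page; it is not part of Erik Sjölund's answer and not podman's own code. It generates the three --uidmap triples from the answer's formulas and resolves any container UID to the host UID it would own files as, both with no --uidmap (podman's identity inner map, which is what produced UID 102002 in the answer's `touch /dir1/a` run) and with the three triples applied. The function names, the `--demo` switch and the "unmapped" return value are my own conventions; the sample numbers (host UID 1000, subuid range 100000:65536, uid=2003) are the ones used in the answer.

```bash
#!/usr/bin/env bash
# Added example, not part of the original answer: derive the three --uidmap
# triples from the answer above and compute, without running podman, which
# host UID a file created by a given container UID ends up with.
# Sample values (host UID 1000, subuid 100000:65536, uid=2003) come from the answer.
set -eu

# Print the three inner-map triples "container_start:intermediate_start:length"
# that pin container UID $1 to intermediate ID 0 (your own host UID) and spread
# every other container UID over the subordinate range of size $2.
uidmap_triples() {
    uid=$1; size=$2
    printf '%s\n' "$uid:0:1"
    printf '%s\n' "0:1:$uid"
    printf '%s\n' "$((uid + 1)):$((uid + 1)):$((size - uid))"
}

# The same triples, formatted as arguments for "podman run".
build_uidmap_args() {
    args=""
    for t in $(uidmap_triples "$1" "$2"); do
        args="$args${args:+ }--uidmap $t"
    done
    printf '%s\n' "$args"
}

# Outer map, which rootless podman fixes and the user cannot change:
# intermediate 0 is your host UID ($2), intermediate 1..$4 are the
# subuids $3 .. $3+$4-1 (see "podman unshare cat /proc/self/uid_map").
intermediate_to_host() {
    inter=$1; host_uid=$2; sub_start=$3; size=$4
    if [ "$inter" -eq 0 ]; then
        echo "$host_uid"
    elif [ "$inter" -ge 1 ] && [ "$inter" -le "$size" ]; then
        echo $((sub_start + inter - 1))
    else
        echo unmapped
    fi
}

# Resolve container UID $1 through the inner map (triples passed as $5...)
# and then through the outer map. Prints the host UID, or "unmapped" when no
# triple covers it (podman reports such IDs as "cannot be mapped to a host ID",
# the error quoted in the comments above).
container_to_host() {
    cuid=$1; host_uid=$2; sub_start=$3; size=$4
    shift 4
    for t in "$@"; do
        c=${t%%:*}; rest=${t#*:}; i=${rest%%:*}; len=${rest#*:}
        if [ "$cuid" -ge "$c" ] && [ "$cuid" -lt $((c + len)) ]; then
            intermediate_to_host $((i + cuid - c)) "$host_uid" "$sub_start" "$size"
            return 0
        fi
    done
    echo unmapped
}

# Host UID for container UID $1 with no --uidmap at all: the identity inner
# map (container 0 -> intermediate 0, container n -> intermediate n).
host_uid_default() {
    container_to_host "$1" "$2" "$3" "$4" "0:0:1" "1:1:$4"
}

# Host UID for container UID $1 once the three --uidmap triples for the
# chosen container UID $5 are in effect.
host_uid_remapped() {
    container_to_host "$1" "$2" "$3" "$4" $(uidmap_triples "$5" "$4")
}

# Worked numbers from the answer:
#   host_uid_default  2003 1000 100000 65536      -> 102002 (what the answer observed)
#   host_uid_remapped 2003 1000 100000 65536 2003 -> 1000   (file now owned by you)
#   host_uid_remapped 0    1000 100000 65536 2003 -> 100000 (container root -> first subuid)
if [ "${1:-}" = "--demo" ]; then
    build_uidmap_args 2003 65536
    host_uid_default 2003 1000 100000 65536
    host_uid_remapped 2003 1000 100000 65536 2003
    host_uid_remapped 0 1000 100000 65536 2003
fi
```

Run it with `--demo` to print the generated `--uidmap` arguments and the three resolutions. The arithmetic makes the subtle point of the answer visible: with the default map, container UID 2002 lands on host 102001 and 2003 on 102002, so a host UID of 102002 means the process inside the container ran as 2003, not 2002. It also shows why the remap has to cover the whole subordinate range: any container UID outside the three triples (65537 and above for a range of 65536) is unmapped, which is the class of failure behind the "cannot be mapped to a host ID" error in the comments.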

Using --userns=keep-id is an easy alternative solution compared to using the complex mapping of uidmap/gidmap.

https://docs.podman.io/en/latest/markdown/podman-run.1.html

Muzammil