Description
containerd v1.7 supports ID mapped mounts via the --remap-labels option:
$ ctr run -h
...
--remap-labels Provide the user namespace ID remapping to the snapshotter via label options; requires snapshotter support
...
The fuse-overlayfs-snapshotter does support the remapped labels.
However, when running against fuse-overlayfs-snapshotter with --remap-labels, the permission is configured incorrectly.
Steps to reproduce the issue
- Configure fuse-overlayfs remote snapshotter
$ cat /etc/containerd/config.toml
version = 2
[proxy_plugins]
[proxy_plugins.fuse]
type = "snapshot"
address = "/run/containerd-fuse-overlayfs-grpc/fuse-overlayfs.sock"
capabilities = ["remap-ids"]
- Pull image
$ sudo ctr i pull --snapshotter fuse docker.io/library/ubuntu:latest
- Run container
$ sudo ctr run --rm --tty --snapshotter fuse --remap-labels --uidmap 0:100:65535 --gidmap 0:100:65535 --user ubuntu docker.io/library/ubuntu:latest test bash
Describe the results you received and expected
Received result; note that the owner of the directory is incorrect.
bash: /home/ubuntu/.bashrc: Permission denied
ubuntu@ip-172-31-63-131:/$ ls -l /home
total 4
drwxr-x--- 2 1100 1100 4096 Sep 27 00:08 ubuntu
Expected result:
ubuntu@ip-172-31-63-131:/$ ls -l /home
total 4
drwxr-x--- 2 ubuntu ubuntu 4096 Aug 27 14:06 ubuntu
What version of containerd are you using?
v1.7.22
Any other relevant information
No response
Show configuration if it is related to CRI plugin.
No response
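
The ID arithmetic behind the --uidmap/--gidmap values in the reproduction, as an added example that is not part of the original report or of containerd: it parses container:host:size triplets and classifies an owner ID seen inside the container. The value 1000 for the image's ubuntu user is an assumption (the report shows only the name), and the function names are hypothetical.

```python
from typing import List, Optional, Tuple

IdMap = Tuple[int, int, int]  # (container_id, host_id, size)

def parse_idmap(spec: str) -> IdMap:
    """Parse one 'container:host:size' triplet as given to --uidmap/--gidmap."""
    parts = spec.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected container:host:size, got {spec!r}")
    cid, hid, size = (int(p) for p in parts)
    if cid < 0 or hid < 0 or size <= 0:
        raise ValueError(f"invalid range in {spec!r}")
    return cid, hid, size

def to_host(container_id: int, maps: List[IdMap]) -> Optional[int]:
    """Host ID that backs a container ID, or None if the ID is unmapped."""
    for cid, hid, size in maps:
        if cid <= container_id < cid + size:
            return hid + (container_id - cid)
    return None

def to_container(host_id: int, maps: List[IdMap]) -> Optional[int]:
    """Container ID a host ID appears as, or None if it is outside every range."""
    for cid, hid, size in maps:
        if hid <= host_id < hid + size:
            return cid + (host_id - hid)
    return None

def classify_owner(seen_id: int, expected_id: int, maps: List[IdMap]) -> str:
    """Classify an owner ID observed from inside the container."""
    if seen_id == expected_id:
        return "ok"
    if seen_id == to_host(expected_id, maps):
        # The observed ID equals the expected ID with the map offset applied once.
        return "shifted"
    return "other"

# Mapping taken from the reproduction command in the report.
MAPS = [parse_idmap("0:100:65535")]
# Assumption: uid/gid of the image's 'ubuntu' user (not stated in the report).
EXPECTED_ID = 1000

if __name__ == "__main__":
    for seen in (1100, 1000):  # 1100 is the owner shown in the received result
        print(seen, classify_owner(seen, EXPECTED_ID, MAPS))
```
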