Support multiple uid/gid mappings [1/2] #10307
Conversation
henry118
changed the title
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
henry118
changed the title
henry118
force-pushed
the
uidmap
branch
2 times, most recently
from
2e0a5a2 to
ac777c9
Compare
henry118
force-pushed
the
uidmap
branch
3 times, most recently
from
26107e7 to
4e7f0ea
Compare
|
/test pull-containerd-node-e2e |
|
I'm adding to 2.0 milestone; @containerd/maintainers let me know if anyone thinks it should not be in 2.0 |
henry118
force-pushed
the
uidmap
branch
2 times, most recently
from
0af7ad4 to
56972bc
Compare
|
/test pull-containerd-node-e2e |
|
@henry118 Do you plan to add the second part in this PR? Or will it be a separate PR? |
|
Needs tests |
He was going to do it as a separate PR; he is out right now so it will be after he returns |
Yes I am aware of the fallback. The fallback is currently implemented in containerd/client/snapshotter_opts_unix.go Line 113 in 7b948fa
We can discuss about how we want to support CRI in my next PR that wires up the CRI logic. Basically if we don't want to change the CRI logic, we can simply keep using the old API in CRI. But I don't think the discussion is relevant to this PR though. |
|
@henry118 okay, you were saying the opposite before (CRI userns required idmap mounts) :) If you plan to do a follow-up PR with the idmap mounts part and prefer to wire CRI there, it seems fine to me. I think the final release should be close and changing that later seems safer, IMHO, besides other PRs that are inflight that would conflict with this. But I'm not a maintainer here :) |
My 2nd PR is pretty much ready. I didn't open it because GH does not support stacked PRs. And I wanted to use the 1st PR to align on all the APIs. I wish that I can still catch the 2.0 release window to get this feature in. But I agree it's up to the maintainers. Again let's defer this discussion to the follow-up patch. I believe I should have addressed all your comments at this stage. PTAL and let me know what else I can do to move this further. |
|
@henry118 cool, thanks! Just to understand, would you like this PR for 2.0? Or also the follow-up PR? I think maintainers need to review now, that is the next step :) |
|
Ping @estesp @AkihiroSuda @dmcgowan @fuweid PTAL. Really hope this enhancement can be part of 2.0. |
Signed-off-by: Henry Wang <[email protected]>
@cpuguy83 thanks for the input. I moved the userns package under internals. |
Enhance user namespace implementation to support multi-entry uid/gid mappings.
This is 1st patch (out of 2) that supports multiple entries of uid/gid configurations. This patch focuses on the "slow" path that requires
chownon every file in the root FS. uidmapped mounts implementation will be covered in a separate PR.This implementation has changes in the following area:
IdentityMappingimplementation fromidtoolspackage in Moby.--uidmap, --gidmapoptions inctr runcommand.chownAn sample command to run a container with remapped
foouser:I hope the implementation makes sense and I'm looking forward to your feedback :)