cfcf4eb31e
Assuming a host UID of 1000, the UID mapping inside the user namespace created by rootless podman for the toolbox container was:

    0 1000 1
    1 100000 65536

... which was the same as seen from the host:

    0 1000 1
    1 100000 65536

Therefore, when running with a UID of 1000 inside the container, it got mapped to UID 100999 on the host. That means, for example, that files created by the user inside the container end up looking funny from the host, because they are owned by UID 100999 there.

This is addressed by creating another user namespace that's a child of the initial user namespace created by rootless podman. Assuming a host UID of 1000, the UID mapping inside this child namespace is:

    1000 0 1
    0 1 1000
    1001 1001 64536

... which when seen from the host is:

    1000 1000 1
    0 100000 1000
    1001 101000 64536

This means that UID 1000 inside the child namespace is mapped to the same UID 1000 on the host via the intermediate namespace created by rootless podman. UIDs 0 to 999 inside the child namespace are mapped to UIDs 100000 to 100999 on the host.

This change requires this runc pull request to work: https://github.com/opencontainers/runc/pull/1862

As suggested by Giuseppe Scrivano.
#!/bin/sh
#
# Copyright © 2018 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Load the host's release metadata. The file is executed as shell code in
# this process; only VERSION_ID is read from it below.
. /etc/os-release

# Image names. The per-user image is derived from the base image and is
# tagged with the host release so that both track the host's version.
# NOTE(review): $USER comes from the environment and is not validated
# before it is embedded in image and container names.
base_toolbox_image="fedora-toolbox:${VERSION_ID}"
toolbox_image="fedora-toolbox-${USER}:${VERSION_ID}"

# The container carries the same name as the per-user image.
toolbox_container=$toolbox_image

# Prompt exported as PS1 into the container shell; the escapes are
# expanded by the shell inside the container, not here.
toolbox_prompt="🔹[\u@\h \W]\\$ "
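# Build the per-user toolbox image if it does not exist yet, then create the
# toolbox container from it.
#
# Globals (read): toolbox_image, base_toolbox_image, toolbox_container,
#                 USER, UID, HOME, XDG_RUNTIME_DIR; file descriptor 42
#                 (where the tools' stderr is sent; opened by the caller).
# Outputs:        diagnostics on stderr.
# Returns:        0 on success, 1 on the first failing step. The body runs
#                 in a subshell, so 'exit' only leaves this function.
#
# Every expansion is quoted: an empty value or one containing whitespace or
# glob characters would otherwise shift or add arguments to buildah/podman.
create()
(
    working_container_name="fedora-toolbox-working-container-$(uuidgen --time)"

    # Remove the half-built working container (best effort), report the
    # reason on stderr and abort. 'buildah rm' is used because the thing
    # being cleaned up is a working container; 'buildah rmi' removes images
    # and would leave the container behind.
    abort_build()
    {
        buildah rm "$working_container_name" >/dev/null 2>&42
        echo "$0: $1" >&2
        exit 1
    }

    # Fixed-string match so that '.' or other regex characters in the image
    # name are not interpreted as a pattern. This is still a substring match
    # against the whole listing.
    if ! buildah images --noheading | grep --quiet --fixed-strings -- "$toolbox_image"; then
        if ! buildah from --name "$working_container_name" "$base_toolbox_image" >/dev/null 2>&42; then
            echo "$0: failed to create working container" >&2
            exit 1
        fi

        if ! buildah containers --noheading | grep --quiet --fixed-strings -- "$working_container_name"; then
            echo "$0: failed to create working container" >&2
            exit 1
        fi

        # Mirror the host user inside the image with the same UID.
        # NOTE(review): together with 'passwd -d' below this leaves a
        # password-less member of 'wheel' in the image; what that grants
        # depends on the base image's sudo/su configuration.
        if ! buildah run "$working_container_name" -- useradd \
                 --no-create-home \
                 --uid "$UID" \
                 --groups wheel \
                 "$USER" \
                 >/dev/null 2>&42; then
            abort_build "failed to create user $USER with UID $UID"
        fi

        if ! buildah run "$working_container_name" -- passwd -d "$USER" >/dev/null 2>&42; then
            abort_build "failed to remove password for user $USER"
        fi

        if ! buildah config --volume "$HOME" "$working_container_name" >/dev/null 2>&42; then
            abort_build "failed to configure volume for $HOME"
        fi

        # The message names the directory actually configured rather than a
        # hard-coded /run/user/$UID.
        if ! buildah config --volume "$XDG_RUNTIME_DIR" "$working_container_name" >/dev/null 2>&42; then
            abort_build "failed to configure volume for $XDG_RUNTIME_DIR"
        fi

        if ! buildah config --user "$USER" "$working_container_name" >/dev/null 2>&42; then
            abort_build "failed to configure the default user as $USER"
        fi

        if ! buildah config --workingdir "$HOME" "$working_container_name" >/dev/null 2>&42; then
            abort_build "failed to configure the initial working directory to $HOME"
        fi

        if ! buildah commit --rm "$working_container_name" "$toolbox_image" >/dev/null 2>&42; then
            abort_build "failed to create image $toolbox_image"
        fi
    fi

    # Three --uidmap entries (container:parent:count) build a second user
    # namespace below the one rootless podman creates:
    #   $UID            -> parent 0              (the invoking host user)
    #   0 .. $UID-1     -> parent 1 .. $UID      (subordinate UIDs)
    #   $UID+1 .. 65535 -> same IDs in the parent
    # so the user's UID inside the container is the same UID on the host.
    max_uid_count=65536
    max_minus_uid=$((max_uid_count-UID))
    uid_plus_one=$((UID+1))

    # --privileged, --network host and --security-opt label=disable remove
    # most of the isolation a container normally provides, and $HOME plus the
    # runtime directory are shared read-write with the host. The result is a
    # convenience environment, not a security boundary.
    if ! podman create \
             --hostname toolbox \
             --interactive \
             --name "$toolbox_container" \
             --network host \
             --privileged \
             --security-opt label=disable \
             --tty \
             --uidmap "$UID:0:1" \
             --uidmap "0:1:$UID" \
             --uidmap "$uid_plus_one:$uid_plus_one:$max_minus_uid" \
             --volume "$HOME:$HOME" \
             --volume "$XDG_RUNTIME_DIR:$XDG_RUNTIME_DIR" \
             "$toolbox_image" \
             /bin/sh >/dev/null 2>&42; then
        echo "$0: failed to create container $toolbox_container" >&2
        exit 1
    fi
)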
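# Start the toolbox container and run the user's login shell inside it.
#
# Globals (read): toolbox_container, toolbox_prompt, SHELL and the session
#                 variables forwarded below; file descriptor 42 (where the
#                 tools' stderr is sent; opened by the caller).
# Outputs:        diagnostics on stderr.
# Returns:        the status of 'podman exec'; exits the script with 1 if
#                 the container cannot be started.
#
# Every forwarded value is quoted. Unquoted, a value containing whitespace
# or glob characters (XDG_DATA_DIRS, DBUS_SESSION_BUS_ADDRESS, ...) would be
# split into extra words that podman would parse as further arguments.
#
# NOTE(review): DBUS_SESSION_BUS_ADDRESS, SSH_AUTH_SOCK, DISPLAY and
# XDG_RUNTIME_DIR hand the host session's endpoints to the container, so
# processes inside it can reach whatever those endpoints expose.
enter()
{
    if ! podman start "$toolbox_container" >/dev/null 2>&42; then
        echo "$0: failed to start container $toolbox_container" >&2
        exit 1
    fi

    podman exec \
        --env COLORTERM="$COLORTERM" \
        --env DBUS_SESSION_BUS_ADDRESS="$DBUS_SESSION_BUS_ADDRESS" \
        --env DESKTOP_SESSION="$DESKTOP_SESSION" \
        --env DISPLAY="$DISPLAY" \
        --env LANG="$LANG" \
        --env PS1="$toolbox_prompt" \
        --env SHELL="$SHELL" \
        --env SSH_AUTH_SOCK="$SSH_AUTH_SOCK" \
        --env TERM="$TERM" \
        --env VTE_VERSION="$VTE_VERSION" \
        --env XDG_CURRENT_DESKTOP="$XDG_CURRENT_DESKTOP" \
        --env XDG_DATA_DIRS="$XDG_DATA_DIRS" \
        --env XDG_MENU_PREFIX="$XDG_MENU_PREFIX" \
        --env XDG_RUNTIME_DIR="$XDG_RUNTIME_DIR" \
        --env XDG_SEAT="$XDG_SEAT" \
        --env XDG_SESSION_DESKTOP="$XDG_SESSION_DESKTOP" \
        --env XDG_SESSION_ID="$XDG_SESSION_ID" \
        --env XDG_SESSION_TYPE="$XDG_SESSION_TYPE" \
        --env XDG_VTNR="$XDG_VTNR" \
        --interactive \
        --tty \
        "$toolbox_container" \
        "$SHELL" -l 2>&42
}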
# Print the three supported invocations to stdout, one per line, using the
# name the script was started with.
usage()
{
    printf '%s\n' \
        "Usage: $0 [-v | --verbose] create" \
        " or: $0 [-v | --verbose] enter" \
        " or: $0 --help"
}
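# Entry point: parse leading options, then dispatch to the requested command.
#
# File descriptor 42 is where create() and enter() send the stderr of
# buildah/podman. It points at /dev/null by default and is re-pointed at the
# real stderr by -v/--verbose.
# NOTE(review): a two-digit descriptor and $UID (used by create) are bash
# features, while the file's shebang is /bin/sh; this only works where
# /bin/sh is bash.
exec 42>/dev/null

# Consume every leading word that starts with '-'. The loop and the option
# dispatch share one 'case', which avoids the bash-only '[[ ... ]]' test.
while :; do
    case "$1" in
        -h | --help )
            usage
            exit
            ;;
        -v | --verbose )
            exec 42>&2
            ;;
        -* )
            # Diagnostics go to stderr so they are not mistaken for output.
            echo "$0: unrecognized option '$1'" >&2
            echo "Try '$0 --help' for more information." >&2
            exit 1
            ;;
        * )
            break
            ;;
    esac
    shift
done

if [ -z "$1" ]; then
    echo "$0: missing command" >&2
    echo "Try '$0 --help' for more information." >&2
    exit 1
fi

op=$1
case "$op" in
    create )
        create
        # Bare 'exit' propagates the status of the command just run.
        exit
        ;;
    enter )
        enter
        exit
        ;;
    * )
        echo "$0: unrecognized command '$1'" >&2
        echo "Try '$0 --help' for more information." >&2
        exit 1
        ;;
esac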