ignore_chown_errors implications

[ebryerwork]

I'm curious to know under what circumstances using --storage-opt=ignore_chown_errors=true will cause a problem. I should say up front that I'm ok with all the container processes running on the host system as the user who called podman. I'll be using a stock Alpine, Ubuntu, or UBI image that will run the program lmgrd in the container. So far, I've found that alpine, ubuntu and ubi work, but ubi-init (has systemd) crashes. Here is what I've found regarding ignore_chown_errors:
I read at https://docs.podman.io/en/latest/markdown/podman.1.html

This option tells Podman when pulling an image to ignore chown errors when attempting to change a file in a container image to match the non-root UID in the image. This means all files get saved as the user’s UID. Note this could cause issues when running the container.

And at https://github.com/containers/storage/blob/main/docs/containers-storage.conf.5.md

The user can pull and use any image even those with multiple uids. Note multiple UIDs will be squashed down to the default uid in the container.

And at https://www.redhat.com/sysadmin/controlling-access-rootless-podman-users

Note that this works fine as long as the only UID that you run inside of the container is the root of the container. If, for any reason, the process attempts to change UID to a UID not defined within the container, it will fail.

And I see when running the podman command

WARN[0000] Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user 

The last quote, a warning message, mentions network users, but I don't understand why. What's different about a network user here? All this leaves it a little bit open as to what might cause a problem. It would be great is someone could explain in a bit more detail.

[rhatdan]

The problem is 1, users might assume that there are more then on user within the container, having a non root user for example.
When you run these type of containers, the container process can read/write all files in the image.

Running a container with --user=XYZ will blow up.

If you do a podman build it is likely to blow up, since the ignore_chown is only happening during the pull. If a process within the container attempts a chown it will blow up.

This flag was added specifically for HPC environments where they do not worry about these issues and tend to run containers with only a single UID.