Could container UID outside of mapped range be detected during validation of input arguments? #21330
eriksjolund started this conversation in General
The discussion about using a big UID in
reminded me of the troubleshooting tip
10) rootless setup user: invalid argument
The troubleshooting tip does not currently mention --userns=keep-id:uid=$id,gid=$id
I could try writing a PR to fix that.
Another thing: Could podman or crun classify such input as invalid when validating the input?
Are there any valid situations of using --user=$id:$id where $id is not in the mapped ranges?
Here is an example of how it currently works:
Example 1
The specified container UID 65536 is in the mapped ranges.
Example 2
The specified container UID 65537 is not in the mapped ranges. The podman command fails.
Add --userns=keep-id:uid=$id,gid=$id
Now the podman command succeeds.
Instead of
Error: OCI runtime error: crun: setgroups: Invalid argument
something like this would be more useful
Error: the specified container user UID is not mapped in the user namespace. Consider using --userns=keep-id:uid=65537,gid=65537
Some time in the future I could try to add this feature. (I don't want to promise anything)
In any case, it would be interesting to hear if you think this would be a useful feature?
update 1
When I started writing some text to add to the troubleshooting tip, I noticed 3 different error messages from crun
(with -ti)
(with -ti)
(without -ti)
but only one error message from runc
(with or without -ti)
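A sketch of the kind of input validation asked about above, added here as an illustration and not part of the original post or of podman's or crun's code: it parses text in the /proc/<pid>/uid_map format and reports whether a requested container UID/GID falls inside a mapped range. The function names and the sample map (host UID 1000 plus a 65536-ID subordinate range) are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// idRange is one uid_map/gid_map line: first ID inside the namespace, first ID outside, length.
type idRange struct{ inside, outside, length uint64 }

// Constructed sample map: container IDs 0..65536 are mapped, 65537 is not.
const sampleMap = "         0       1000          1\n         1     100000      65536\n"

// parseIDMap parses text in the /proc/<pid>/uid_map format.
func parseIDMap(text string) ([]idRange, error) {
	var ranges []idRange
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		var r idRange
		if _, err := fmt.Sscanf(line, "%d %d %d", &r.inside, &r.outside, &r.length); err != nil {
			return nil, fmt.Errorf("bad map line %q: %w", line, err)
		}
		ranges = append(ranges, r)
	}
	return ranges, nil
}

// isMapped reports whether a container ID falls inside any mapped range.
func isMapped(ranges []idRange, id uint64) bool {
	for _, r := range ranges {
		// Subtracting first avoids overflow for ranges near the uint64 limit.
		if id >= r.inside && id-r.inside < r.length {
			return true
		}
	}
	return false
}

// checkUser is a hypothetical pre-flight check for --user=UID:GID (not a podman or crun function).
func checkUser(uidMap, gidMap []idRange, uid, gid uint64) error {
	if isMapped(uidMap, uid) && isMapped(gidMap, gid) {
		return nil
	}
	return fmt.Errorf("container user %d:%d is not mapped in the user namespace; "+
		"consider --userns=keep-id:uid=%d,gid=%d", uid, gid, uid, gid)
}

func main() {
	m, _ := parseIDMap(sampleMap) // constant sample, known to parse
	fmt.Println(checkUser(m, m, 65536, 65536), checkUser(m, m, 65537, 65537))
}
```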