feat: add support for userns #3941
Conversation
Signed-off-by: Shubharanshu Mahapatra <[email protected]>
| Setup: func(data test.Data, helpers test.Helpers) { | ||
| data.Set("validUserns", "nerdctltestuser") | ||
| data.Set("expectedHostUID", "123456789") | ||
| // need to be compiled with containerd version >2.0.2 to support multi uidmap and gidmap. |
There was a problem hiding this comment.
change comment to 2.1.x
| return nil | ||
| } | ||
|
|
||
| func addUser(username string, hostId string) error { |
There was a problem hiding this comment.
This is scary to run by default. Needs to have an opt-in flag like -test.allow-modify-user
Similar:
nerdctl/pkg/testutil/testutil.go
Line 557 in c12aaa3
| } | ||
|
|
||
| newContent := strings.ReplaceAll(string(content), entry, "") | ||
| if err := os.WriteFile(file, []byte(newContent), 0644); err != nil { |
There was a problem hiding this comment.
This is scary too. Needs to be opt-in.
Also, the content of /etc/subuid and /etc/subgid has to be backed up and has to be restored with defer()
| } | ||
|
|
||
| func delUser(username string) error { | ||
| cmd := exec.Command("sudo", "userdel", username) |
There was a problem hiding this comment.
sudo shouldn't be needed when the test is running as the root
| github.com/containerd/cgroups/v3 v3.0.5 | ||
| github.com/containerd/console v1.0.4 | ||
| github.com/containerd/containerd/api v1.8.0 | ||
| github.com/containerd/containerd/v2 v2.0.2 | ||
| github.com/containerd/containerd/v2 v2.0.1-0.20250211161307-525332b29211 |
There was a problem hiding this comment.
Would it be possible to cherry-pick the relevant commit to v2.0?
| @@ -264,6 +264,9 @@ type ContainerCreateOptions struct { | |||
|
|
|||
| // ImagePullOpt specifies image pull options which holds the ImageVerifyOptions for verifying the image. | |||
| ImagePullOpt ImagePullOptions | |||
|
|
|||
| // Userns name for user namespace mapping of container | |||
| Userns string | |||
There was a problem hiding this comment.
| Userns string | |
| UserNS string |
Because Userns looks like Users
| @@ -185,6 +185,27 @@ func Create(ctx context.Context, client *containerd.Client, args []string, netMa | |||
| opts = append(opts, rootfsOpts...) | |||
| cOpts = append(cOpts, rootfsCOpts...) | |||
|
|
|||
| if options.Userns != "" { | |||
| if runtime.GOOS != "linux" || rootlessutil.IsRootless() { | |||
| return nil, generateRemoveStateDirFunc(ctx, id, internalLabels), errors.New("userns is only supported on linux") | |||
There was a problem hiding this comment.
The error is confusing when running in rootless mode on linux
| @@ -279,6 +279,7 @@ func setCreateFlags(cmd *cobra.Command) { | |||
| cmd.Flags().String("ipfs-address", "", "multiaddr of IPFS API (default uses $IPFS_PATH env variable if defined or local directory ~/.ipfs)") | |||
|
|
|||
| cmd.Flags().String("isolation", "default", "Specify isolation technology for container. On Linux the only valid value is default. Windows options are host, process and hyperv with process isolation as the default") | |||
| cmd.Flags().String("userns", "", "Support idmapping of containers. This options is only supported on linux. If `host` is passed, no idmapping is done. if a user name is passed, it does idmapping based on the uidmap and gidmap ranges specified in /etc/subuid and /etc/subgid respectively") | |||
There was a problem hiding this comment.
Please add docs/command-reference.md.
Also, the command line seems incompatible with Docker?
Docker doesn't accept a username here, and the name is hardcoded to "dockremap".
Maybe we should have its equivalent as "nerdremap"?
There was a problem hiding this comment.
Podman accepts --subuidname string --subgidname string to specify a custom user name
Adds support for running containers with custom user namespace mappings through
the --userns flag in 'run' and 'create' commands.
Key Features:
Technical Details:
Dependencies:
Testing:
This enhancement improves container isolation by providing
flexible user namespace mapping capabilities.
Size: XL