oci-unpack to handle UID/GID mappings #33
Comments
On Mon, Oct 03, 2016 at 03:05:50PM -0700, George Lestaris wrote:

I don't think you need the first two, and --fallback-uid can always be

Then you can achieve your desired semantics by unpacking in a user |

I agree that we can avoid something like

```
oci-download --ref 3.2.5 oci://registry.opencontainers.org/redis ./redis-image
oci-unpack --ref 3.2.5 --uid-mapping 1000:0:1000 ./redis-image ./redis-bundle
cd ./redis-bundle
oci-runtime-tool generate --uidmappings 1000:0:1000 --args redis-server
runc create my-redis
```

If we have to create the user namespace before unpacking the rootfs we would either have to use |
On Tue, Oct 04, 2016 at 01:30:55AM -0700, George Lestaris wrote:
I don't mind calling unshare or runC for this. And the OCI spec is a ccon -s '
That's more typing than a two command line options, but you could wrap |
To be honest, all I really want for

The discussion in #3 about whether it can ever be "correct" to output such a rootfs is missing the point IMO. What matters is that I can set the correct owners inside the diff layers (whether or not I had to cheat to do it is a separate issue -- and outside the concern of the extraction API). |
As discussed lately in #3, `oci-unpack` could also be handling UID/GID translation to prepare the unpacked image (rootfs) for a container that uses a user namespace with UID/GID mappings. There are, so far, the following use cases:

I would propose extending the `oci-unpack` interface by adding:

* `--uid-mapping <Namespace UID>:<Host UID>:<Size>` (similar to the `/proc/$PID/uid_map` structure). It can be provided multiple times.
* `--gid-mapping` which handles the GID mappings similarly.
* `--fallback-uid <Namespace UID>` When provided, if a tar entry UID is not mapped the unpacked file will be owned by `<Namespace UID>`. If the flag is not provided and an unmapped UID is encountered, `oci-unpack` should fail.

Grootfs is implementing the `--uid-mapping` and `--gid-mapping` flags but I would prefer this translation logic to live in `oci-unpack`.
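Added example, not code from image-tools, grootfs or anyone in this thread: a Python sketch of the translation the proposed `--uid-mapping`/`--gid-mapping`/`--fallback-uid` flags would perform, mapping each tar entry's namespace UID/GID to the host ID the unpacked file would be chowned to and failing on an unmapped ID when no fallback is given. The mapping ranges, entry names and the `translate`/`plan_ownership` helpers are assumptions made for the example; it only computes the owners and writes nothing to disk.

```python
import io
import tarfile

class UnmappedIDError(ValueError):
    """A tar entry id has no --uid-mapping/--gid-mapping entry and no fallback."""

def parse_mapping(spec):
    """Parse '<Namespace ID>:<Host ID>:<Size>' (same layout as /proc/$PID/uid_map)."""
    ns, host, size = (int(x) for x in spec.split(":"))
    if min(ns, host) < 0 or size <= 0:
        raise ValueError("bad mapping %r" % spec)
    return ns, host, size

def to_host(mappings, ns_id):
    """Host id for a namespace id across all mapping ranges, or None if unmapped."""
    for ns, host, size in mappings:
        if ns <= ns_id < ns + size:
            return host + (ns_id - ns)
    return None

def translate(mappings, ns_id, fallback=None):
    """Translate a tar-entry id; an unmapped id falls back to the (mapped)
    fallback namespace id, and fails if there is no fallback either."""
    host = to_host(mappings, ns_id)
    if host is None and fallback is not None:
        host = to_host(mappings, fallback)
    if host is None:
        raise UnmappedIDError("no mapping for id %d" % ns_id)
    return host

def build_layer(entries):
    """Constructed sample layer: an in-memory tar from (name, uid, gid) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, uid, gid in entries:
            info = tarfile.TarInfo(name)
            info.uid, info.gid, info.size = uid, gid, 1
            tar.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()

def plan_ownership(layer, uid_maps, gid_maps, fallback_uid=None):
    """Return {entry name: (host uid, host gid)} an unpack would chown to.
    Only --fallback-uid is proposed in the issue, so GIDs get no fallback here."""
    plan = {}
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
        for info in tar:
            plan[info.name] = (translate(uid_maps, info.uid, fallback_uid),
                               translate(gid_maps, info.gid))
    return plan
```

With a single `0:100000:65536` mapping and `--fallback-uid 0`, an entry owned by UID 70000 lands on host UID 100000; without the fallback the same layer makes the unpack fail, which is the behaviour the proposal asks for.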