Is your feature request related to a problem? Please describe.
Podman (and maybe Docker?) now supports user namespaced containers. There are security benefits to running containers this way instead of depending on a root-ful daemon. User namespaced containers change how user/group ids are mapped between the host and container systems. This means that the USERID and GROUPID variables passed around in Polar's docker files no longer work as expected in user namespaced containers and the containers fail to start.
Describe the solution you'd like
I am not sure the best way to support user namespaced containers while not breaking current patterns, but ideally some setting could disable the USERID/GROUPID variables and let the standard mapping take over.
Additional context
For now I think I can get around this by building my own containers which just drop the current entrypoint logic to map USERID/GROUPID.
Thanks for pointing this out @nyonson. I was not aware of these user namespaced containers. The current way that Polar handles user permissions is not ideal, but it was the only way I could get it working across all 3 platforms at the time. I'll have to investigate more on Podman/Docker namespaces to see if it's possible to improve or simplify the implementation. Appreciate it 👍
The part of the current implementation which doesn't play nice with rootless containers is how the users are created dynamically in the docker-entrypoint.sh script. That requires the containers to start out running as root in order to create the new users. Could we instead bake the user creation into the Dockerfile and use the User field in the docker-compose definition?
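The failure mode described in this thread is an entrypoint that unconditionally tries to create or remap a user, which only works when the container starts as root. The following entrypoint sketch is an added example, not Polar's own docker-entrypoint.sh: it decides whether remapping is even possible before attempting it, and otherwise falls back to the user namespace's standard mapping. The variable names USERID and GROUPID, the service account name "app", and the use of shadow-utils (`groupadd`/`useradd`) plus util-linux `setpriv` to drop privileges are assumptions about the base image, not facts taken from the Polar repository.

```shell
#!/bin/sh
# Added example entrypoint (not Polar's): remap to USERID/GROUPID only when
# the container actually runs as root; otherwise keep the identity the
# runtime (rootless Podman/Docker, user namespaces) already assigned.
set -eu

# decide_mapping EUID USERID GROUPID
# Prints "remap" when running as root with both ids supplied, else "keep".
decide_mapping() {
    euid="$1"; want_uid="${2:-}"; want_gid="${3:-}"
    if [ "$euid" -eq 0 ] && [ -n "$want_uid" ] && [ -n "$want_gid" ]; then
        echo remap
    else
        echo keep
    fi
}

# validate_id VALUE -> succeeds only for a non-negative integer, so a
# malformed environment value cannot be spliced into useradd/groupadd.
validate_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# apply_mapping CMD... : root-only path. Creates the assumed "app" account
# with the requested ids, then drops privileges before exec'ing CMD.
# Assumes Debian-style groupadd/useradd and util-linux setpriv in the image.
apply_mapping() {
    validate_id "$USERID" && validate_id "$GROUPID" || {
        echo "USERID/GROUPID must be numeric" >&2
        exit 1
    }
    getent group "$GROUPID" >/dev/null 2>&1 || groupadd -g "$GROUPID" app
    getent passwd "$USERID" >/dev/null 2>&1 || \
        useradd -u "$USERID" -g "$GROUPID" -M -s /sbin/nologin app
    exec setpriv --reuid="$USERID" --regid="$GROUPID" --init-groups -- "$@"
}

main() {
    case "$(decide_mapping "$(id -u)" "${USERID:-}" "${GROUPID:-}")" in
        remap) apply_mapping "$@" ;;
        keep)  exec "$@" ;;   # rootless: trust the namespace's own mapping
    esac
}

# Only act as an entrypoint when invoked under that name, so the functions
# above can also be sourced and exercised on their own.
if [ "${0##*/}" = "docker-entrypoint.sh" ]; then
    main "$@"
fi
```

The `keep` branch is what makes the image start under rootless Podman: the process simply keeps the uid the namespace mapped in, which is the "standard mapping" the issue asks to fall back to. The cleaner long-term shape suggested in the comment above is to create the account at build time in the Dockerfile and pin it with the compose `user:` field, after which the `remap` branch is never exercised and the entrypoint no longer needs root at all.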