
Commit cfcf4eb

Map the host UID into the container
Assuming a host UID of 1000, the UID mapping inside the user namespace created by rootless podman for the toolbox container was:

    0 1000 1
    1 100000 65536

... which was the same as seen from the host:

    0 1000 1
    1 100000 65536

Therefore, when running with a UID of 1000 inside the container, it got mapped to UID 100999 on the host. That means, for example, files created by the user inside the container end up looking funny from the host.

This is addressed by creating another user namespace that's a child of the initial user namespace created by rootless podman. Assuming a host UID of 1000, the UID mapping inside this child namespace is:

    1000 0 1
    0 1 1000
    1001 1001 64536

... which when seen from the host is:

    1000 1000 1
    0 100000 1000
    1001 101000 64536

This means that UID 1000 inside the child namespace is mapped to the same UID 1000 on the host via the intermediate namespace created by rootless podman. UIDs 0 to 999 inside the child namespace are mapped to UIDs 100000 to 100999 in the host.

This change requires this runc pull request to work: opencontainers/runc#1862

As suggested by Giuseppe Scrivano.
1 parent a878a1f commit cfcf4eb
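To check the arithmetic in the commit message, here is an added example (not code from the fedora-toolbox project) that composes nested uid_map tables the way the kernel does and derives the three --uidmap ranges from the invoking UID. The parent mapping is constructed from the commit message for a host UID of 1000; the function names are this example's own.

```python
# Added example, not part of the fedora-toolbox commit: compose nested uid_map
# tables to see where a UID inside the child namespace lands on the host.

def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map style lines into (inside, outside, count) triples."""
    return [tuple(int(f) for f in line.split())
            for line in text.splitlines() if line.strip()]

def map_outward(uid, uid_map):
    """Translate a UID inside a namespace to its value in the parent namespace.
    Returns None when the UID is not covered by any range (the kernel shows such
    ids as the overflow id from outside)."""
    for inside, outside, count in uid_map:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None

def to_host(uid, maps):
    """Walk outward through nested namespaces; `maps` is innermost map first."""
    for uid_map in maps:
        uid = map_outward(uid, uid_map)
        if uid is None:
            return None
    return uid

def toolbox_uidmap_args(uid, max_uid_count=65536):
    """Reproduce the three --uidmap ranges the commit passes to podman create:
    <uid>:0:1, 0:1:<uid>, <uid+1>:<uid+1>:<max_uid_count-uid>.
    The same arithmetic in the script would yield a non-positive range length
    for UIDs at or above max_uid_count, so refuse those explicitly."""
    if not 0 < uid < max_uid_count:
        raise ValueError(f"UID {uid} not in 1..{max_uid_count - 1}")
    return [(uid, 0, 1), (0, 1, uid), (uid + 1, uid + 1, max_uid_count - uid)]

# Constructed from the commit message: mapping of the rootless podman namespace
# for host UID 1000 (identical whether read from inside or from the host).
PARENT_MAP = parse_uid_map("0 1000 1\n1 100000 65536\n")
# Child namespace created by the new --uidmap flags for UID 1000.
CHILD_MAP = toolbox_uidmap_args(1000)

if __name__ == "__main__":
    print("without child namespace, UID 1000 ->", map_outward(1000, PARENT_MAP))
    for uid in (0, 999, 1000, 1001, 65536, 65537):
        print(f"child UID {uid:5} -> host {to_host(uid, [CHILD_MAP, PARENT_MAP])}")
```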


1 file changed: +6 -0 lines changed


fedora-toolbox

+6
@@ -88,6 +88,9 @@ create()
8888
fi
8989
fi
9090

91+
max_uid_count=65536
92+
max_minus_uid=$((max_uid_count-UID))
93+
uid_plus_one=$((UID+1))
9194
if ! podman create \
9295
--hostname toolbox \
9396
--interactive \
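Review bot: `max_minus_uid=$((max_uid_count-UID))` at the top of this hunk becomes zero or negative as soon as the invoking UID is 65536 or higher (ids allotted by LDAP, FreeIPA or AD are commonly in that range), which turns the third `--uidmap` range passed later into an invalid one; suggest failing early with a clear message when `UID` is not below `max_uid_count`. The hard-coded 65536 also only matches the subordinate range size shown in the commit message (`1 100000 65536`); a user with a different allotment in /etc/subuid gets a child mapping that does not line up with the parent one. Note as well that `UID` is a variable set by bash rather than an exported environment variable, so this arithmetic ties the script to bash, not /bin/sh.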
@@ -96,6 +99,9 @@ create()
9699
--privileged \
97100
--security-opt label=disable \
98101
--tty \
102+
--uidmap $UID:0:1 \
103+
--uidmap 0:1:$UID \
104+
--uidmap $uid_plus_one:$uid_plus_one:$max_minus_uid \
99105
--volume $HOME:$HOME \
100106
--volume $XDG_RUNTIME_DIR:$XDG_RUNTIME_DIR \
101107
$toolbox_image \
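Review bot: only `--uidmap` ranges are added here, with no matching `--gidmap`, so unless podman derives the group mapping from the UID one, the group ownership of files the user creates will still show up from the subordinate range on the host and half of the "files look funny" problem from the commit message remains. Suggest adding the equivalent `--gidmap $UID:0:1`, `--gidmap 0:1:$UID` and `--gidmap $uid_plus_one:$uid_plus_one:$max_minus_uid` lines, or confirming that podman fills them in. It would also help to record next to these flags that the mapping depends on the runc change opencontainers/runc#1862 named in the commit message, since an older runc will not set up a container with this mapping.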
