feat: add support for userns #3941
Conversation
| Setup: func(data test.Data, helpers test.Helpers) { | ||
| data.Set("validUserns", "nerdctltestuser") | ||
| data.Set("expectedHostUID", "123456789") | ||
| // need to be compiled with containerd version >2.0.2 to support multi uidmap and gidmap. |
There was a problem hiding this comment.
change comment to 2.1.x
| return nil | ||
| } | ||
|
|
||
| func addUser(username string, hostId string) error { |
There was a problem hiding this comment.
This is scary to run by default. Needs to have an opt-in flag like -test.allow-modify-user
Similar:
nerdctl/pkg/testutil/testutil.go
Line 557 in c12aaa3
| } | ||
|
|
||
| newContent := strings.ReplaceAll(string(content), entry, "") | ||
| if err := os.WriteFile(file, []byte(newContent), 0644); err != nil { |
There was a problem hiding this comment.
This is scary too. Needs to be opt-in.
Also, the content of /etc/subuid and /etc/subgid has to be backed up and has to be restored with defer()
| } | ||
|
|
||
| func delUser(username string) error { | ||
| cmd := exec.Command("sudo", "userdel", username) |
There was a problem hiding this comment.
sudo shouldn't be needed when the test is running as the root
| github.com/containerd/cgroups/v3 v3.0.5 | ||
| github.com/containerd/console v1.0.4 | ||
| github.com/containerd/containerd/api v1.8.0 | ||
| github.com/containerd/containerd/v2 v2.0.2 | ||
| github.com/containerd/containerd/v2 v2.0.1-0.20250211161307-525332b29211 |
There was a problem hiding this comment.
Would it be possible to cherry-pick the relevant commit to v2.0?
There was a problem hiding this comment.
may not be the commit entirely but only the relevant functions as it is client side.
pkg/api/types/container_types.go
Outdated
| @@ -264,6 +264,9 @@ type ContainerCreateOptions struct { | |||
|
|
|||
| // ImagePullOpt specifies image pull options which holds the ImageVerifyOptions for verifying the image. | |||
| ImagePullOpt ImagePullOptions | |||
|
|
|||
| // Userns name for user namespace mapping of container | |||
| Userns string | |||
There was a problem hiding this comment.
| Userns string | |
| UserNS string |
Because Userns looks like Users
pkg/cmd/container/create.go
Outdated
| @@ -185,6 +185,27 @@ func Create(ctx context.Context, client *containerd.Client, args []string, netMa | |||
| opts = append(opts, rootfsOpts...) | |||
| cOpts = append(cOpts, rootfsCOpts...) | |||
|
|
|||
| if options.Userns != "" { | |||
| if runtime.GOOS != "linux" || rootlessutil.IsRootless() { | |||
| return nil, generateRemoveStateDirFunc(ctx, id, internalLabels), errors.New("userns is only supported on linux") | |||
There was a problem hiding this comment.
The error is confusing when running in rootless mode on linux
| @@ -279,6 +279,7 @@ func setCreateFlags(cmd *cobra.Command) { | |||
| cmd.Flags().String("ipfs-address", "", "multiaddr of IPFS API (default uses $IPFS_PATH env variable if defined or local directory ~/.ipfs)") | |||
|
|
|||
| cmd.Flags().String("isolation", "default", "Specify isolation technology for container. On Linux the only valid value is default. Windows options are host, process and hyperv with process isolation as the default") | |||
| cmd.Flags().String("userns", "", "Support idmapping of containers. This options is only supported on linux. If `host` is passed, no idmapping is done. if a user name is passed, it does idmapping based on the uidmap and gidmap ranges specified in /etc/subuid and /etc/subgid respectively") | |||
There was a problem hiding this comment.
Please add docs/command-reference.md.
Also, the command line seems incompatible with Docker?
Docker doesn't accept a username here, and the name is hardcoded to "dockremap".
Maybe we should have its equivalent as "nerdremap"?
There was a problem hiding this comment.
Podman accepts --subuidname string --subgidname string to specify a custom user name
There was a problem hiding this comment.
Also, the command line seems incompatible with Docker?
if they add host it will behave as docker as we check for that string and create the default snapshot.
For other names it behaves as docker daemon but at a container level rather than at daemon level. Will you suggest we configure it in nerdctl config instead?
There was a problem hiding this comment.
For other names it behaves as docker daemon but at a container level rather than at daemon level. Will you suggest we configure it in nerdctl config instead?
Eventually, the both level should be supported, as in Podman: https://github.com/containers/podman/blob/v5.4.1/docs/source/markdown/options/userns.container.md?plain=1
podman run --userns=autoallocates subuids from the "containers" entry in/etc/subuid.- When
userns=...is specified incontainers.conf, Podman enables UserNS globally, unless--userns=hostis specified.
nerdctl should probably follow the same convention, but s/containers.conf/nerdctl.toml/
Not all the features need to be implemented at once. Can just begin with the easiest one.
Signed-off-by: Shubharanshu Mahapatra <[email protected]>
Shubhranshu153
force-pushed
the
feat-nerdctl-userns
branch
from
e094328 to
068faa5
Compare
| @@ -555,6 +556,7 @@ var ( | |||
| func M(m *testing.M) { | |||
| flag.StringVar(&flagTestTarget, "test.target", Nerdctl, "target to test") | |||
| flag.BoolVar(&flagTestKillDaemon, "test.allow-kill-daemon", false, "enable tests that kill the daemon") | |||
| flag.BoolVar(&flagTestUserNS, "test.allow-modify-user", false, "enable tests on userns") | |||
There was a problem hiding this comment.
| flag.BoolVar(&flagTestUserNS, "test.allow-modify-user", false, "enable tests on userns") | |
| flag.BoolVar(&flagTestModifyUsser, "test.allow-modify-user", false, "enable tests that creates/deletes user accounts on the host") |
The intent is to clarify that the tests modifies the host system (and potentially breaks it, in the worst case)
| @@ -360,3 +363,33 @@ var Private = &test.Requirement{ | |||
| } | |||
| }, | |||
| } | |||
|
|
|||
| var ContainerdV1 = &test.Requirement{ | |||
There was a problem hiding this comment.
Better to use the introspection API to check the existence of the relevant plugin (which one?)
nerdctl/pkg/cmd/container/run_restart.go
Line 36 in 39058fb
| github.com/compose-spec/compose-go/v2 v2.4.9 | ||
| github.com/containerd/accelerated-container-image v1.3.0 | ||
| github.com/containerd/cgroups/v3 v3.0.5 | ||
| github.com/containerd/console v1.0.4 | ||
| github.com/containerd/containerd/api v1.8.0 | ||
| github.com/containerd/containerd/v2 v2.0.4 | ||
| github.com/containerd/containerd/v2 v2.0.1-0.20250211161307-525332b29211 |
There was a problem hiding this comment.
| github.com/containerd/containerd/v2 v2.0.1-0.20250211161307-525332b29211 | |
| github.com/containerd/containerd/v2 v2.1.0-beta.0 |
Adds support for running containers with custom user namespace mappings through
the --userns flag in 'run' and 'create' commands.
Key Features:
Technical Details:
Dependencies:
Testing:
This enhancement improves container isolation by providing
flexible user namespace mapping capabilities.
Size: XL