OverlayFS Adding Support For IDMAPPED Layers For Various Benefits

  • #11
    Originally posted by polarathene View Post

    I don't quite follow, presently if you use a volume bind mount, there is no mapping done with UID:GID between host and guest(container). There is the ability to run the container and change the UID:GID via a run-time option, but it's not file specific, preventing the user from having the expected permissions in the container to operate correctly. There is config support for the Docker Daemon to do namespace mapping IIRC, it's been a while since I read about that but I think it was container wide, it supported providing a range of IDs to map.

    What you're suggesting is presumably how IDMAPPED would work?
    Yes, but hardcoded. When you start a container and run htop on the host, you'll see that the processes, i.e. the container, are run by some user with a uid like 100000+. You can then change the owner of some file to that user, and in the container it will appear as belonging not to uid 100000 on the host ("nobody") but to whatever uid 100000 maps to inside the container (generally uid 0, so root). This works with any fs without explicit idmapping support.

    Of course, this is somewhat limited and crude, but I do this for a few programs that are picky about who owns files, as OpenSMTPD is for SSL private keys.

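The trick described in the post above relies on the user namespace's uid_map: a host uid such as 100000 is "container root" only because the container's /proc/<pid>/uid_map says so, and any host uid outside the mapped ranges shows up inside as the kernel's overflow uid (65534 by default). The following is an added example, not code from the thread or from any container runtime: it parses text in the uid_map format and translates ownership in both directions. The two mappings are constructed samples (a single 65536-id range as a dockerd userns-remap setup might produce, and a rootless-style map with container root on host uid 1000), not read from a real system; the final read of /proc/self/uid_map is only a live illustration of the format.

```c
/* Added example: translating file ownership across a user namespace's
 * uid_map. Not from the thread or any container runtime; sample maps are
 * constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define MAX_MAP_ENTRIES 16
/* Kernel default for /proc/sys/kernel/overflowuid: what an unmapped host
 * owner appears as inside the namespace (usually the "nobody" account). */
#define OVERFLOW_UID 65534

struct map_entry { uid_t ns_start; uid_t host_start; uid_t count; };
struct uid_map   { struct map_entry e[MAX_MAP_ENTRIES]; int n; };

/* Constructed samples in /proc/<pid>/uid_map format:
 * "<start inside namespace> <start on host> <count>", one range per line. */
static const char *SAMPLE_SINGLE_RANGE = "0 100000 65536\n";          /* assumed userns-remap style */
static const char *SAMPLE_ROOTLESS     = "0 1000 1\n1 100000 65536\n"; /* assumed rootless style */

/* Parse uid_map text into `m`. Returns number of ranges, or -1 on bad input. */
int parse_uid_map(const char *text, struct uid_map *m)
{
    const char *p = text;
    m->n = 0;
    while (*p) {
        unsigned long ns, host, count;
        int used = 0;
        if (m->n == MAX_MAP_ENTRIES ||
            sscanf(p, "%lu %lu %lu%n", &ns, &host, &count, &used) != 3)
            return -1;
        m->e[m->n].ns_start   = (uid_t)ns;
        m->e[m->n].host_start = (uid_t)host;
        m->e[m->n].count      = (uid_t)count;
        m->n++;
        p += used;
        while (*p == '\n' || *p == ' ') p++;   /* skip to the next range line */
    }
    return m->n;
}

/* How a file owned by host uid `host` appears inside the namespace. */
uid_t host_to_ns(const struct uid_map *m, uid_t host)
{
    for (int i = 0; i < m->n; i++) {
        const struct map_entry *e = &m->e[i];
        if (host >= e->host_start && host - e->host_start < e->count)
            return e->ns_start + (host - e->host_start);
    }
    return OVERFLOW_UID;   /* not mapped: shows as the overflow ("nobody") uid */
}

/* Which host uid to chown a file to so that inside the namespace it is owned
 * by `ns`. Returns -1 when `ns` has no mapping (no host owner can produce it). */
long ns_to_host(const struct uid_map *m, uid_t ns)
{
    for (int i = 0; i < m->n; i++) {
        const struct map_entry *e = &m->e[i];
        if (ns >= e->ns_start && ns - e->ns_start < e->count)
            return (long)e->host_start + (long)(ns - e->ns_start);
    }
    return -1;
}

/* Convenience wrappers working directly on uid_map text; -1 on parse error. */
long map_host_uid(const char *map_text, uid_t host)
{
    struct uid_map m;
    if (parse_uid_map(map_text, &m) < 0) return -1;
    return (long)host_to_ns(&m, host);
}

long map_ns_uid(const char *map_text, uid_t ns)
{
    struct uid_map m;
    if (parse_uid_map(map_text, &m) < 0) return -1;
    return ns_to_host(&m, ns);
}

int main(void)
{
    /* The post's scenario: host uid 100000 is root inside the container. */
    printf("host uid 100000 -> container uid %ld\n", map_host_uid(SAMPLE_SINGLE_RANGE, 100000));
    printf("host uid   1000 -> container uid %ld (unmapped)\n", map_host_uid(SAMPLE_SINGLE_RANGE, 1000));
    printf("for container root, chown the host file to uid %ld\n", map_ns_uid(SAMPLE_SINGLE_RANGE, 0));
    printf("rootless map: container root is host uid %ld\n", map_ns_uid(SAMPLE_ROOTLESS, 0));

    /* Live illustration of the format (the init namespace normally reads
     * "0 0 4294967295"); skipped silently where /proc is unavailable. */
    FILE *f = fopen("/proc/self/uid_map", "r");
    if (f) {
        char live[1024];
        size_t len = fread(live, 1, sizeof live - 1, f);
        live[len] = '\0';
        fclose(f);
        printf("this process's uid_map:\n%s", live);
    }
    return 0;
}
```

The direction that matters for the poster's workaround is `ns_to_host`: the host-side chown has to target the host uid that the container's map resolves to the desired in-container owner, and a uid outside every range cannot be produced from the host at all, which is exactly the limitation the post calls crude.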