How to map host UID to container UID using Podman?


I am trying to start an NGINX as an unprivileged user to just serve files from a directory. I need to map container UID (nginx) 101 to my current host UID 1000 so it can access the mounted data.

What I try:

podman run --rm -i -p 9876:8080 \
--uidmap 101:@1000:1 \
--volume `pwd`:/usr/share/nginx/html:ro \
docker.io/nginxinc/nginx-unprivileged

However, it fails:

Error: initializing ID mappings: UID setting is malformed expected ["uint32:uint32:uint32"]: ["101:@1000:1"]

whereas the Podman docs say it should work with @1000, but it throws an error. It is highly possible that I don't understand what the docs say, but at least it should not throw such errors.

Is it possible to easily map a rootless host UID to a container UID?

Quote:

Referencing a host ID from the parent namespace

As a rootless user, the given host ID in --uidmap or --gidmap is mapped from the intermediate namespace generated by Podman. Sometimes it is desirable to refer directly at the host namespace. It is possible to manually do so, by running podman unshare cat /proc/self/gid_map, finding the desired host id at the second column of the output, and getting the corresponding intermediate id from the first column.

Podman can perform all that by preceding the host id in the mapping with the @ symbol. For instance, by specifying --gidmap 100000:@2000:1, podman will look up the intermediate id corresponding to host id 2000 and it will map the found intermediate id to the container id 100000. The given host id must have been subordinated (otherwise it would not be mapped into the intermediate space in the first place).

If the length is greater than one, for instance with --gidmap 100000:@2000:2, Podman will map host ids 2000 and 2001 to 100000 and 100001, respectively, regardless of how the intermediate mapping is defined.

Using podman 4.6.2
Client:       Podman Engine
Version:      4.6.2
API Version:  4.6.2
Go Version:   go1.18.1
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

There is 1 answer

Erik Sjölund (BEST ANSWER)

The git commit shows that the functionality was added to Podman 4.7.

The git commit message also mentions the new syntax of prepending a + to --uidmap:

To simplify this, the second usability improvement is to be able to use:

--gidmap "+20000:@2000:1"

where the plus flag (+) states that the given mapping should extend any previous/default mapping, overriding any previous conflicting assignment.

I did a quick test with rootless Podman. This command does not fail on Podman 4.9.0:

$ podman run \
   --rm \
   -i \
   -p 9876:8080 \
   --uidmap +101:@$(id -u):1 \
   --volume $(pwd):/usr/share/nginx/html:ro \
   docker.io/nginxinc/nginx-unprivileged

Note that

   --uidmap +101:@$(id -u):1

is equivalent to

   --uidmap +101:0:1

because the intermediate UID 0 is always mapped to the regular user on the host, the host UID $(id -u).

An alternative: mapping the regular user on the host to a specific container user can also be done with

--userns=keep-id:uid=$uid,gid=$gid
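The @ lookup that the Podman docs quoted in the question describe, and the reason the answer can say that --uidmap +101:@$(id -u):1 is the same as --uidmap +101:0:1, can be reproduced by hand from the uid_map of the intermediate namespace. The script below is an added example, not code from the question, the answer or the Podman project: it parses a constructed sample of what `podman unshare cat /proc/self/uid_map` prints for a rootless user with host UID 1000 and a subuid range starting at 100000, resolves a host ID to its intermediate ID (second column to first column, honouring the range length in the third column), and rewrites a mapping written with @ into the plain container:intermediate:length form. A host ID that is not subordinated (not covered by any line of the map) is reported as unresolvable, which is the "must have been subordinated" caveat from the docs. The function names and the sample map are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from Podman): resolve the
# "@host_id" form of --uidmap/--gidmap the way the Podman docs describe it.

# Constructed sample of `podman unshare cat /proc/self/uid_map` for a rootless
# user whose host UID is 1000 and whose subuid range is 100000-165535.
# Columns: intermediate_id host_id length
SAMPLE_UID_MAP='         0       1000          1
         1     100000      65536'

# host_to_intermediate MAP HOST_ID
# Print the intermediate id that HOST_ID is mapped from. Exit 1 (and print
# nothing) when HOST_ID falls outside every line of MAP, i.e. the host id has
# not been subordinated and therefore does not exist in the intermediate space.
host_to_intermediate() {
    printf '%s\n' "$1" | awk -v host="$2" '
        NF == 3 && host >= $2 && host < $2 + $3 {
            print $1 + (host - $2)   # offset inside the range carries over
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }'
}

# resolve_mapping MAP "CONTAINER:HOST:LENGTH"
# If HOST starts with "@", replace it by the intermediate id looked up in MAP;
# otherwise pass the mapping through unchanged. A leading "+" on CONTAINER is
# kept as-is, since it is a flag for Podman, not part of the id.
resolve_mapping() {
    map=$1
    spec=$2
    cid=${spec%%:*}
    rest=${spec#*:}
    host=${rest%%:*}
    len=${rest#*:}
    case $host in
        @*) inter=$(host_to_intermediate "$map" "${host#@}") || return 1 ;;
        *)  inter=$host ;;
    esac
    printf '%s:%s:%s\n' "$cid" "$inter" "$len"
}

# Usage: the mapping from the answer, resolved against the sample map.
resolve_mapping "$SAMPLE_UID_MAP" "+101:@1000:1"     # prints +101:0:1
resolve_mapping "$SAMPLE_UID_MAP" "+101:@102000:1"   # prints +101:2001:1
if ! resolve_mapping "$SAMPLE_UID_MAP" "+101:@2000:1"; then
    echo "host id 2000 is not subordinated for this user" >&2
fi
```

Running it against a real system is a matter of replacing SAMPLE_UID_MAP with the output of `podman unshare cat /proc/self/uid_map`; the first line of that map is what makes `@$(id -u)` resolve to intermediate UID 0 for the invoking user, while any other host id only resolves if it lies inside one of the user's subordinate ranges.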