Add use rootless page #93
Conversation
Thanks for contributing!
The linter seems to be complaining about some white spaces.
Co-authored-by: eitsupi <[email protected]>
Thanks for doing this @zeehio, we appreciate the contribution. I'll leave this open while we resolve the discussion over at rocker-org/rocker-versioned2#636. Thanks for the link to containers/podman#18333, I don't follow the details there but seems to have momentum so we can see what comes out of that as well. @agila5 @hute37 or others using rootless docker -- your thoughts are welcome on these docs as well!
Just a note ... Now I'm busy configuring a working rootless podman setup with full CUDA support. I'm interested in CRAN. Some references here:
In the original issue: There is some comment useful for documentation about process/filesystem uid/gid mapping
@hute37 Thanks for comments! It seems that the issues you linked to still exist, but I have merged rocker-org/rocker-versioned2#636 and would like to merge this PR and see what happens.
Just to give you an update on this issue. It may be that podman reviewers do not like my implementation, or that it does not get enough attention to make it to the end. But I'll do my best. This is my ideal roadmap, with checks where "it's done":
The simpler instructions will be:
I read the page, it looks good. About group data sharing I'm not an expert here, but maybe Podman Volumes could provide a more natural support. In labs, where I can freely manage user accounts, I tried a different approach, setting the data group as "primary" group and swapping the default group (same name as userid) in as an alternate user group. About documentation, for default podman group membership mapping:
Dan Walsh's Blog: For CUDA support:
This PR has a balance of 117 additions and 209 deletions. Six months ago I wrote an article about using rocker in rootless containers. - #93 Some settings were complicated due to limitations in the `--gidmap` syntax exposed by Podman. As discussed there, I ended up contributing syntax enhancements to Podman. This PR simplifies the explanations of the rootless page in the website, using the lessons learned while working on Podman. It also focuses on the `how it works` instead of the `why it works`, now that the syntax improvements make options more natural. It preserves instructions for earlier podman versions, although upgrading is encouraged. --------- Co-authored-by: eitsupi <[email protected]>
Tagging @cboettig since he suggested that I write something here
I have a solution for running the container rootless:
There are many advantages to rootless containers, the main one being security.
The main caveat with rootless containers is when we want to map additional groups to the container (for instance when we have an additional group that owns a "shared_data" directory we want to access). In that case, we still need to learn quite a bit about id mapping. I've done my best to explain how things work and to provide a step-by-step guide in this pull request.
Hopefully this will eventually be simplified. It may be that I have overlooked something.
I guess we can wait some days to see how the issue evolves. It may be that I've missed something and my solution is overly complicated or that some feature needs to land in podman to simplify additional group management.
English is not my primary language. I would appreciate feedback or changes in wording.
Besides, I've been writing this for too long. I may need to take some time to get some perspective and re-read it again, but I believe it is worth a first read.
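The "shared_data" group problem above comes down to id-mapping arithmetic. The script below is an added illustration written for this thread, not code from this PR, from the rocker project or from Podman. It assumes a hypothetical user `alice` with constructed `/etc/subgid` entries (the shared group gid 1500 delegated as its own one-id entry, as `usermod --add-subgids 1500-1500 alice` would leave it), and it assumes the layout rootless Podman gives its intermediate user namespace: the user's own gid sits at 0 and the subgid ranges follow from 1 upward in file order. From that it derives the legacy `--gidmap container_gid:intermediate_gid:count` triplets (the form the PR calls complicated) needed so that the shared group keeps the same numeric gid inside the container, splitting the default identity range around it when necessary and refusing gids that are not delegated.

```shell
#!/bin/sh
# Constructed /etc/subgid content for a hypothetical user "alice" (sample data,
# not taken from the PR). Replace with `cat /etc/subgid` to read the real file.
SUBGID_SAMPLE='alice:100000:65536
alice:1500:1
alice:70000:1'

# Position of host gid $2 (delegated to user $1) in the intermediate user
# namespace: assumed layout is own gid -> 0, then each subgid range in file
# order starting at 1. Prints the position, fails if the gid is not delegated.
intermediate_gid() {
  printf '%s\n' "$SUBGID_SAMPLE" | awk -F: -v u="$1" -v g="$2" '
    $1 == u {
      start = $2 + 0; count = $3 + 0
      if (g >= start && g < start + count) { print 1 + offset + (g - start); found = 1; exit }
      offset += count
    }
    END { if (!found) exit 1 }'
}

# Emit --gidmap triplets so that host gid $3 keeps the same numeric gid inside
# the container, while root (0:0:1) and the first subgid range of size $2
# (1:1:$2) stay mapped the way rootless podman maps them by default.
gidmap_same_gid() {
  user=$1; first_count=$2; gid=$3
  inter=$(intermediate_gid "$user" "$gid") || {
    echo "gid $gid is not delegated to $user in subgid" >&2; return 1; }
  if [ "$inter" -le "$first_count" ]; then
    # Inside the first range the id is already mapped (to a different container
    # gid); this helper only handles a gid delegated as its own subgid entry.
    echo "gid $gid lies inside the first subgid range; delegate it as a separate entry" >&2
    return 1
  fi
  if [ "$gid" -le "$first_count" ]; then
    # The wanted container gid collides with the identity block 1..first_count,
    # so split that block around it: 1..gid-1, the shared gid, gid+1..first_count.
    printf '%s\n' "--gidmap 0:0:1 --gidmap 1:1:$((gid - 1)) --gidmap $gid:$inter:1 --gidmap $((gid + 1)):$((gid + 1)):$((first_count - gid))"
  else
    # Above the identity block: one extra triplet is enough.
    printf '%s\n' "--gidmap 0:0:1 --gidmap 1:1:$first_count --gidmap $gid:$inter:1"
  fi
}

# Usage: the flags are printed, not executed. Hypothetical invocation:
#   podman run $(gidmap_same_gid alice 65536 1500) -v /srv/shared_data:/shared_data rocker/r-ver
gidmap_same_gid alice 65536 1500
```

For gid 1500 the script prints `--gidmap 0:0:1 --gidmap 1:1:1499 --gidmap 1500:65537:1 --gidmap 1501:1501:64036`: the 65536-id identity block is cut in two so that container gid 1500 can point at intermediate id 65537, where the separately delegated host gid lands. A quick check after starting the container is that files created in the shared directory from inside it show the shared group's gid on the host, which is the whole point of keeping the numeric gid identical on both sides.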