Clarify preparation step 1 #5

Open
cmd-ntrf opened this issue Feb 7, 2023 · 3 comments

@cmd-ntrf
Contributor

cmd-ntrf commented Feb 7, 2023

Hi Ryan,

First, thank you for portwrap; it is exactly what we have been looking for to isolate users' jupyter proxy servers on our clusters for a loooong time.

I was able to install bubblewrap, slirp4netns and portwrap all in user space and make it work on our production clusters. Which brings me to a question: I haven't done anything related to uid / gid mapping, nor did the administrator. Am I missing something or is that step optional? The rootless containers documentation is a bit vague on when it is actually required.

Thanks again!

EDIT:
My tests were done with

  • Rocky 8.7 - kernel 4.18.0-425.10.1.el8_7.x86_64
  • bubblewrap 0.4.0
  • slirp4netns 1.2.0

@ryanlovett
Owner

Thanks for testing, and I'm very happy to hear that it is working for you!

In my early experiments it was necessary in order for the user namespace to work, so I wonder if it is due to version differences between our kernels and bubblewrap. I have deployed on Ubuntu 20.04 with bubblewrap 0.4.0 (non-suid).

During my testing I also experimented with different features and configurations of bubblewrap so it might be the case that preparing the subuid/subgid files is no longer necessary. At face value, portwrap does not need to remap any UID or GID since, except for one aspect of networking, I just want the user to see the same environment inside the namespace. However I do recall that at one stage for some set of trials, I definitely needed it.

Let me do some more experimentation and I'll get back to you.

@manics

manics commented Feb 8, 2023

subuid/subgid is automatically configured on some operating systems, e.g. Fedora. It looks like it's included in Rocky Linux too:

```
$ podman run -it --rm rockylinux:8
[root@7964bb379d86 /]# cat /etc/subuid
[root@7964bb379d86 /]# useradd -m test
[root@7964bb379d86 /]# cat /etc/subuid
test:100000:65536
```

@mahendrapaipuri

@ryanlovett Thanks for this tool. As @cmd-ntrf said, it is very useful for HPC platforms.

Regarding subuid/subgid, they are only needed when we use user mapping. If we want to map the current user on the host to root inside the bubblewrap container using the --uid 0 CLI argument, we need to have user UID/GID mappings defined. As the actual version of portwrap does not do any special user mapping, it should work out of the box even if user UID/GID mappings are not set up.
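
A preflight check for the question this thread settles, as an added shell example that is not part of the thread or of portwrap: it reports whether a user has subordinate ranges in `/etc/subuid` and `/etc/subgid`, or can only map their own single UID/GID. The function names and the `/proc/sys/user/max_user_namespaces` check are assumptions added here, not something the thread mentions.

```shell
#!/bin/sh
# Added example (not portwrap code): preflight check for rootless user namespaces.
# Function names are illustrative. ID files follow subuid(5): name-or-uid:start:count

# Print "start count" for each subordinate range owned by USER in FILE.
# Returns 1 when FILE is unreadable or holds no valid range for USER.
subid_ranges() {
    user=$1; file=$2
    [ -r "$file" ] || return 1
    uid=$(id -u "$user" 2>/dev/null) || uid=
    awk -F: -v u="$user" -v n="$uid" '
        NF == 3 && ($1 == u || (n != "" && $1 == n)) &&
        $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $3 + 0 > 0 {
            print $2, $3; found = 1
        }
        END { exit (found ? 0 : 1) }' "$file"
}

# Succeeds when the per-user namespace limit is non-zero. This is necessary but
# not sufficient: distributions may add their own restrictions on top.
# The path is a parameter only so the check can be exercised against a test file.
userns_enabled() {
    limit_file=${1:-/proc/sys/user/max_user_namespaces}
    [ -r "$limit_file" ] && [ "$(cat "$limit_file")" -gt 0 ] 2>/dev/null
}

# Print which kind of ID mapping USER can obtain:
#   none      - user namespaces are disabled
#   range     - subuid and subgid ranges exist, so many IDs can be mapped
#   single-id - no ranges; only the caller's own UID/GID can be mapped
userns_mapping_mode() {
    user=$1; subuid=${2:-/etc/subuid}; subgid=${3:-/etc/subgid}; limit=$4
    userns_enabled "$limit" || { echo none; return 0; }
    if subid_ranges "$user" "$subuid" >/dev/null &&
       subid_ranges "$user" "$subgid" >/dev/null; then
        echo range
    else
        echo single-id
    fi
}

# Report for the invoking user when run as a script.
userns_mapping_mode "${USER:-$(id -un)}"
```

A result of `single-id` matches the setup reported at the top of the thread, where nothing was configured for uid/gid mapping.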
