Support idmap for image volume mounts #23224
base: main
Fixes: containers#23211 Signed-off-by: Daniel J Walsh <[email protected]>
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
@giuseppe This fix still gets a permission denied when doing the mount with --userns=auto, any idea why?
Cockpit tests failed for commit 1a2a619. @martinpitt, @jelly, @mvollmer please check.
idmap is not an option understood by the kernel. We need to create the idmapped mount through
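The kernel-side sequence the comment above refers to, shown as an added example that is not part of this PR or of podman/crun: clone the source mount tree with open_tree(2), attach a user namespace to the clone with mount_setattr(2) and MOUNT_ATTR_IDMAP, then attach the idmapped clone at the destination with move_mount(2). The user namespace that carries the mapping is created by a short-lived helper child whose uid_map/gid_map the (root) parent writes. The "ctr:host:len" triple syntax of the command line is an assumption made for this example, as is the `format_idmap` helper name; the syscall numbers and flag values are the uapi ones for x86_64 and arm64, defined locally so the file builds against older headers.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* uapi values (x86_64/arm64 share the numbers); local copies avoid the
 * <sys/mount.h> vs <linux/mount.h> clash on newer glibc. */
#ifndef SYS_open_tree
#define SYS_open_tree 428
#endif
#ifndef SYS_move_mount
#define SYS_move_mount 429
#endif
#ifndef SYS_mount_setattr
#define SYS_mount_setattr 442
#endif
#define X_OPEN_TREE_CLONE         0x1
#define X_AT_RECURSIVE            0x8000
#define X_AT_EMPTY_PATH           0x1000
#define X_MOVE_MOUNT_F_EMPTY_PATH 0x4
#define X_MOUNT_ATTR_IDMAP        0x00100000
struct x_mount_attr { uint64_t attr_set, attr_clr, propagation, userns_fd; };

/* Assumed input shape "ctr:host:len" -> "ctr host len\n", the line format
 * /proc/PID/uid_map and gid_map accept. Returns 0 on success, -1 on bad input. */
int format_idmap(const char *spec, char *out, size_t outsz) {
    unsigned ctr, host, len;
    if (sscanf(spec, "%u:%u:%u", &ctr, &host, &len) != 3 || len == 0)
        return -1;
    int w = snprintf(out, outsz, "%u %u %u\n", ctr, host, len);
    return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
}

static int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Create a user namespace carrying map_line and return an fd to it. The child
 * only exists to keep the namespace alive while the parent writes the maps. */
static int make_userns(const char *map_line) {
    int pfd[2];
    if (pipe(pfd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(pfd[0]);
        if (unshare(CLONE_NEWUSER) < 0 || write(pfd[1], "x", 1) != 1) _exit(1);
        close(pfd[1]);
        pause();
        _exit(0);
    }
    close(pfd[1]);
    char c, path[64];
    int fd = -1;
    if (read(pfd[0], &c, 1) == 1) {
        snprintf(path, sizeof path, "/proc/%d/uid_map", pid);
        int ok = write_file(path, map_line) == 0;
        snprintf(path, sizeof path, "/proc/%d/gid_map", pid);
        ok = ok && write_file(path, map_line) == 0;
        snprintf(path, sizeof path, "/proc/%d/ns/user", pid);
        if (ok) fd = open(path, O_RDONLY | O_CLOEXEC);
    }
    close(pfd[0]);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return fd;
}

/* Clone the mount tree at src, attach the id mapping, and place it at dst.
 * Needs CAP_SYS_ADMIN in the mount's namespace and a filesystem that
 * supports idmapped mounts; otherwise mount_setattr fails with EPERM/EINVAL. */
static int idmap_mount(const char *src, const char *dst, int userns_fd) {
    int fd = (int)syscall(SYS_open_tree, AT_FDCWD, src,
                          X_OPEN_TREE_CLONE | X_AT_RECURSIVE | O_CLOEXEC);
    if (fd < 0) return -1;
    struct x_mount_attr attr = { .attr_set = X_MOUNT_ATTR_IDMAP,
                                 .userns_fd = (uint64_t)userns_fd };
    int rc = (int)syscall(SYS_mount_setattr, fd, "", X_AT_EMPTY_PATH,
                          &attr, sizeof attr);
    if (rc == 0)
        rc = (int)syscall(SYS_move_mount, fd, "", AT_FDCWD, dst,
                          X_MOVE_MOUNT_F_EMPTY_PATH);
    close(fd);
    return rc;
}

int main(int argc, char **argv) {
    char map[64];
    if (argc != 4 || format_idmap(argv[3], map, sizeof map) < 0) {
        fprintf(stderr, "usage: %s SRC DST CTR:HOST:LEN  (as root)\n", argv[0]);
        return 2;
    }
    int userns_fd = make_userns(map);
    if (userns_fd < 0 || idmap_mount(argv[1], argv[2], userns_fd) < 0) {
        perror("idmapped mount failed");
        return 1;
    }
    printf("%s visible at %s with map %s", argv[1], argv[2], map);
    return 0;
}
```

Run as root, e.g. `./idmap_mount /var/lib/x/lower /mnt/idmapped 0:100000:65536`: a file owned by host uid 100000 under the source then shows up as uid 0 under `/mnt/idmapped`, with nothing chowned on disk. This is also why the approach cannot work rootless: mount_setattr with MOUNT_ATTR_IDMAP needs CAP_SYS_ADMIN in the namespace that owns the filesystem's mount, which a rootless user namespace does not have, hence the recursive chown (or fuse-overlayfs) fallback discussed further down.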
That cockpit f40 failure was a temporary network outage. Please retry or ignore.
I had a look and it gets tricky in c/storage, as we will need to deal with an image mounted multiple times with different mappings. To avoid duplicating functionality we already have for handling containers, we could create a temporary storage container based on the desired image and specify the mappings there.
If I remember correctly, I saw a use case for rw image mounts which actually changes the image content, so if the changes are now temporary we would break that.
rw image mounts are just an overlay mounted on the image; the underlying image is never changed.
Ah right, I guess in this case a tmp storage copy container should be fine. I guess if we do that we could also chown the image by default to the right userns then? Because idmap will not work rootless.
Yes, it automatically uses recursive chown if there is no native idmap or fuse-overlayfs to do the mapping at runtime.
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
A friendly reminder that this PR had no activity for 30 days.