Strategies for using unprivileged podman as a build tool

moosingin3space · 2019-03-14T05:34:58.572Z

Hi! I’m excited for Silverblue, really like container-based workflows, and have been slowly transitioning my projects to use podman. One problem that I’m encountering is with a Yocto-based project – namely, the bitbake utility doesn’t like being run as root (inside the container). In order to please bitbake, I changed the in-container uid to 1001, but this created a weird situation where I was unable to write to any files created from inside the container on my host. (Right now, I’m running neovim on my host OS, and this is problematic because many of bitbake's companion tools require you to edit files it generates.) All the problematic files had permissions 0644 and were owned by uid 100999, which makes sense given the contents of /etc/subuid.

Is there a way I can work around this and assign container uid 1001 to my host uid? In the ideal case, I don’t need to modify /etc/subuid and can simply hand off my repository including a Makefile that calls out to podman to anyone with podman and user namespaces. Thanks!

refi64 · 2019-03-14T05:48:53.099Z

Welcome to the wonderful world of containers, we hope you enjoy your stay.

What if you make the in-container UID the same as your normal user, e.g. 1000? I’ve often done this with no trouble. Also, it may or may not be relevant, but what SELinux-related flags are you passing in?

As a side note, depending on what exactly you’re trying to accomplish, fedora-toolbox may be helpful.

moosingin3space · 2019-03-14T06:07:47.719Z

After your suggestion, my testing podman command-line is:

$ podman run --rm -it -v ${ROOT}/yocto:/app/yocto:Z \
    -v ${ROOT}/${BUILD_DIR}:/app/build:Z \
    -u $(id -u):$(id -g) \
    -w /app \
    /bin/bash

Inside the container, I attempted to touch a file in /app/build, and that failed with Permission denied. It turns out this doesn’t pass a permission check, since all the files in the volumes are owned by root inside the container.

To clarify, I’m not running this on Silverblue, just traditional Workstation, but I’m trying to prepare all my personal projects for an exciting Silverblue future.

refi64 · 2019-03-15T03:36:49.547Z

What if you either delete the volumes or sudo chown -R $USER directory them? They might still have some screwy permissions from before.

otaylor · 2019-03-15T15:41:28.849Z

moosingin3space:

Inside the container, I attempted to touch a file in /app/build , and that failed with Permission denied . It turns out this doesn’t pass a permission check, since all the files in the volumes are owned by root inside the container.

The default behavior for rootless podman is root inside the container is mapped to your user, and other UIDs in the container are mapped into high UID’s in your subuid range (see /etc/subuid). So you need to either:

work as the ‘root’ user inside the container (which is a bit weird for interactive usage)
change the mapping so that your UID is mapped to itself and the root UID is mapped to a high UID - see https://github.com/debarshiray/toolbox/blob/master/toolbox#L636 for how toolbox does it

If you note everything else that toolbox is doing to create a seamless interactive environment, you might want to consider just using toolbox toolbox has some initial support for multiple containers, which would allow for a project-specific toolbox, if you want to go that way, though the basic mode of toolbox is just to have a single “fedora 30” toolbox. We’d love to find out about anything you find missing or difficult with toolbox!

moosingin3space · 2019-03-16T02:11:09.167Z

Thank you so much, this works!

Yes, I understand toolbox is the right way to go here . That said, my goal here is to create a Makefile that is reasonably portable for non-Fedora users too. I’m hoping to be able to use something similar at work, where we all use Ubuntu.