
Idmapped mounts

[Open] saolof opened this issue 4 months ago · 1 comment

What is the problem you're trying to solve

Mapping a specific uid/gid pair inside the container to a specific user outside the container. For example, mapping the postgres uid/gid inside to a specific service account outside.

Describe the solution you'd like

Podman has two examples of commands that are more granular than --userns-remap, which is global.

One is --userns=keepid:uid=...,gid=... which maps the host user to a specific user inside the container, but that is a bit too tightly coupled to its fork/exec architecture.

The other, which would be a good fit for nerdctl, is idmapped mounts: the --volume and --mounts options allow you to define arbitrary bindings at the level of individual mounts. This is its documentation:

· idmap: true or false (default). If specified, create an idmapped mount to the target user namespace in the container. The idmap option supports a custom mapping that can be different than the user namespace used by the container. The mapping can be specified after the idmap option like: idmap=uids=0-1-10#10-11-10;gids=0-100-10. For each triplet, the first value is the start of the backing file system IDs that are mapped to the second value on the host. The length of this mapping is given in the third value. Multiple ranges are separated with #.

For the use case of running a database container this is exactly what you want most of the time.

Additional context

No response

saolof · Aug 17 '25 08:08

  1. Implementing --userns=keepid:uid=...,gid=... is fairly straightforward.
  2. For the second one (at --volume and --mounts) we will need to check out the implementation. Single-range mounts seem to be supported in containerd, but not multi-range mounts: https://github.com/containerd/containerd/blob/1ce8e1ca0e43ae5942c6b60906b653107c442ce9/core/mount/mount_linux.go#L34

So this would require a PR to that (https://github.com/containerd/containerd/blob/main/core/mount/mount_idmapped_utils_linux.go#L30); we would need to pass in the entire range of the idmapping to SysProcAttr.

Can pick this up.

Shubhranshu153 · Aug 19 '25 14:08
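As an added example (not nerdctl's or containerd's code), the following Go snippet is a strict parser for the idmap option grammar quoted in the issue (`idmap=uids=0-1-10#10-11-10;gids=0-100-10`), producing the per-range triplets that a multi-range implementation of the kind discussed in the second comment would hand to the mount code. It also rejects overlapping ranges and malformed fields, which the quoted documentation leaves implicit; the type and function names are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// IDMapRange is one "fs-host-length" triplet: Length IDs starting at FSStart on
// the backing file system are mapped to host IDs starting at HostStart.
type IDMapRange struct{ FSStart, HostStart, Length uint32 }

// parseRanges parses a "#"-separated list such as "0-1-10#10-11-10". It rejects
// malformed or zero-length triplets and ranges whose file-system side overlaps.
func parseRanges(s string) ([]IDMapRange, error) {
	end := func(r IDMapRange) uint64 { return uint64(r.FSStart) + uint64(r.Length) } // exclusive end, no uint32 wrap
	var out []IDMapRange
	for _, part := range strings.Split(s, "#") {
		var r IDMapRange
		// Sscanf rejects signs and uint32 overflow; the Sprintf round trip rejects trailing junk, spaces, leading zeros.
		n, err := fmt.Sscanf(part, "%d-%d-%d", &r.FSStart, &r.HostStart, &r.Length)
		if err != nil || n != 3 || r.Length == 0 ||
			fmt.Sprintf("%d-%d-%d", r.FSStart, r.HostStart, r.Length) != part {
			return nil, fmt.Errorf("range %q: want fs-host-length with length > 0", part)
		}
		for _, p := range out { // half-open interval overlap test
			if uint64(r.FSStart) < end(p) && uint64(p.FSStart) < end(r) {
				return nil, fmt.Errorf("range %q overlaps an earlier range", part)
			}
		}
		out = append(out, r)
	}
	return out, nil
}

// ParseIDMap parses "uids=0-1-10#10-11-10;gids=0-100-10" into lists keyed "uids"/"gids"; a key may be absent, never repeated.
func ParseIDMap(opt string) (map[string][]IDMapRange, error) {
	m := map[string][]IDMapRange{}
	for _, kv := range strings.Split(opt, ";") {
		key, val, ok := strings.Cut(kv, "=")
		if !ok || m[key] != nil || (key != "uids" && key != "gids") {
			return nil, fmt.Errorf("field %q: want uids=... or gids=...", kv)
		}
		rs, err := parseRanges(val)
		if err != nil {
			return nil, err
		}
		m[key] = rs
	}
	return m, nil
}
```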