
--user flag not respected under (rootless) podman

Open smithfred opened this issue 2 years ago • 2 comments

Regardless of the value of --user, pods started with (rootless) podman + krun have a UID/GID of 0 within the container.

krun:

> podman --runtime=krun run --user=1000:1000 --rm -it registry.fedoraproject.org/fedora sh -c 'id -u; id -g'
0
0

Another runtime (crun):

> podman --runtime=crun run --user=1000:1000 --rm -it registry.fedoraproject.org/fedora sh -c 'id -u; id -g'
1000
1000

smithfred, Feb 22 '23 17:02
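As an added defender-side check, not part of this issue or of the libkrun project, here is a small POSIX shell script that runs the reproduction above against a chosen runtime and reports whether the requested --user is actually honoured; PODMAN and IMAGE are assumed environment overrides so the same logic can be exercised against a stand-in command.

```shell
#!/bin/sh
# Added example (not from the issue or libkrun): confirm that a podman runtime
# honours --user before relying on an image's non-root hardening.
# PODMAN and IMAGE are assumed overrides; defaults match the issue's commands.
PODMAN="${PODMAN:-podman}"
IMAGE="${IMAGE:-registry.fedoraproject.org/fedora}"

# Start a throwaway container under runtime $1 with --user=$2:$3 and print the
# UID and GID the process really sees, as "uid gid" on one line.
observed_ids() {
    rt="$1"; uid="$2"; gid="$3"
    "$PODMAN" --runtime="$rt" run --user="$uid:$gid" --rm "$IMAGE" \
        sh -c 'id -u; id -g' | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when the runtime maps the process to the requested UID:GID,
# 1 when it does not (e.g. the process ends up as 0:0, as reported for krun).
check_user_honoured() {
    rt="$1"; uid="$2"; gid="$3"
    got=$(observed_ids "$rt" "$uid" "$gid")
    if [ "$got" = "$uid $gid" ]; then
        echo "$rt: --user=$uid:$gid honoured ($got)"
        return 0
    fi
    echo "$rt: --user=$uid:$gid NOT honoured, process runs as ${got:-unknown}" >&2
    return 1
}
```

Run it as `check_user_honoured krun 1000 1000` (or `crun`) on a host with podman; a non-zero exit means the hardening an image relies on is silently lost under that runtime.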

Yes, not all container semantics are supported in libkrun, but this one should be relatively easy to adopt. Could you please explain a bit the use case?

slp, Mar 02 '23 11:03

In general terms, this article covers a lot of the reasons for container images to still use a different user account even in rootless mode.

For me specifically, I was using a 3rd-party containerised application that was configured to run as a non-root user within the container. Edit: and more generally, 3rd-party containers that have been secured this way (with the expectation that they might be run under a rootful runtime) will break under libkrun otherwise.

smithfred, Mar 02 '23 14:03