Feature Request: Support user namespaced containers

Open nyonson opened this issue 2 years ago • 4 comments

Is your feature request related to a problem? Please describe. Podman (and maybe Docker?) now supports user namespaced containers. There are security benefits to running containers this way instead of depending on a root-ful daemon. User namespaced containers change how user/group ids are mapped between the host and container systems. This means that the USERID and GROUPID variables passed around in Polar's docker files no longer work as expected in user namespaced containers and the containers fail to start.

Describe the solution you'd like I am not sure the best way to support user namespaced containers while not breaking current patterns, but ideally some setting could disable the USERID/GROUPID variables and let the standard mapping take over.

Additional context For now I think I can get around this by building my own containers which just drop the current entrypoint logic to map USERID/GROUPID.

nyonson avatar Aug 10 '21 22:08 nyonson

Thanks for pointing this out @nyonson. I was not aware of these user namespaced containers. The current way that Polar handles user permissions is not ideal, but it was the only way I could get it working across all 3 platforms at the time. I'll have to investigate more on Podman/Docker namespaces to see if it's possible to improve or simplify the implementation. Appreciate it 👍

jamaljsr avatar Aug 11 '21 18:08 jamaljsr

The part of the current implementation which doesn't play nice with rootless containers is how the users are created dynamically in the docker-entrypoint.sh script. That requires the containers to start out running as root in order to create the new users. Could we instead base the user creation into the Dockerfile and use the User field in the docker-compose definition?

nyonson avatar Sep 08 '21 21:09 nyonson
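As an added illustration (not code from Polar or from anyone in this thread) of the "let the standard mapping take over" idea raised above: an entrypoint fragment that performs the USERID/GROUPID remap only when it really is root in the initial user namespace, and otherwise runs the command untouched so the kernel's user-namespace mapping is left alone. The uid_map samples are constructed; the Alpine-style addgroup/adduser calls, the /home/app path and the su-exec privilege-drop helper are assumptions, not Polar's actual image layout.

```sh
#!/bin/sh
# Added example (not Polar's own entrypoint): decide at container start whether
# the USERID/GROUPID remapping makes sense, and skip it under a rootless /
# user-namespaced runtime so the kernel's standard mapping takes over.
#
# Heuristic: the remap is only possible when we are really root (euid 0) and
# /proc/self/uid_map shows the identity map of the initial user namespace,
# "0 0 4294967295". A rootless Podman container instead shows something like
# "0 1000 1" followed by "1 100000 65536" (container root -> the host user).

# Constructed sample uid_map contents, used by the demo loop at the bottom.
SAMPLE_ROOTFUL_MAP="         0          0 4294967295"
SAMPLE_ROOTLESS_MAP="         0       1000          1
         1     100000      65536"

# in_initial_userns MAP: succeed if MAP is the identity map of the initial ns.
in_initial_userns() {
    first=$(printf '%s\n' "$1" | awk 'NR==1 { print $1, $2, $3 }')
    [ "$first" = "0 0 4294967295" ]
}

# should_remap MAP EUID USERID: succeed only when the runtime remap is both
# requested and feasible; fail (so the caller skips it) otherwise.
should_remap() {
    uid_map=$1
    euid=$2
    want_uid=$3
    [ -n "$want_uid" ] || return 1     # no USERID given: nothing to do
    [ "$euid" -eq 0 ] || return 1      # not root: usermod/chown would fail anyway
    in_initial_userns "$uid_map"       # rootless: leave the mapping to the kernel
}

# entrypoint_main: the shape of an entrypoint using the check. Defined but not
# invoked here. addgroup/adduser (busybox/Alpine syntax), /home/app and su-exec
# are assumptions; substitute whatever the image actually ships.
entrypoint_main() {
    if should_remap "$(cat /proc/self/uid_map)" "$(id -u)" "${USERID:-}"; then
        # Rootful daemon: create the requested user at runtime, fix ownership,
        # then drop privileges before running the service.
        addgroup -g "${GROUPID:-$USERID}" app 2>/dev/null || true
        adduser -D -u "$USERID" -G app app 2>/dev/null || true
        chown -R "$USERID:${GROUPID:-$USERID}" /home/app
        exec su-exec "$USERID:${GROUPID:-$USERID}" "$@"
    fi
    # Rootless / user-namespaced: from the container's point of view we are
    # already the right uid, so run the service as-is.
    exec "$@"
}

# Demo on the constructed samples: same request, different runtimes.
for m in "$SAMPLE_ROOTFUL_MAP" "$SAMPLE_ROOTLESS_MAP"; do
    if should_remap "$m" 0 1000; then
        echo "euid 0, USERID=1000: remap"
    else
        echo "euid 0, USERID=1000: skip remap (rootless)"
    fi
done
```

This keeps the current rootful behaviour intact while letting a rootless Podman run (for example with `--userns=keep-id`, so the in-container uid equals the host uid) bypass the runtime usermod/chown step. It still requires the image to start as root for the rootful path; creating the user at build time and setting the compose `user:` field, as proposed above, would remove even that requirement.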

Could we instead base the user creation into the Dockerfile and use the User field in the docker-compose definition?

My bad @nyonson, I haven't had a chance to look into this. I don't know if this would be possible atm.

jamaljsr avatar Sep 20 '21 20:09 jamaljsr

I'm interested in trying to get this to work. Any tips to get started?

amackillop avatar Mar 23 '24 02:03 amackillop