How to handle --editable for rootless Podman
When working in support for Podman, I noticed that the tests `tests/unit/test_editable.py::test_editable` and `tests/unit/test_editable.py::test_editable_by_host` would fail.
The tests fail due to
/usr/local/bin/change.sh: line 3: newfile: Permission denied
This is because Podman runs, by default, as rootless. When Podman and Docker run as rootless, we have

```mermaid
flowchart TB
    subgraph container[rootless container]
        container-root[root UID=0]
        jovyan[jovyan UID=1000]
    end
    subgraph host
        host-root[root UID=0]
        alice[alice UID=1000]
        bob[bob UID=1001]
        repo2docker[repo2docker UID=101000]
    end
    alice-->container-root
    repo2docker-->jovyan
```
A file that is owned by alice will not be accessible to jovyan.
The recommendation in these cases is to run Jupyter in the container as root, but this should be done by the user.
How do others think that repo2docker should behave?
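As an added illustration of the UID translation the diagram above describes (this is example code, not part of repo2docker or Podman): it parses a user-namespace map in the format the kernel exposes at `/proc/<pid>/uid_map` and shows why a checkout owned by alice is not writable by jovyan, while it is by the container's root. The sample map, and the subuid range starting at 100001, are constructed assumptions chosen so the figures match the diagram; a real range comes from `/etc/subuid`.

```python
"""Translate UIDs across a rootless container's user namespace.

Each line of /proc/<pid>/uid_map reads:
    <first id inside the namespace> <first id on the host> <count>
"""
from typing import List, Optional, Tuple

# Kernel default for IDs with no mapping (see /proc/sys/kernel/overflowuid).
OVERFLOW_UID = 65534

# Constructed sample (assumed values): host user alice, UID 1000, runs rootless
# Podman with a subuid range starting at 100001, so that host 101000 lands on
# container UID 1000 exactly as in the diagram.
SAMPLE_UID_MAP = """\
         0       1000          1
         1     100001      65536
"""


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Return (inside, outside, count) triples; reject malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in uid_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def host_to_container(uid_map, host_uid: int) -> int:
    """UID a host-owned file appears as inside the container (overflow if unmapped)."""
    for inside, outside, count in uid_map:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return OVERFLOW_UID


def container_to_host(uid_map, container_uid: int) -> Optional[int]:
    """Host UID a container process really runs as; None if it has no host identity."""
    for inside, outside, count in uid_map:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def owns_as(uid_map, file_host_uid: int, container_uid: int) -> bool:
    """True if a process at container_uid is the owner of a file owned by file_host_uid on the host."""
    return host_to_container(uid_map, file_host_uid) == container_uid
```

Running `podman unshare cat /proc/self/uid_map` prints the map for your own rootless setup, which you can feed to `parse_uid_map` instead of the sample.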
I think it's reasonable to say editable can't be used with a rootless container unless it's run as rootless "root", since you've chosen to partially break the isolation that full rootless offers.
When reading more of the code, I found https://github.com/jupyterhub/repo2docker/blob/4992a432e35bf0943f20fdb0dc1e00b21779f412/repo2docker/main.py#L426-L435 saying that
Root as the primary user in the image is not permitted.
I think we should keep this issue open, and consider allowing a container to run as root.