Matt Heon

Results: 291 comments by Matt Heon

@vrothberg PTAL, I know you've been doing some work in this area. @freva Any chance you can try with a more-recent Podman (3.4.x ideally)? We've definitely made some improvements already...

IMO, based on that, errors like this are better handled in CRI-O. So long as c/storage makes a consistent error return in cases like this, we can catch and discard...

On the Podman side, we have already announced that cgv1 is deprecated as of our 5.0 upstream release, and we are actively warning users on v1 distros that support will...

To elaborate on the kernel/FS work: Right now, for a single user namespace, images are chown'd as they are pulled to make them match the UID ranges that are mapped...

I tend to disagree on tying into `--security-opt` given that we already have a flag for user namespaces. To escape a user namespace, you pass `--userns=host`, so it would seem...

I think that's OK now. We don't release to RHEL8 anymore. 9 can switch to CGv1 but it's not the default. 5 officially deprecated CGv1 support.

There is also the potential of a race against something else adding rules, though that something can't be Netavark because of locking.

Yep, hoping to get to this over the next few weeks

@Honny1 might have time to work on this?