terenceli

Results 14 comments of terenceli

Hi, I'm also very interested in this feature request. Any updated information?

@avagin @ayushr2 So I see podman has a config `--userns=keep-id`. I think we may also need this config. We want the application in the Sentry to have the same view as on the host...

@ayushr2 Thanks for your explanation. I tried the first method, with the steps as follows: install newuidmap and newgidmap; runsc OCI spec: ``` { "ociVersion": "1.0.0", "process": { "user": {...

@ayushr2 I just did some tests. As I said previously, the gofer process calls `unix.RawSyscall(unix.SYS_SETUID, 0, 0, 0)`. But as we set up a 1000:1000 userns...

@ayushr2 Your second pointer just reminded me of the question of whether the non-root process's child, which is in a new userns, will have full capabilities. After reading the doc and doing some...

> I think this issue was fixed by [c6a1db5](https://github.com/google/gvisor/commit/c6a1db5baec7616983b14ac06e84bee45330a9d3). Can you please confirm?

@ayushr2 This commit's code runs after the bug occurs, so it can't fix this issue.

> @apyrgio @terenceli could you try out #9798?

@avagin In my case it doesn't work. I did some analysis; the issue happens here: https://github.com/google/gvisor/blob/master/runsc/cmd/gofer.go#L394C21-L394C21 Your fix code is...

> > Your fix code is after it.
>
> You are right. I created a Fedora VM to reproduce the issue, but runsc failed differently there.
>
> >...

> Oh, that's great! Thanks a lot for the progress on this front.
>
> @terenceli, just to be sure, did this fix work within a rootless Podman container, as...

@apyrgio I have tried this patch using Podman. With SELinux set to Permissive, it works, and with SELinux enabled, it doesn't work. @avagin Could you submit a PR to upstream?...