default gid map not allowed error when uid != gid #1072
I'll try to reproduce here. This code path is not very well tested because usually crun runs already in a user namespace.
Understood. It's not something that really affects us a great deal. Calling from outside a userns, and without providing uid/gid mappings is just a bit of a stepping stone in something I've been working up... not something that we'll really be doing long term, but I thought I'd report the issue. The situation arises on a CircleCI instance with id mapping files as below:
Thanks!
fix creating the default user namespace when the GID on the host is different than the UID and there is not already a mapping specified in the OCI configuration. Closes: containers#1072 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
thanks for the extra information, opened a PR here: #1073
Ensure e2e tests for oci actions use user profile. Set uid/gid mappings explicitly. We need to do this anyway, going forward, but here it works around: containers/crun#1072
Ensure e2e tests for oci actions use user profile. Set uid/gid mappings explicitly. We need to do this anyway, going forward, but here it works around: containers/crun#1072 Signed-off-by: Edita Kizinevic <edita.kizinevic@cern.ch>
At the following line...
crun/src/libcrun/linux.c, line 2808 in bebd67f
... the code creating a default gid mapping, when a mapping is not provided in the config.json, appears to be using `container_gid` to `host_uid` instead of `container_gid` to `host_gid`.
Edit - though I see this... a16fb8c so I'm probably not finding the whole picture here.
This often succeeds as in simple setups a user commonly has a primary group with a gid that is the same numerically as their uid. However when this is not the case:
...and the config.json requests this gid...
... then execution will fail, because the mapping is incorrect...