closes: #27411
Adjust SUB_UID and SUB_GID ranges to support running rootless Podman inside a rootless run Podman container.
Also add a test to verify the change and prevent regression.
By default, a new user is assigned the following sub-ID ranges:
SUB_UID_MIN=100000, SUB_GID_MIN=100000, SUB_UID_COUNT=65536, SUB_GID_COUNT=65536
This means the user’s sub-UID and sub-GID ranges are 100000–165535.
When the container is run rootless with the user defined below, ID mappings occur as follows:
- Container ID 0 (root) maps to user ID 1000 on the host (which is the user created below).
- Container IDs 1–65536 map to IDs 100000–165535 on the host (the subid range previously mentioned).
If a new user is created inside this container (to build containers for example), it will
attempt to use the default sub-ID range (100000–165535). However, this exceeds the container’s
available ID mapping, since only IDs up to 65536 are mapped. This causes nested rootless Podman
to fail.
To enable container-in-container builds, the sub-ID ranges for the user must be large enough
to provide at least 65536 usable IDs. A minimum SUB_UID_COUNT and SUB_GID_COUNT of 165536 is
required, but 1,000,000 is used here to provide additional margin.
1,000,000 matches the subid range other machines are using, defined in [ignition.go](69b397af49/pkg/machine/ignition/ignition.go (L284-L289)).
The scripts of other machines modify the subid files directly for one user; the `sed` command used in
this fix mimics that.
The test is added as an extension to the 'simple init with username' test case, to prevent having
to create a new VM.
Signed-off-by: dvorst <87502756+dvorst@users.noreply.github.com>
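The ID-range arithmetic from the commit message, as an added Go example (not part of this PR or of Podman): it sums a user's subid entries and checks whether a nested rootless user with the default range (SUB_UID_MIN=100000, SUB_UID_COUNT=65536) fits inside the outer container's mapping. SampleSubUID is a constructed file, and the function names are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SampleSubUID is constructed, not a real file: "core" has the default 65536
// sub-IDs, "builder" the 1,000,000 this fix assigns.
const SampleSubUID = "core:100000:65536\nbuilder:100000:1000000\n"

// SubIDCount sums the sub-IDs that a subid file ("user:start:count" lines,
// as in /etc/subuid and /etc/subgid) grants to user.
func SubIDCount(content, user string) (int, error) {
	total := 0
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		count, err := strconv.Atoi(f[len(f)-1])
		if len(f) != 3 || err != nil || count <= 0 {
			return 0, fmt.Errorf("malformed subid line %q", line)
		}
		if f[0] == user {
			total += count
		}
	}
	if total == 0 {
		return 0, fmt.Errorf("no subid entry for %q", user)
	}
	return total, nil
}

// NestedRootlessFits: the outer user's sub-IDs back container IDs 1..outerCount
// (ID 0 is the user itself), so the nested user's last sub-ID must not exceed it.
func NestedRootlessFits(outerCount, innerMin, innerCount int) bool {
	return innerMin+innerCount-1 <= outerCount
}

// CanNestRootless applies both checks with the nested user's defaults (100000, 65536).
func CanNestRootless(content, user string) (bool, error) {
	count, err := SubIDCount(content, user)
	if err != nil {
		return false, err
	}
	return NestedRootlessFits(count, 100000, 65536), nil
}
```

With the default 65536 sub-IDs the check fails (the nested range would need container IDs up to 165535), while the 1,000,000 this fix writes passes.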
Running the machine tests
This document is a quick how-to for running the machine tests. Not all dependencies, like
gvproxy, are documented. You must install gvproxy in all cases described
below.
General notes
Environment must be clean
You must not have any machines defined before running tests. Consider running
podman machine reset prior to running tests.
Scoping tests
You can scope tests in the machine suite by adding various incantations of
FOCUS=. For example, add FOCUS_FILE=basic_test.go to only run the basic tests, or
add FOCUS="simple init with start" to only run one test case. On Windows, the
syntax differs slightly; there, executing something like the following achieves
the same result:
./winmake localmachine "basic_test.go start_test.go"
To focus on one specific test on Windows, run ginkgo manually:
$remotetags = "remote exclude_graphdriver_btrfs containers_image_openpgp"
$focus_file = "basic_test.go"
$focus_test = "podman build contexts"
./test/tools/build/ginkgo.exe `
-v --tags "$remotetags" -timeout=90m --trace --no-color `
--focus-file $focus_file `
--focus "$focus_test" `
./pkg/machine/e2e/.
Note that ginkgo.exe is built when running the command
winmake.ps1 localmachine, so make sure to run it before trying the command
above.
Linux
QEMU
make localmachine
Microsoft Windows
Hyper-V
- Open a powershell as admin
.\winmake.ps1 podman-remote && .\winmake.ps1 win-gvproxy
$env:CONTAINERS_HELPER_BINARY_DIR="$pwd\bin\windows"
$env:CONTAINERS_MACHINE_PROVIDER="hyperv"
.\winmake localmachine
WSL
- Open a powershell as a regular user
.\winmake.ps1 podman-remote && .\winmake.ps1 win-gvproxy
$env:CONTAINERS_HELPER_BINARY_DIR="$pwd\bin\windows"
$env:CONTAINERS_MACHINE_PROVIDER="wsl"
.\winmake localmachine
MacOS
Macs now support two different machine providers: applehv and libkrun. The
libkrun provider is the default.
Note: On macOS, an error will occur if the path length of $TMPDIR is longer
than 22 characters, so set $TMPDIR to a suitably short path. Also, if
$TMPDIR is empty, /private/tmp will be used.
Apple Hypervisor
brew install vfkit
make podman-remote
export CONTAINERS_MACHINE_PROVIDER="applehv"
make localmachine
Libkrun
brew install krunkit
make podman-remote
make localmachine