On Wed, Sep 13, 2023 at 05:07:27PM +0200, Ján Tomko wrote:
> On a Tuesday in 2023, Daniel P. Berrangé wrote:
> > On Tue, Sep 12, 2023 at 04:05:04PM +0200, Ján Tomko wrote:
> > > On a Monday in 2023, Daniel P. Berrangé wrote:
> > > > I would expect libvirt to "do the right thing" and automatically load
> > > > the /etc/subuid data for the current user and NOT require any extra
> > > > XML mapping to be set for unprivileged usage.
> > > >
> > >
> > > So, by default libvirt would assume that unprivileged
> > > accessmode='passthrough' means "use the whole range for my user
> > > from /etc/subuid"?
> > >
> > > Podman treats /etc/subuid as a pool and chooses a 64K range that is
> > > (to its knowledge) unused. I'm undecided whether that would also be
> > > a reasonable option for a default.
> >
> > I thought podman simply used the entry that is in /etc/subuid
> > as is:
>
> D'oh. Right. By default it uses --userns=host, which behaves as you
> describe.
>
> What I described is --userns=auto behavior, suggested in the bug
> discussion:
> https://bugzilla.redhat.com/show_bug.cgi?id=2034630#c8

What I'm also missing is understanding what component enforces that
you have grabbed a range that is actually present for your user in
/etc/subuid, as opposed to grabbing a range belonging to a different
user. Something must enforce that, otherwise it is a total free for
all and /etc/subuid is largely pointless.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
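
The containment check the message asks about, as an added example that is not part of the original message and is not libvirt or podman code: it parses text in the /etc/subuid format (owner:first_id:count) and accepts a requested range only if it lies wholly inside the ranges delegated to that user. The function names and the sample entries are constructed for illustration, and owners are matched by login name only.

```python
# Added example: validate a requested subordinate-UID range against /etc/subuid-style data.
from typing import List, Tuple

# Constructed sample in /etc/subuid format (owner:first_id:count); not from a real host.
SAMPLE_SUBUID = """\
# constructed entries
alice:100000:65536
bob:165536:65536
alice:231072:65536
carol:300000:1000
carol:301000:1000
broken-line
"""

def parse_subuid(text: str, owner: str) -> List[Tuple[int, int]]:
    """Return the merged half-open [start, end) ranges delegated to `owner`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or fields[0] != owner:
            continue  # malformed line, or an entry for another user
        try:
            start, count = int(fields[1]), int(fields[2])
        except ValueError:
            continue  # non-numeric id or count
        if start >= 0 and count > 0:
            ranges.append((start, start + count))
    ranges.sort()
    merged: List[Tuple[int, int]] = []
    for start, end in ranges:
        if merged and start <= merged[-1][1]:
            # Adjacent or overlapping entries for the same owner form one range.
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def range_allowed(text: str, owner: str, start: int, count: int) -> bool:
    """True only if [start, start+count) lies wholly inside owner's ranges."""
    if start < 0 or count <= 0:
        return False
    end = start + count
    return any(lo <= start and end <= hi for lo, hi in parse_subuid(text, owner))
```

A check like this only means something when it runs in a component the unprivileged caller cannot bypass; run by the caller itself it is advisory.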