Alin Dobre <alin.dobre@xxxxxxxxxxxxxxxx> writes:

> Hello,
>
> Continuing the struggle to run containers over the 9p filesystem I am
> now running into another issue.
>
> A simple container with user namespace mapping UID -2 (4294967294) to
> root can run a container image found in /tmp/src without any problems.
> When I export that /tmp/src path via 9p and mount it in /tmp/dst,
> running the same container over /tmp/dst fails to allow chown (and
> probably chmod) system calls to be successful. This happens because 9p
> considers that the UID which runs the system calls is actually -2, but
> it's actually 0, because the lchown system call is run inside the
> namespace, not outside it. So, 9p should consider that the UID which
> does the system call is root.

No, the UID is actually -2. (-2 is a little dangerous to use because
sometimes -2 is used for the nobody user and similar special purposes.)

There is some minor relaxation of the rules in the vfs to allow changing
to a uid you have mapped in your user namespace. Which is why chown
works at all.

> Do I understand this correctly as a problem, or does it work as
> intended? If the latter, do you have any insights on how to achieve running
> containers in this scenario?

If the permission check is made on the kernel with user namespaces we
can reasonably make it work. Otherwise we can not.

That is a danger of using remote filesystems: they can sometimes have
weird arbitrary rules you were not expecting.

Eric