
Comments (12)

giuseppe commented on August 28, 2024

The behavior from runc:
$ runc run config.json
ERRO[0000] User namespaces enabled, but no uid mappings found.
User namespaces enabled, but no uid mappings found.

The runc error message is different from crun's. runc is complaining about no mapping being present in the config.json file. Instead, crun behaves differently and automatically tries to configure a user namespace for rootless containers (just today I've documented it: https://github.com/containers/crun/blob/master/crun.1.md#automatically-create-user-namespace).

Just to confirm it, is there any uidMapping specified in the config.json you've provided to runc?

from crun.

joaompinto commented on August 28, 2024

I am using the stock config.json provided by "crun spec --rootless", extended with the "user" namespace to avoid the warning from "automatically-create-user-namespace". There is no uidMapping in config.json.


giuseppe commented on August 28, 2024

Thanks, so I confirm that the error message in runc refers to the lack of uidMappings in the config.json file.


joaompinto commented on August 28, 2024

I will submit a PR for crun to report "rootless requires the user defined in /etc/subuid and /etc/subgid" when they are missing.


rhatdan commented on August 28, 2024

Well crun will run fine without those entries.


joaompinto commented on August 28, 2024

Please note that crun did not run fine on my system. Without those files, I got:
2019-11-08T13:14:26.000942292Z: mount 'devpts' to '/home/jpinto/tmp/rootfs/dev/pts': Invalid argument


olbender commented on August 28, 2024

I'm also getting this
$ crun spec --rootless
$ crun --root /tmp/crun run mycontainerid
mount 'devpts' to '/home/somedude/mycontainer/rootfs/dev/pts': Invalid argument

Even after reading the documentation and the comments here it's still a bit hard to understand what this means and how it can be addressed. Can the documentation be slightly extended, or the error message more informative as suggested above?

crun --version
crun version 0.11.42-937e
commit: 937e642f846af78d8be0054d6a1c4626a42f1040
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL

Kernel: 5.4.6-arch3-1 (Arch Linux)

$ zcat /proc/config.gz | grep CONFIG_USER_NS=
CONFIG_USER_NS=y
$ cat /proc/sys/kernel/unprivileged_userns_clone
1
I guess these are needed, as they are for runc?


giuseppe commented on August 28, 2024

the safest is probably to drop gid=5 when creating the configuration for a rootless user, so it works also when there are no multiple IDs available.

Would you like to open a PR to address it?


olbender commented on August 28, 2024

Sure, one moment.


ZeroPointEnergy commented on August 28, 2024

> the safest is probably to drop gid=5 when creating the configuration for a rootless user, so it works also when there are no multiple IDs available.

I just came across this issue because I am trying to run a program in a rootless container that checks for devpts to be mounted with gid=5. 🙃

Shouldn't this only be dropped if there really are not multiple IDs available, so it still resembles a regular system as closely as possible?


giuseppe commented on August 28, 2024

> Shouldn't this only be dropped if there really are not multiple IDs available, so it still resembles a regular system as closely as possible?

Are you referring to the config.json file generated by crun spec? That file should be intended only as a template you can customize; it is definitely up to the crun caller (which in most cases is a container engine like Podman or Docker) to create the correct configuration. If you have multiple IDs available, you can skip the --rootless flag :) I think the default config file works well for rootless users, just make sure to add a user namespace. If no mappings are specified, crun will assign the additional IDs specified for your user.

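Added example (not code from crun or from anyone in this thread): a Python check that reports gid= mount options, such as the gid=5 on devpts, that fall outside the GIDs mapped into the user namespace, which is the situation where the mount fails with "Invalid argument". It assumes the automatic mapping described in the crun documentation linked above (caller mapped to ID 0, subordinate IDs from /etc/subgid added from ID 1); the function names, the user "alice" and the sample inputs are constructed for illustration.

```python
import json

# Constructed sample: a devpts mount carrying gid=5 and a user namespace with
# no mappings (not a verbatim copy of `crun spec --rootless` output).
SAMPLE_CONFIG = json.loads("""
{"mounts": [{"destination": "/dev/pts", "type": "devpts", "source": "devpts",
             "options": ["nosuid", "noexec", "newinstance", "gid=5"]}],
 "linux": {"namespaces": [{"type": "user"}, {"type": "mount"}]}}
""")

def subid_ranges(text, user, uid):
    """Parse /etc/subuid or /etc/subgid content (name_or_uid:start:count)."""
    ranges = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] in (user, str(uid)):
            ranges.append((int(fields[1]), int(fields[2])))
    return ranges

def mapped_container_gids(config, subgid_text, user, uid):
    """Return (first, count) container-side GID ranges that will be mapped."""
    explicit = config.get("linux", {}).get("gidMappings") or []
    if explicit:
        return [(m["containerID"], m["size"]) for m in explicit]
    # Assumption: automatic mode maps the caller to container ID 0 and packs
    # the user's subordinate ranges contiguously starting at container ID 1.
    total = sum(count for _, count in subid_ranges(subgid_text, user, uid))
    return [(0, 1 + total)]

def unmapped_mount_gids(config, subgid_text, user, uid):
    """List (destination, gid) for mounts whose gid= option is not mapped."""
    ranges = mapped_container_gids(config, subgid_text, user, uid)
    problems = []
    for mount in config.get("mounts", []):
        for opt in mount.get("options", []):
            if opt.startswith("gid="):
                gid = int(opt[4:])
                if not any(lo <= gid < lo + n for lo, n in ranges):
                    problems.append((mount["destination"], gid))
    return problems

if __name__ == "__main__":
    # Constructed inputs: an empty /etc/subgid, then one 65536-ID range.
    print(unmapped_mount_gids(SAMPLE_CONFIG, "", "alice", 1000))
    print(unmapped_mount_gids(SAMPLE_CONFIG, "alice:100000:65536\n", "alice", 1000))
```

To check a real system, pass the parsed config.json and the contents of /etc/subgid for the user that starts the container.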

ZeroPointEnergy commented on August 28, 2024

Ah ok, then it is podman that I have to look at. Thanks for the explanations.
