Podman

Rootless podman does not need the user to belong to any specific group.

User namespaces are the key. The man page says ...

User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs, the root directory, keys (keyrings), and capabilities. A process's user and group IDs can be different inside and outside a user namespace. In particular, a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.

The maximum number of user namespaces allowed can be seen with (on my Fedora-32) ...

$ sysctl -ar max_user_namespaces
user.max_user_namespaces = 47371

The actual ID mappings for each user are recorded in the /etc/subuid and /etc/subgid files. Again, the subuid man page says ...

Each line in /etc/subuid contains a user name and a range of subordinate user ids that user is allowed to use. This is specified with three fields delimited by colons (":"). These fields are:

  · login name or UID
  · numerical subordinate user ID
  · numerical subordinate user ID count

Multiple ranges may be specified per user.

On my Fedora-32 system, it shows ...

$ cat /etc/subuid /etc/subgid
parijath:100000:65536
parijath:100000:65536

It means that, on the host, the UIDs and GIDs used by my (rootless, per-user) podman containers are going to come from the range 100000 to 165535.
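As an added example (not from the original post), a small POSIX shell script that parses subuid-style lines and works out the host UID range behind them, and then applies the default rootless podman mapping of a container UID to a host UID (container root becomes the user's own UID, container UIDs 1..count become the subordinate range). The sample lines, the second login "alice" and the host UID 1000 are assumptions.

```shell
#!/bin/sh
# Constructed sample of /etc/subuid content (assumed, not read from a real host).
SUBUID_SAMPLE='parijath:100000:65536
alice:165536:65536'

# Print "start count" for a login name from subuid-formatted text.
subuid_range() {
    printf '%s\n' "$SUBUID_SAMPLE" |
        awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# Host UID range available to a login, printed as "first last".
host_uid_range() {
    set -- $(subuid_range "$1")
    [ -n "$1" ] || return 1
    echo "$1 $(( $1 + $2 - 1 ))"
}

# Map a container UID to the host UID under rootless podman's default mapping:
#   container UID 0            -> the user's own host UID
#   container UID n (1..count) -> subordinate start + n - 1
# Fails (prints nothing) when the container UID lies outside the mapped range.
container_to_host_uid() {
    own_uid=$2
    cuid=$3
    set -- $(subuid_range "$1")
    [ -n "$1" ] || return 1
    if [ "$cuid" -eq 0 ]; then
        echo "$own_uid"
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$2" ]; then
        echo $(( $1 + cuid - 1 ))
    else
        return 1
    fi
}

# Demo: the range from the post and a few mappings for the assumed host UID 1000.
echo "parijath host UID range: $(host_uid_range parijath)"
for n in 0 1 65536; do
    echo "container UID $n -> host UID $(container_to_host_uid parijath 1000 "$n")"
done
```

On a real host, `podman unshare cat /proc/self/uid_map` shows the mapping podman actually applied, which is the thing to compare these numbers against.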

podman version gives a short summary (including the golang version it was built with). podman info gives a much more detailed configuration overview.

Category: Go