storage: Document force_mask UID 0 mapping requirement #742
Open
ipilcher wants to merge 2 commits into containers:main from
Conversation
Signed-off-by: Ian Pilcher <arequipeno@gmail.com>
Member
And more importantly, thanks for the PR @ipilcher!
Author
I seem to have bollixed everything up by hitting GitHub's "Commit suggestion" button. EDIT: I think I managed to fix it.
Signed-off-by: Ian Pilcher <arequipeno@gmail.com> Co-authored-by: Tom Sweeney <tsweeney@redhat.com>
011492b to 526cbe9
mtrmac reviewed Apr 9, 2026
| "force_mask" permissions. | ||
| - When force_mask is used in rootless mode with explicit UID mappings (e.g., `--uidmap`), the container's UID 0 must map to the host user's UID. fuse-overlayfs (see "mount_program" below) creates a FUSE mount that that is only accessible to the user who created it (the user running podman in this case). If UID 0 within the container is mapped to a different host UID (such as a subordinate UID from /etc/subuid), the OCI runtime (which runs in the user namespace) will not be able to access the FUSE mount. | ||
| - When force_mask is used in rootless mode with explicit UID mappings (e.g., `--uidmap`), the container's UID 0 must map to the host user's UID. The fuse-overlayfs (see "mount_program" below) storage driver creates a FUSE mount accessible only to the user who created it (the user running podman in this case). If UID 0 within the container is mapped to a different host UID (such as a subordinate UID from /etc/subuid), the OCI runtime (which runs in the user namespace) will not be able to access the FUSE mount. |
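Review bot: the added line calls fuse-overlayfs a "storage driver", but in containers-storage.conf the driver is `overlay` and fuse-overlayfs is the program named by `mount_program`, so the new wording clashes with the file's own vocabulary; suggest keeping the subject as the program, e.g. `fuse-overlayfs (see "mount_program" below) creates a FUSE mount that is only accessible to the user who created it`, which also preserves the fix for the doubled "that that" in the removed line. It would also help the reader to state the condition positively rather than only its violation, e.g. that the UID mapping must contain an entry that maps container UID 0 to the host UID of the user running podman (for `--uidmap`, an entry of the form `0:<host UID>:1`, where `<host UID>` is that user's UID).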
Contributor
fuse-overlayfs is a filesystem implementation, not a “storage driver” in the c/storage sense (overlay/vfs/btrfs). Maybe “filesystem”? “process”? Or revert to the previous version, which can be ambiguous about what exactly the thing is?
`force_mask` doesn't work in rootless mode when the container's UID 0 is mapped to something other than the host UID of the user running the container. This PR adds a note about this requirement to `containers-storage.conf.5.md`.
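As an added example, not part of this PR or of containers/storage, here is a small POSIX shell check for the requirement the PR documents: given a set of `--uidmap` specs in podman's `container_uid:host_uid:count` form, it verifies that container UID 0 lands on the host UID that will own the fuse-overlayfs FUSE mount (normally the UID of the user running podman). The function name and the sample mappings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the PR). Checks that podman --uidmap specs map
# container UID 0 to the host UID that owns the fuse-overlayfs mount, which
# is the condition force_mask needs in rootless mode.
#
# Usage: uid0_maps_to_host HOST_UID SPEC...
#   SPEC is container_uid:host_uid:count (podman's --uidmap format).
# Exit status: 0 = UID 0 maps to HOST_UID, 1 = it maps elsewhere or not at all,
#              2 = malformed spec.
uid0_maps_to_host() {
    want="$1"
    shift
    for spec in "$@"; do
        # Every spec must have exactly the three colon-separated fields.
        case "$spec" in
            *:*:*) ;;
            *) echo "malformed uidmap spec: $spec" >&2; return 2 ;;
        esac
        cuid=${spec%%:*}
        rest=${spec#*:}
        huid=${rest%%:*}
        count=${rest#*:}
        case "$cuid$huid$count" in
            *[!0-9]*) echo "non-numeric field in spec: $spec" >&2; return 2 ;;
        esac
        # A range covers container UID 0 only if it starts at 0 and is non-empty.
        if [ "$cuid" -eq 0 ] && [ "$count" -ge 1 ]; then
            if [ "$huid" -eq "$want" ]; then
                return 0      # UID 0 -> the mount owner: force_mask will work
            fi
            return 1          # UID 0 -> some other host UID (e.g. a subuid)
        fi
    done
    return 1                  # no range maps container UID 0 at all
}

# Constructed demonstration against a made-up host UID of 1000.
# A mapping that keeps UID 0 on the running user and puts 1..65536 on subuids:
if uid0_maps_to_host 1000 "0:1000:1" "1:100000:65536"; then
    echo "ok: container UID 0 -> host 1000, force_mask usable"
fi
# A mapping that sends UID 0 into the subordinate range:
if ! uid0_maps_to_host 1000 "0:100000:65536"; then
    echo "not ok: container UID 0 -> host 100000, FUSE mount will be inaccessible"
fi
```

Run it against the real invocation with `uid0_maps_to_host "$(id -u)" <specs>`; a non-zero result means the mapping should be changed before relying on `force_mask` with `fuse-overlayfs` as the `mount_program`.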