* /etc/subuid and /etc/subgid support
@ 2024-07-28 15:55 paul
From: paul @ 2024-07-28 15:55 UTC (permalink / raw)
To: guix-devel
Hello guixers,
I just sent a couple of patches [0] adding a full Scheme implementation
of the bits of Shadow that read and write /etc/subuid and /etc/subgid,
and some logic to handle generic requests from users that don't care
about specific ranges but just want to have some subids.
The result is a simple Guix System service that allows users to set up
these files on their system. I hope this can be a sound foundation for
the rootless-podman-service-type that I plan to implement.
I'm pasting here an excerpt of the documentation.
The (gnu system shadow) module exposes the subids-service-type, its
configuration record subids-configuration and its extension record
subids-extension.
With subids-service-type, subuids and subgids ranges can be reserved for
users that desire so:
(use-modules (gnu system shadow)    ;for 'subids-service-type'
             (gnu system accounts)) ;for 'subid-range'

(operating-system
  (services
   (list
    (simple-service 'alice-bob-subids
                    subids-service-type
                    (subids-extension
                     (subgids
                      (list
                       (subid-range (name "alice"))))
                     (subuids
                      (list
                       (subid-range (name "alice"))
                       (subid-range (name "bob")
                                    (start 100700)))))))))
Users (definitely other services), usually, are supposed to extend the
service instead of adding subids directly to subids-configuration,
unless they want to change the default behavior for root. With default
settings the subids-service-type adds, if it's not already there, a
configuration for the root account to both /etc/subuid and /etc/subgid,
possibly starting at the minimum possible subid. Otherwise the root
subuids and subgids ranges are fitted wherever possible.
The above configuration will yield the following:
# cat /etc/subgid
root:100000:65536
alice:165536:65536
# cat /etc/subuid
root:100000:700
bob:100700:65536
alice:166236:65536
This is a request for comments both here and in issue #72337 so please
let me know what you think.
Thank you for your help,
giacomo
[0]: https://issues.guix.gnu.org/72337
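The allocation rule described in the message above (explicit starts are honoured, root is added at the lowest free subid, and everybody else is fitted wherever a full range fits) can be reconstructed from the two example files. The following is an added example, not code from the post or from the (gnu system shadow) module: it parses the name:start:count format, reports overlapping ranges (the misconfiguration a reviewer of /etc/subuid most wants to catch, since overlapping ranges let two accounts map the same host ids), and re-derives the exact /etc/subuid and /etc/subgid contents shown in the post. The constants SUBID_MIN, DEFAULT_COUNT and SUBID_MAX, the root-first placement order and the rule that only root's range may be shrunk to fit a gap are assumptions inferred from the post's output, not facts taken from the implementation.

```python
"""Reconstruction of the subid range fitting shown in the post (illustrative,
not the (gnu system shadow) implementation)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUBID_MIN = 100000      # assumption: lowest subid handed out (matches the post's output)
DEFAULT_COUNT = 65536   # assumption: default range size (matches the post's output)
SUBID_MAX = 4294967295  # assumption: 32-bit uid ceiling, only bounds the gap search


@dataclass
class SubidRange:
    name: str
    start: Optional[int] = None   # None means "just give me some subids"
    count: int = DEFAULT_COUNT

    @property
    def end(self) -> int:         # exclusive upper bound
        return self.start + self.count


def parse_subid_file(text: str) -> List[SubidRange]:
    """Parse the name:start:count lines of /etc/subuid or /etc/subgid."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count")
        name, start, count = fields[0], int(fields[1]), int(fields[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: start must be >= 0 and count > 0")
        ranges.append(SubidRange(name, start, count))
    return ranges


def overlaps(ranges: List[SubidRange]) -> List[Tuple[str, str]]:
    """Return (name, name) pairs whose ranges intersect: two accounts sharing
    host ids is the misconfiguration to reject."""
    placed = sorted(ranges, key=lambda r: r.start)
    return [(a.name, b.name) for a, b in zip(placed, placed[1:]) if b.start < a.end]


def first_gap(placed: List[SubidRange], count: int, shrink: bool = False,
              lower: int = SUBID_MIN) -> Tuple[int, int]:
    """Lowest start >= lower with room for `count` ids.  With shrink=True a
    smaller gap is accepted and the range is cut down to it (the behaviour the
    post's root:100000:700 line shows)."""
    cursor = lower
    for r in sorted(placed, key=lambda r: r.start):
        if r.end <= cursor:
            continue
        gap = r.start - cursor
        if gap > 0 and (gap >= count or shrink):
            return cursor, min(count, gap)
        cursor = max(cursor, r.end)
    if cursor + count - 1 > SUBID_MAX:
        raise ValueError(f"no room for a range of {count} ids")
    return cursor, count


def fit_ranges(requests: List[SubidRange]) -> List[SubidRange]:
    """Place the requested ranges: explicit starts first (they must not
    overlap), then root if nobody asked for it, then the rest in request
    order.  Returns the ranges sorted by start, as the files are written."""
    explicit = [SubidRange(r.name, r.start, r.count) for r in requests if r.start is not None]
    bad = overlaps(explicit)
    if bad:
        raise ValueError(f"explicit ranges overlap: {bad}")
    pending = [SubidRange(r.name, None, r.count) for r in requests if r.start is None]
    if not any(r.name == "root" for r in requests):
        pending.insert(0, SubidRange("root"))  # assumption: root placed first
    placed = explicit
    for r in pending:
        r.start, r.count = first_gap(placed, r.count, shrink=(r.name == "root"))
        placed.append(r)
    return sorted(placed, key=lambda r: r.start)


def render(ranges: List[SubidRange]) -> str:
    """Serialise ranges in the /etc/subuid line format."""
    return "".join(f"{r.name}:{r.start}:{r.count}\n" for r in ranges)


if __name__ == "__main__":
    # The two requests from the post's operating-system snippet.
    print(render(fit_ranges([SubidRange("alice")])), end="")            # subgid
    print(render(fit_ranges([SubidRange("alice"), SubidRange("bob", 100700)])), end="")  # subuid
```

Running it prints the same root/bob/alice lines the post lists for both files; feeding an existing file through parse_subid_file and overlaps is a quick sanity check that a hand-edited or service-generated /etc/subuid has no two accounts claiming the same ids.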
* Re: /etc/subuid and /etc/subgid support
From: Ludovic Courtès @ 2024-08-12 14:19 UTC (permalink / raw)
To: paul; +Cc: guix-devel
Hi Paul,
paul <goodoldpaul@autistici.org> wrote:
> I just sent a couple of patches [0] adding a full Scheme
> implementation of the bits of Shadow that read and write /etc/subuid
> and /etc/subgid, and some logic to handle generic requests from users
> that don't care about specific ranges but just want to have some
> subids.
I haven’t looked into the patch yet, but it sounds like a much needed
improvement to me.
Were you able to use ‘newuidmap’ etc. with this? I experimented with it
a while back (specifically adding support for it in
‘call-with-container’) and found myself giving up before I could get it
to work.
Thanks,
Ludo’.
* Re: /etc/subuid and /etc/subgid support
From: paul @ 2024-08-20 23:36 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
Hi Ludo’,
I'm not very familiar with newuidmap, but with this service and the
rootless Podman one from issue #72740 [0] I'm able to:
1. run the following rootless Podman hello world:
$ podman run -it --rm docker.io/alpine cat /etc/*release*
...
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.20.2
PRETTY_NAME="Alpine Linux v3.20"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
2. and with guix shell podman compose I'm able to run this Podman
compose hello world [1]:
$ mkdir data
$ echo hello world > data/index.html
$ podman compose up -d
...
exit code: 0
$ curl localhost:8080
hello world
Please refer to issue #72740 for more details.
I hope this helps in answering your question.
giacomo
[0]: https://issues.guix.gnu.org/72740
[1]: https://github.com/fishinthecalculator/rootless-podman-nginx-static-server