Message-ID: <CABzL1gYnYrLQsEMOUY27XvcR3ZLnnOmrPv=_fHPNwJ3v+Mrg6w@mail.gmail.com>
Date: Wed, 9 Apr 2025 00:47:49 +0530
From: Pravin Shedage <pravinshedage2008@...il.com>
To: linux-ext4@...r.kernel.org
Cc: brauner@...nel.org
Subject: Help with Real-world Usage of ID-Mapped Mounts with Docker on Ubuntu 24.04
Hi Christian,
Hi ext4 mailing list,
I'm currently exploring the ID-mapped mount feature in a real-world
scenario and looking for guidance on setting it up in combination with
Docker containers on an Ubuntu 24.04 host (kernel 6.8).
My goal is to use ID-mapped mounts with an ext4 filesystem to achieve:
- Seamless user access (no need to chown directories to match container UIDs)
- Security (containers see files as "owned", but the host retains real
ownership)
- Multi-user safety (same directory can be exposed to different
containers with different user views)
- Mount once, map many (flexibly remount the same data for different
users securely)
I have referred to the LWN article “User ID mappings and mounted
filesystems” (https://lwn.net/Articles/896255/) to better understand
the feature and its intended use cases.
### Setup
On the host:
$ ls -l /mnt/ext4/users/
drwxr-xr-x 3 test1-user test1-user 4096 Apr 8 12:14 test1-user
drwxr-xr-x 2 test2-user test2-user 4096 Apr 8 10:57 test2-user
Created two ID-mapped bind mounts:
$ sudo mount --bind -o X-mount.idmap=b:0:1001:1 /mnt/ext4/users/test1-user /mnt/ext4_1
$ sudo mount --bind -o X-mount.idmap=b:0:1002:1 /mnt/ext4/users/test2-user /mnt/ext4_2
$ mount | grep /mnt/ext4
/dev/vdf on /mnt/ext4 type ext4 (rw,relatime)
/dev/vdf on /mnt/ext4_1 type ext4 (rw,relatime,idmapped)
/dev/vdf on /mnt/ext4_2 type ext4 (rw,relatime,idmapped)
Docker subuid/subgid are configured:
$ cat /etc/subuid
pravin-user:100000:65536
test1-user:165536:65536
test2-user:231072:65536
Scenario 1: ID-mapped mount used in container (FAILS)
docker run -it --rm --userns=host --user 0:0 \
--mount type=bind,source=/mnt/ext4_1,target=/mnt/ext4_1 \
test-container bash
Inside the container:
# ls -l
drwxr-xr-x 2 nobody nogroup 4096 Apr 8 12:14 dir1
-rw-r--r-- 1 nobody nogroup 0 Apr 8 12:14 file1
# touch file2
touch: cannot touch 'file2': Value too large for defined data type
Scenario 2: Using unshare with ID-mapped mount (FAILS)
$ sudo mount --bind -o X-mount.idmap=b:0:1001:1 /mnt/ext4/users/test1-user /mnt/ext4_1
$ sudo unshare -Urnm bash
# docker run -it --rm --mount type=bind,source=/mnt/ext4_1,target=/mnt/ext4_1 test-container bash
Same "Value too large for defined data type" error occurs when trying
to write to the directory.
Scenario 3: Map directly to container UID (WORKS, but defeats purpose)
$ sudo mount --bind -o X-mount.idmap=b:1001:1001:1 /mnt/ext4/users/test1-user /mnt/ext4_1
$ docker run -it --rm --userns=host --user 1001:1001 \
--mount type=bind,source=/mnt/ext4_1,target=/mnt/ext4_1 \
test-container bash
This works (I can create files), but it doesn't use the 0-based
remapping that ID-mapped mounts are designed to provide—so the
flexibility and isolation benefits are lost.
Question
Is there a recommended way to make ID-mapped mounts usable inside
Docker containers in this scenario?
- Am I missing a userns configuration in Docker that would allow the
container root (UID 0) to correctly map to the host UID used
in the bind mount?
- Should the bind mount target be made inside a container-specific
user namespace before starting the container?
- Or is this a current limitation of Docker's handling of user
namespaces + idmapped mounts?
I'd really appreciate any pointers on making this work in a secure,
multi-user, real-world container setup.
Thanks a lot for your time and for all the work on this feature—it has
great potential for secure container setups!
Thanks & Regards
PraviN