lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251230201629.GB4062669@ax162>
Date: Tue, 30 Dec 2025 13:16:29 -0700
From: Nathan Chancellor <nathan@...nel.org>
To: Guillaume Tucker <gtucker@...cker.io>
Cc: Miguel Ojeda <ojeda@...nel.org>, David Gow <davidgow@...gle.com>,
	Onur Özkan <work@...rozkan.dev>,
	Arnd Bergmann <arnd@...db.de>, linux-kernel@...r.kernel.org,
	rust-for-linux@...r.kernel.org, linux-kbuild@...r.kernel.org,
	automated-testing@...ts.yoctoproject.org, workflows@...r.kernel.org,
	llvm@...ts.linux.dev
Subject: Re: [PATCH v2 2/2] Documentation: dev-tools: add container.rst page

Hi Guillaume,

On Sun, Dec 21, 2025 at 09:13:33PM +0100, Guillaume Tucker wrote:
> On 18/12/2025 1:49 pm, Guillaume Tucker wrote:
> > +User IDs
> > +========
> > +
> > +This is an area where the behaviour will vary slightly depending on the
> > +container runtime.  The goal is to run commands as the user invoking the tool.
> > +With Podman, a namespace is created to map the current user id to a different
> > +one in the container (1000 by default).  With Docker, while this is also
> > +possible with recent versions it requires a special feature to be enabled in
> > +the daemon so it's not used here for simplicity.  Instead, the container is run
> > +with the current user id directly.  In both cases, this will provide the same
> > +file permissions for the kernel source tree mounted as a volume.  The only
> > +difference is that when using Docker without a namespace, the user id may not
> > +be the same as the default one set in the image.
> > +
> > +Say, we're using an image which sets up a default user with id 1000 and the
> > +current user calling the ``container`` tool has id 1234.  The kernel source
> > +tree was checked out by this same user so the files belong to user 1234.  With
> > +Podman, the container will be running as user id 1000 with a mapping to id 1234
> > +so that the files from the mounted volume appear to belong to id 1000 inside
> > +the container.  With Docker and no namespace, the container will be running
> > +with user id 1234 which can access the files in the volume but not in the user
> > +1000 home directory.  This shouldn't be an issue when running commands only in
> > +the kernel tree but it is worth highlighting here as it might matter for
> > +special corner cases.
> 
> This part of the docs explains why things are a bit different between
> Podman and Docker.  In both cases, it should "just work" from a user
> point of view - just with some special corner cases.  Let me know if
> you thing the documentation needs to be improved.

Ah, I had missed that on my skim through of the documentation plus I did
not have it side by side with the script while I was reviewing it.

> I may add a runtime check as a follow-up to detect if namespaces are
> enabled in Docker and if so use them, but to get started I wanted to
> keep things as simple as possible.

Yeah, I agree with keeping things simple up front.

Cheers,
Nathan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ