lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <61379dc4-2031-4f94-9709-dd5608cdb780@gtucker.io>
Date: Thu, 22 Jan 2026 11:13:39 +0100
From: Guillaume Tucker <gtucker@...cker.io>
To: Nicolas Schier <nsc@...nel.org>
Cc: Nathan Chancellor <nathan@...nel.org>, Miguel Ojeda <ojeda@...nel.org>,
 David Gow <davidgow@...gle.com>, Onur Özkan
 <work@...rozkan.dev>, Arnd Bergmann <arnd@...db.de>,
 linux-kernel@...r.kernel.org, rust-for-linux@...r.kernel.org,
 linux-kbuild@...r.kernel.org, automated-testing@...ts.yoctoproject.org,
 workflows@...r.kernel.org, llvm@...ts.linux.dev
Subject: Re: [PATCH v3 2/2] Documentation: dev-tools: add container.rst page

Hi Nicolas,

On 20/01/2026 2:53 pm, Nicolas Schier wrote:
>> +User IDs
>> +========
>> +
>> +This is an area where the behaviour will vary slightly depending on the
>> +container runtime.  The goal is to run commands as the user invoking the tool.
>> +With Podman, a namespace is created to map the current user id to a different
>> +one in the container (1000 by default).  With Docker, while this is also
>> +possible with recent versions it requires a special feature to be enabled in
>> +the daemon so it's not used here for simplicity.  Instead, the container is run
>> +with the current user id directly.  In both cases, this will provide the same
>> +file permissions for the kernel source tree mounted as a volume.  The only
>> +difference is that when using Docker without a namespace, the user id may not
>> +be the same as the default one set in the image.
>> +
>> +Say, we're using an image which sets up a default user with id 1000 and the
>> +current user calling the ``container`` tool has id 1234.  The kernel source
>> +tree was checked out by this same user so the files belong to user 1234.  With
>> +Podman, the container will be running as user id 1000 with a mapping to id 1234
>> +so that the files from the mounted volume appear to belong to id 1000 inside
>> +the container.  With Docker and no namespace, the container will be running
>> +with user id 1234 which can access the files in the volume but not in the user
>> +1000 home directory.  This shouldn't be an issue when running commands only in
>> +the kernel tree but it is worth highlighting here as it might matter for
>> +special corner cases.
> I tested a tiny bit with podman as runtime backend.  If I leave out the
> '-r podman' podman's docker emulation is in effect and fails with:
> 
>      $ scripts/container -i docker.io/tuxmake/korg-clang -- make LLVM=1 -j8 olddefconfig
>      Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
>      mkdir: cannot create directory '.tmp_15': Permission denied
>      mkdir: cannot create directory '.tmp_19': Permission denied
>      mkdir: cannot create directory '.tmp_22': Permission denied
>      mkdir: cannot create directory '.tmp_25': Permission denied
>      mkdir: cannot create directory '.tmp_28': Permission denied
>      mkdir: cannot create directory '.tmp_31': Permission denied
>        HOSTCC  scripts/basic/fixdep
>      error: error opening 'scripts/basic/.fixdep.d': Permission denied
>      1 error generated.
>      make[2]: *** [scripts/Makefile.host:114: scripts/basic/fixdep] Error 1
>      make[1]: *** [/src/Makefile:655: scripts_basic] Error 2
>      make: *** [Makefile:248: __sub-make] Error 2
>      [exit code 2]
> 
> But with '-r podman' it works like a charm.
> 
> Would it make sense to switch the default runtime to podman to
> prevent non-functional podman-docker emulation?  (Or is this just a
> problem on my machine?)

Yes, I just had a quick look as I'm not familiar with the setup to
run Docker commands on top of the Podman backend.  So I'll swap the
order like Nathan suggested so that Podman takes priority over Docker
and add a note to the docs.  It's on the list of improvements and
I'll work on a proper fix once the initial version of the tool has
landed, assuming this is not a blocking issue.

Thanks for trying it out and reporting this use case.

Cheers,
Guillaume

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ