Hacker News new | ask | show | jobs
by NekkoDroid 145 days ago
nspawn containers aren't really any different to regular system images/archives other than they don't need a kernel.

I don't think the setting is exposed to regular service units (it might be able to in the future, I don't know) and I don't think podman has any integration with it.

What kinda service do you have where you need a full range of UIDs?
1 comments
plagiarist 145 days ago
I don't need a full range. I would just like to run podman under a non-root user using regular system services. Especially where a persistent volume or bind mount is involved.

Let's say Home Assistant. It would be nice to have a have some system user "homeassistant" with no home directory that owns the process and owns its /var/whereever/config.conf . It would be nice to have the isolation on host in addition to the isolation via container. But I don't want to be rebuilding any containers to get that, unless I am misunderstanding something on nsresourced.

I'd be really pleased with that setup. MQTT could be its own system user. And HA could depend on MQTT so I have nice startup behavior. Etc.

IDK how to have system users like this run a container without the subuid range. Even when I create the users with ranges in the file, there seems to be problems with informing systemd (as a non-root user) that the running process is different from the one it started.

link
NekkoDroid 145 days ago
podman quadlet doesn't seem to support running at a "system level" as a non-root user, at least according to their docs[0]. I assume they make some assumptions which wouldn't hold up if the user actually changed when running at a system level, dunno.

> But I don't want to be rebuilding any containers to get that, unless I am misunderstanding something on nsresourced.

Setting up the user namespace would be part of the container manager and not the containers themselves, so they shouldn't need any rebuilding or special handling (possibly the files might need to be shifted into the "foreign ID" range[1, 2], but I might be lying with this and this isn't necessary for this usecase) but the container manager needs to be specifically make use of nsresourced.

I really think currently the best option is to go with either systemd as your "container manager" (e.g. just regular system files with sandboxing or nspawn images or maybe systemd-portabled[3]) or podman as your container manager. As much as I too would love to mix them, I don't think it's the best idea (at least in the current state) and just go with what is more suited for the task (in your case it sounds like podman would be the most suited option).

> there seems to be problems with informing systemd (as a non-root user) that the running process is different from the one it started.

Yea, I don't think systemd likes double forking. The best option would be to keep the process that spawned your actual process alive until the child exists and just bubble up the exit code. There is the `PIDFile=` option with `Type=forking`, but I haven't used it, nor looked much into it.

[0]: https://docs.podman.io/en/v5.7.1/markdown/podman-systemd.uni...

[1]: https://www.freedesktop.org/software/systemd/man/latest/syst...

[2]: https://systemd.io/UIDS-GIDS/#special-systemd-uid-ranges

[3]: https://systemd.io/PORTABLE_SERVICES/

link