ilab-wrapper: Run podman with sudo #713
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rhatdan
reviewed
Aug 1, 2024
omertuc
force-pushed
the
sudo
branch
4 times, most recently
from
8d5fcf3 to
dc2d390
Compare
omertuc
requested review from
MichaelClifford,
sallyom,
lmilbaum,
cgwalters and
Gregory-Pereira
as code owners
rhatdan
reviewed
Aug 1, 2024
rhatdan
reviewed
Aug 1, 2024
training/ilab-wrapper/ilab
Outdated
| /etc/subuid) | ||
|
|
||
| # TODO: Handle multiple subuid ranges, for now, hard fail | ||
| if [[ $(echo "$CURRENT_USER_SUBUID_RANGE" | wc -l) != 1 ]]; then |
There was a problem hiding this comment.
$(wc -l <<< ${CURRENT_USER_SUBUID_RANGE})
There was a problem hiding this comment.
FYI this doesn't work because Here-Strings always have a newline appended to them
rhatdan
reviewed
Aug 1, 2024
training/ilab-wrapper/ilab
Outdated
| if [[ -z "$CURRENT_USER_SUBUID_RANGE" ]]; then | ||
| echo "No subuid range found for user $CURRENT_USER_NAME ($UID)" | ||
| else | ||
| echo "Multiple subuid ranges found for user $CURRENT_USER_NAME ($UID):" |
There was a problem hiding this comment.
Might want to use printf rather then echo.
There was a problem hiding this comment.
Similar to above this should go to stderr
There was a problem hiding this comment.
Any particular reason you think we should use printf?
There was a problem hiding this comment.
Makes writing multi line messages easier. But It is not a big deal.
rhatdan
reviewed
Aug 1, 2024
rhatdan
reviewed
Aug 1, 2024
| @@ -8,21 +8,54 @@ export ENTRYPOINT="/opt/python3.11/venv/bin/ilab" | |||
| export PARAMS=("$@") | |||
|
|
|||
| for dir in "$HOME/.cache" "$HOME/.config" "$HOME/.local"; do | |||
|
Needs rebase. |
# Background The ilab command is wrapped by an `ilab` script which launches ilab inside a podman container. # Issue Since the ilab container image is pulled during the bootc image build process using the root user, the image is not accessible to non-root users. # Solution We run the container as sudo in order to be able to access the root container storage. But for security reasons we map root UID 0 inside the container to the current user's UID (and all the other subuids to the user's /etc/subuid range) so that we're effectively running the container as the current user. # Additional changes Changed `"--env" "HOME"` to `"--env" "HOME=$HOME"` to pass the HOME environment variable from the current shell and not from the sudo environment. # Future work In the future, we will run podman as the current user, once we figure a reasonable way for the current user to access the root's user container storage Signed-off-by: Omer Tuchfeld <[email protected]>
|
Force pushed for rebase & resolving review comments |
|
LGTM |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Solves RHELAI-740
Background
The ilab command is wrapped by an
ilabscript which launches ilab inside a podman container.Issue
Since the ilab container image is pulled during the bootc image build process using the root user, the image is not accessible to non-root users.
Solution
We run the container as sudo in order to be able to access the root container storage. But for security reasons we map root UID 0 inside the container to the current user's UID (and all the other subuids to the user's /etc/subuid range) so that we're effectively running the container as the current user.
Additional changes
Changed
"--env" "HOME"to"--env" "HOME=$HOME"to pass the HOME environment variable from the current shell and not from the sudo environment.Future work
In the future, we will run podman as the current user, once we figure a reasonable way for the current user to access the root's user container storage