On Wed, Sep 13, 2023 at 04:14:55PM +0100, Daniel P. Berrangé wrote:
On Wed, Sep 13, 2023 at 05:07:27PM +0200, Ján Tomko wrote:
> On a Tuesday in 2023, Daniel P. Berrangé wrote:
> > On Tue, Sep 12, 2023 at 04:05:04PM +0200, Ján Tomko wrote:
> > > On a Monday in 2023, Daniel P. Berrangé wrote:
> > > > I would expect libvirt to "do the right thing" and automatically load
> > > > the /etc/subuid data for the current user and NOT require any extra
> > > > XML mapping to be set for unprivileged usage.
> > > >
> > >
> > > So, by default libvirt would assume that unprivileged
> > > accessmode='passthrough' means "use the whole range for my user
> > > from /etc/subuid"?
> > >
> > > Podman treats /etc/subuid as a pool and chooses a 64K range that is
> > > (to its knowledge) unused. I'm undecided whether that would also be
> > > a reasonable option for a default.
> >
> > I thought podman simply used the entry that is in /etc/subuid
> > as is:
>
> D'oh. Right. By default it uses --userns=host, which behaves as you
> describe.
>
> What I described is --userns=auto behavior, suggested in the bug
> discussion:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2034630#c8

What I'm also missing is understanding what component enforces that
you have grabbed a range that is actually present for your user
in /etc/subuid, as opposed to grabbing a range belonging to a
different user.

Something must enforce that, otherwise it is a total free-for-all
and /etc/subuid is largely pointless.

Ah, virtiofsd is invoking newuidmap, which is a program with the
'setuid' capability flag set on its binary. This lets us do the
privileged /proc/uidmap setup on behalf of virtiofsd and validates
the /etc/subuid ranges.

I think libvirt could, by default, read /etc/subuid and pick a
64k range from it, if it had more than 64k available. In future
we could track the ranges to keep them unique per instance, but
for now even the simple picking is better than requiring a manual
user config every time.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
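The three mechanics the message above talks about, as an added example that is my own code and not libvirt's, podman's or shadow-utils': parsing /etc/subuid for one user, rejecting a uid_map whose host-side ranges are not granted to that user (the check newuidmap performs, which is what stops the free-for-all), and picking a 64K chunk from what is granted. The sample /etc/subuid is constructed, the helper names are hypothetical, and it assumes the owner field may be a user name or a numeric uid. pick_range goes one step past the simple picking proposed: given the chunks already handed to other instances, it skips them, which is the per-instance tracking the mail defers.

```python
"""Parse /etc/subuid, validate a uid_map against it, pick a 64K range.

Added illustration; not libvirt, podman or shadow-utils code.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample /etc/subuid.  The last owner is a numeric uid
# rather than a name (assumption: both forms are accepted).
SAMPLE_SUBUID = """\
# owner:start:count
alice:100000:65536
bob:165536:65536
alice:231072:131072
1005:362144:1000
"""


@dataclass(frozen=True)
class SubidRange:
    start: int
    count: int

    @property
    def end(self) -> int:
        """One past the last id in the range."""
        return self.start + self.count

    def covers(self, start: int, count: int) -> bool:
        return count > 0 and self.start <= start and start + count <= self.end

    def overlaps(self, other: "SubidRange") -> bool:
        return self.start < other.end and other.start < self.end


def parse_subuid(text: str, user: str, uid: Optional[int] = None) -> List[SubidRange]:
    """Ranges granted to `user`, matched by name or (if given) numeric uid."""
    ranges: List[SubidRange] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"subuid line {lineno}: expected owner:start:count")
        owner, start, count = fields
        if owner != user and (uid is None or owner != str(uid)):
            continue
        rng = SubidRange(int(start), int(count))
        if rng.count <= 0:
            raise ValueError(f"subuid line {lineno}: count must be positive")
        ranges.append(rng)
    return ranges


# (inside, outside, count) triples, the order /proc/<pid>/uid_map uses.
UidMap = List[Tuple[int, int, int]]


def validate_uid_map(mapping: UidMap, allowed: Iterable[SubidRange]) -> None:
    """Refuse any host-side (outside) range not inside ONE granted range.
    Without this check an unprivileged caller could map another user's ids."""
    granted = list(allowed)
    for _inside, outside, count in mapping:
        if not any(r.covers(outside, count) for r in granted):
            raise PermissionError(
                f"host uids {outside}..{outside + count - 1} not granted in /etc/subuid")


def pick_range(allowed: Iterable[SubidRange], size: int = 65536,
               in_use: Iterable[SubidRange] = ()) -> SubidRange:
    """First `size`-id chunk of the granted ranges that overlaps nothing in
    `in_use`.  With `in_use` empty this is the simple picking proposed in
    the mail; passing other instances' chunks keeps picks unique."""
    busy = list(in_use)
    for rng in allowed:
        start = rng.start
        while start + size <= rng.end:
            cand = SubidRange(start, size)
            clash = [b for b in busy if cand.overlaps(b)]
            if not clash:
                return cand
            start = max(b.end for b in clash)  # skip past the collision
    raise LookupError(f"no free run of {size} ids in /etc/subuid for this user")


def uid_map_lines(mapping: UidMap) -> str:
    """Render what would be written to /proc/<pid>/uid_map."""
    return "".join(f"{i} {o} {c}\n" for i, o, c in mapping)


if __name__ == "__main__":
    mine = parse_subuid(SAMPLE_SUBUID, "alice")
    chunk = pick_range(mine)
    mapping: UidMap = [(0, chunk.start, chunk.count)]
    validate_uid_map(mapping, mine)
    print(uid_map_lines(mapping), end="")
    try:
        validate_uid_map([(0, 165536, 65536)], mine)  # bob's range, must fail
    except PermissionError as err:
        print("rejected:", err)
```

The straddling case is the one to watch: a map starting inside alice's first range but running into bob's is refused even though both ends belong to someone, because no single granted range covers it.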