kube generate/play restores the user namespace configuration #23249
Conversation
looks like this doesn't work via remote
Branch force-pushed from c801e6e to 1b539e2.
Branch force-pushed from aca6d44 to cac5914.
```shell
if is_rootless; then
    grep -E -q "^$(id -un):" /etc/subuid || skip "no IDs allocated for current user"
else
    grep -E -q "^containers:" /etc/subuid || skip "no IDs allocated for user 'containers'"
```
All these tests are skipped in CI btw, seems there are a lot of them so we likely should fix that for our CI setup to add the containers entry (not for this PR of course).
created #23383 for that
@containers/podman-maintainers PTAL
it increases readability as it doesn't need the negation, and the first branch is shorter. Signed-off-by: Giuseppe Scrivano <[email protected]>
Signed-off-by: Giuseppe Scrivano <[email protected]>
The pod spec HostUsers boolean only specifies whether a user namespace is used or not. Hence, the podman specific annotation must have a higher precedence since it defines how the user namespace is created. Signed-off-by: Giuseppe Scrivano <[email protected]>
if there is an annotation that specifies the user namespace for the infra container, then make sure it is used for the entire pod. Signed-off-by: Giuseppe Scrivano <[email protected]>
currently there is no way to specify the mappings, so at least treat a private user namespace as "auto". Signed-off-by: Giuseppe Scrivano <[email protected]>
Branch force-pushed from cac5914 to d8d8e93.
Cockpit tests failed for commit d8d8e9331fda63fc28bd4f3cffcd8216d47264ae. @martinpitt, @jelly, @mvollmer please check.
Signed-off-by: Giuseppe Scrivano <[email protected]>
Branch force-pushed from d8d8e93 to 7b8a56b.
Cockpit tests failed for commit 7b8a56b0bd954a7caa63ddaeacd37e17512ca9cc. @martinpitt, @jelly, @mvollmer please check.
@thrix : Halp! Today we are getting a flood of failed stratis and podman test failures like this due to a broken shadow-utils. The broken 4.15.1-8.fc41 was unpushed last night and this update fixes it. But tmt machines are somehow stuck with the broken one. Can the image be refreshed or something similar? Why doesn't the upgrade pick up the new version from the tag repo? Thanks! @Luap99 FYI -- selinux/firewalld yesterday, shadow-utils today, argh rawhide
@thrix: unping -- I'm able to hack around that on the client side, see cockpit-project/cockpit-podman#1801 . That should land within the next 30 mins or so, after that rawhide should go green again.
Landed the shadow-utils b0rkage workaround. For the recent podman PRs where you care, please retry the rawhide failure. Thanks!
validate that a "podman generate" and "podman play" cycle restores the specified user namespace. Signed-off-by: Giuseppe Scrivano <[email protected]>
Branch force-pushed from 7b8a56b to d9c2806.
LGTM
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, Luap99 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/lgtm
A few fixes to improve how "kube generate" and "kube apply" deal with user namespaces.
Now the yaml generated by "kube generate" stores the user namespace configuration for the pod, which is later used by "kube apply".
Closes: https://issues.redhat.com/browse/RHEL-13033
Does this PR introduce a user-facing change?
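The precedence rule spelled out in the commit messages above (the pod spec `hostUsers` boolean only says whether a user namespace is used, the podman annotation says how it is created, and a private namespace with no mappings is treated as "auto") can be written down as a small decision function. The following is an added example, not podman's own code from this PR; the annotation key name and the `"host"` label for the shared-namespace case are assumptions made for the illustration.

```python
"""Illustration of how `kube play` could resolve the user namespace for a pod
from the generated YAML.  Example code, not podman's implementation.

Assumptions (not stated on the page):
  * the podman-specific annotation key is io.podman.annotations.userns
  * a private user namespace with no explicit mapping is played as "auto"
  * sharing the host's user namespace is reported as "host"
"""

USERNS_ANNOTATION = "io.podman.annotations.userns"  # assumed key name


def resolve_userns(pod_spec: dict, annotations: dict) -> str:
    """Return the userns mode `kube play` should apply to the whole pod.

    Rules mirrored from the PR's commit messages:
      1. The podman annotation wins, because it describes *how* the user
         namespace is created (auto, keep-id, nomap, ...), not just whether.
      2. Otherwise `hostUsers: false` asks for a private user namespace; the
         pod spec cannot carry the mappings, so that becomes "auto".
      3. `hostUsers: true` (or absent) means the host's user namespace.
    """
    userns = annotations.get(USERNS_ANNOTATION)
    if userns:
        return userns
    if pod_spec.get("hostUsers", True) is False:
        return "auto"
    return "host"


def annotations_for_generate(userns_mode: str) -> tuple[dict, dict]:
    """What `kube generate` has to emit so that a later `kube play`
    restores `userns_mode`: the annotation plus a consistent hostUsers."""
    if userns_mode in ("", "host"):
        return {}, {"hostUsers": True}
    return {USERNS_ANNOTATION: userns_mode}, {"hostUsers": False}


def round_trip(userns_mode: str) -> str:
    """Generate the YAML fields for a mode, then resolve them back."""
    annotations, spec = annotations_for_generate(userns_mode)
    return resolve_userns(spec, annotations)


if __name__ == "__main__":
    # Constructed inputs: a spec with hostUsers only, and one where the
    # annotation conflicts with hostUsers (the annotation must win).
    print(resolve_userns({"hostUsers": False}, {}))
    print(resolve_userns({"hostUsers": True}, {USERNS_ANNOTATION: "keep-id"}))
    for mode in ("auto", "keep-id", "nomap", "host"):
        assert round_trip(mode) == mode
```

The conflict case (`hostUsers: true` together with an annotation) is the one worth checking in a test: before the precedence change a reader of only the boolean would conclude no user namespace is wanted, while the annotation carries the actual configuration the user asked for at `generate` time.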