
nixos.users-groups: Set up subuid/subgid mappings for all normal users #86278

Merged
merged 2 commits into from Jul 13, 2020

Conversation

adisbladis
Member

@adisbladis adisbladis commented Apr 29, 2020

This is required by (among others) Podman to run containers in rootless mode.

Other distributions such as Fedora and Ubuntu already set up these mappings.

The scheme with a start UID/GID offset starting at 100000 and increasing in 65536 increments is copied from Fedora.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

cc @saschagrunert @vdemeester @zowoq @grahamc @alyssais
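The allocation scheme the description names (first range at 100000, one 65536-wide range per normal user) and the invariant any generator of /etc/subuid and /etc/subgid has to hold, as an added example in Python. This is not code from nixpkgs or from this PR: NixOS implements it in the Perl script update-users-groups.pl and persists its allocations across rebuilds. The `User` class, the function names and the sample users below are constructed for the illustration.

```python
"""Fedora-style subuid/subgid allocation for normal users.

Added example, not the nixpkgs code. It shows the scheme named in the PR
(start at 100000, one 65536-wide range per normal user) together with the
checks a generator of /etc/subuid and /etc/subgid should make: no range may
overlap another user's range or contain a real uid. The User class and all
sample users are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SUB_ID_START = 100000   # first subordinate id (PR description)
SUB_ID_COUNT = 65536    # ids handed to each normal user (PR description)
UID_MAX = 2**32 - 2     # (uid_t)-1 is the kernel's "no id" sentinel

Entry = Tuple[str, int, int]   # (user, start, count): one /etc/subuid line


@dataclass
class User:
    name: str
    uid: int
    is_normal_user: bool = False
    # Explicit (start, count) ranges: the analogue of the declarative
    # users.users.<name>.subUidRanges option mentioned in the thread.
    sub_uid_ranges: List[Tuple[int, int]] = field(default_factory=list)


def validate(entries: List[Entry], users: List[User]) -> List[str]:
    """Return a list of problems; an empty list means the table is safe.

    Overlap between two users' ranges would let one user's rootless
    container create files that map to ids inside the other user's
    namespace, which defeats the isolation the mapping is meant to give.
    """
    problems = []
    real_uids = {u.uid for u in users}
    spans = sorted((s, s + c - 1, n) for n, s, c in entries)
    for i, (lo, hi, name) in enumerate(spans):
        if hi > UID_MAX:
            problems.append(f"{name}: range {lo}-{hi} exceeds uid_t")
        hit = [u for u in real_uids if lo <= u <= hi]
        if hit:
            problems.append(f"{name}: range {lo}-{hi} contains real uid {hit[0]}")
        if i and spans[i - 1][1] >= lo and spans[i - 1][2] != name:
            problems.append(f"{name}: range {lo}-{hi} overlaps {spans[i - 1][2]}")
    return problems


def allocate(users: List[User]) -> List[Entry]:
    """Build /etc/subuid entries.

    Explicit ranges are emitted as declared for any user, normal or not.
    Normal users without explicit ranges get the next automatic slot.
    Raises ValueError if the resulting table fails validate().
    """
    entries: List[Entry] = []
    slot = 0
    for u in sorted(users, key=lambda u: u.uid):
        if u.sub_uid_ranges:
            entries.extend((u.name, s, c) for s, c in u.sub_uid_ranges)
        elif u.is_normal_user:
            entries.append((u.name, SUB_ID_START + slot * SUB_ID_COUNT, SUB_ID_COUNT))
            slot += 1
    problems = validate(entries, users)
    if problems:
        raise ValueError("; ".join(problems))
    return entries


def render(entries: List[Entry]) -> str:
    """Format entries in the name:start:count syntax of /etc/subuid."""
    return "".join(f"{n}:{s}:{c}\n" for n, s, c in entries)


if __name__ == "__main__":
    # Constructed sample: two normal users and one system user with an
    # explicitly declared range, which the thread says remains possible.
    sample = [
        User("alice", 1000, is_normal_user=True),
        User("bob", 1001, is_normal_user=True),
        User("podman-svc", 995, sub_uid_ranges=[(300000, 65536)]),
    ]
    print(render(allocate(sample)), end="")
```

The automatic slots do not know about explicitly declared ranges, so a declarative range that lands inside an automatic one is caught by `validate` rather than silently shared; that is the case to watch when mixing both styles on one host. Once the files are in place, a user can confirm the mapping their rootless containers actually receive with `podman unshare cat /proc/self/uid_map`, which also exercises the setuid `newuidmap`/`newgidmap` helpers the mapping depends on.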

@grahamc
Member

grahamc commented Apr 29, 2020

It looks like this change makes it impossible to set this up for non-normal users?

@saschagrunert
Member

Podman 1.9.0 features experimental support for podman run --userns=auto, which automatically allocates a unique UID and GID range for the new container's user namespace. I think this is also supported by the containers.conf format: https://github.com/containers/common/blob/e4f05461c7833dec2d42a2521f8f3e0fb9735e05/pkg/config/config.go#L169-L173

@adisbladis
Member Author

> It looks like this change makes it impossible to set this up for non-normal users?

No, that's handled here https://github.com/NixOS/nixpkgs/pull/86278/files#diff-60dbc601a44b1bbbcbf2c21e2e64b7c1R317-R325.
Setting subuids/subgids in a declarative fashion still works the same as before, regardless of isNormalUser.

@adisbladis adisbladis marked this pull request as ready for review April 29, 2020 10:29
@adisbladis
Member Author

@GrahamcOfBorg test podman

```perl
push @subGids, $value;
}

if($u->{isNormalUser}) {
```
Member

Are system users never going to need subuid mapping? Maybe it's best if there is a new subuidMap attribute on the user that defaults to isNormalUser?

Member Author

If they need it they can still set it up declaratively using the NixOS users module. This PR is about automatic allocation, which I think only makes sense for a normal user.

Member

I missed that you could set the subUidRanges explicitly

@zowoq zowoq mentioned this pull request Jun 20, 2020
@zowoq
Contributor

zowoq commented Jun 28, 2020

I've been using this for a while now with different configs without encountering any issues.

Probably be good to have this merged for 20.09 (first release with the containers/podman modules).

@arianvp
Member

arianvp commented Jul 10, 2020

This sounds like it should be merged!

@adisbladis
Member Author

adisbladis commented Jul 13, 2020

I have rebased this and pushed a release note. Waiting for @GrahamcOfBorg to finish before merging.
