nixos.users-groups: Set up subuid/subgid mappings for all normal users #86278
Conversation
It looks like this change makes it impossible to set this up for non-normal users?
Podman 1.9.0 features experimental support for
Force-pushed eda2fe6 to 03a5a8f
No, that's handled here https://github.com/NixOS/nixpkgs/pull/86278/files#diff-60dbc601a44b1bbbcbf2c21e2e64b7c1R317-R325.
@GrahamcOfBorg test podman
push @subGids, $value;
}

if($u->{isNormalUser}) {
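Review bot: the `if($u->{isNormalUser}) {` branch gates automatic range allocation on the user kind without saying why, and the review thread shows the question gets asked; add a one-line comment above the condition stating that system users receive subuid/subgid ranges only when they are declared explicitly (the `push @subGids, $value;` path just above), so the next reader does not reopen it. Style nit in the same line: conventional Perl spacing is `if ($u->{isNormalUser}) {`.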
Are system users never going to need subuid mapping? Maybe it's best if there is a new subuidMap attribute on the user that defaults to isNormalUser?
If they need it they can still set it up declaratively using the NixOS users module. This PR is about automatic allocation, which I think only makes sense for a normal user.
I missed that you could set the subUidRanges explicitly.
I've been using this for a while now with different configs without encountering any issues. It would probably be good to have this merged for 20.09 (first release with the containers/podman modules).
This sounds like it should be merged!
This is required by (among others) Podman to run containers in rootless mode. Other distributions such as Fedora and Ubuntu already set up these mappings. The scheme with a start UID/GID offset starting at 100000 and increasing in 65536 increments is copied from Fedora.
Force-pushed 03a5a8f to ce49f8c
I have rebased this and pushed a release note. Waiting for @GrahamcOfBorg to finish before merging.
Things done
- Tested using sandboxing (sandbox in nix.conf on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)

cc @saschagrunert @vdemeester @zowoq @grahamc @alyssais
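The allocation scheme the PR text describes (first range at 100000, one 65536-ID range per normal user, explicitly declared ranges still honoured for any user including system users) as an added Python example. This is illustration code written for this page, not the nixpkgs update-users-groups script: the user-record shape, the `previous` map used to keep earlier allocations stable, the explicit-range dict standing in for subUidRanges, and the sample users are assumptions made for the example.

```python
# Added illustration of a Fedora-style subuid/subgid allocation: first range at
# 100000, one 65536-ID range per normal user. Example code, not the NixOS module;
# the record shapes below are assumptions made for this example.

SUBID_START = 100_000   # first subordinate ID, as on Fedora
SUBID_COUNT = 65_536    # IDs per user: a full 16-bit UID space inside a container


def parse_subid_file(text):
    """Parse /etc/subuid-style lines ('name:start:count') into (name, start, count)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        entries.append((name, int(start), int(count)))
    return entries


def overlaps(a, b):
    """True if two (start, count) ranges share at least one ID."""
    a_start, a_count = a
    b_start, b_count = b
    return a_start < b_start + b_count and b_start < a_start + a_count


def allocate_subids(users, explicit, previous):
    """Return the full list of (name, start, count) entries.

    users:    iterable of {"name": str, "isNormalUser": bool} (assumed shape)
    explicit: {name: [(start, count), ...]} declared ranges; any user, system users too
    previous: entries from the existing file, so an already allocated range is kept
              and container storage keyed on that mapping stays valid
    Explicit ranges win; normal users without one get the next free 65536-ID slot;
    stale entries for users that no longer qualify are dropped.
    """
    used, result = [], []

    def claim(name, rng):
        for other_name, other in used:
            if overlaps(rng, other):
                raise ValueError(f"{name} range {rng} overlaps {other_name} range {other}")
        used.append((name, rng))
        result.append((name, rng[0], rng[1]))

    for name, ranges in explicit.items():
        for rng in ranges:
            claim(name, rng)

    prior = {name: (start, count) for name, start, count in previous}
    eligible = [u["name"] for u in users if u["isNormalUser"] and u["name"] not in explicit]

    pending = []
    for name in eligible:  # first pass: keep previous allocations that are still free
        rng = prior.get(name)
        if rng is not None and not any(overlaps(rng, other) for _, other in used):
            claim(name, rng)
        else:
            pending.append(name)

    next_start = SUBID_START
    for name in pending:   # second pass: walk the 65536 grid, skipping taken slots
        while any(overlaps((next_start, SUBID_COUNT), other) for _, other in used):
            next_start += SUBID_COUNT
        claim(name, (next_start, SUBID_COUNT))
        next_start += SUBID_COUNT
    return result


def render_subid_file(entries):
    return "".join(f"{name}:{start}:{count}\n" for name, start, count in entries)


def check_subid_file(text, max_real_uid=65534):
    """Checks worth running before trusting rootless containers on a host:
    every range lies above the real UID space and no two ranges overlap."""
    entries = parse_subid_file(text)
    problems = []
    for i, (name, start, count) in enumerate(entries):
        if start <= max_real_uid:
            problems.append(f"{name}: range starts at {start}, inside the real UID space")
        for other_name, other_start, other_count in entries[i + 1:]:
            if overlaps((start, count), (other_start, other_count)):
                problems.append(f"{name} and {other_name} overlap")
    return problems


# Constructed sample input for the example (not taken from any real host).
SAMPLE_USERS = [
    {"name": "alice", "isNormalUser": True},
    {"name": "bob", "isNormalUser": True},
    {"name": "nginx", "isNormalUser": False},   # system user: no automatic range
]
SAMPLE_EXPLICIT = {"nginx": [(200_000, 65_536)]}          # declared, like subUidRanges
SAMPLE_PREVIOUS = parse_subid_file("bob:100000:65536\n")  # bob was allocated earlier


def example():
    return render_subid_file(allocate_subids(SAMPLE_USERS, SAMPLE_EXPLICIT, SAMPLE_PREVIOUS))


if __name__ == "__main__":
    text = example()
    print(text, end="")
    print("problems:", check_subid_file(text))
```

In the sample, bob keeps his earlier 100000 range, nginx gets only the declared range, and alice lands at 296608 because the declared nginx range is not aligned to the 65536 grid and the two grid slots it touches are skipped. On a real host the mapping is confirmed from inside a user namespace with `podman unshare cat /proc/self/uid_map`, which should show the range from /etc/subuid for that user.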