First of all, thanks for this feature!
I'm now converting almost all of my containers into unprivileged ones. But as I'm doing some kind of Docker-like separation of code and data on almost all services, using a lot of mountpoints, I just felt some need to discuss things.
Example:
I have some database containers, some webserver containers, ...
ZFS is providing the datasets for /var/lib/mysql and /var/www, which are then mount-pointed into the containers.
This way, the containers are (like in Docker) just instances of code running on persistent data.
I've tried an unprivileged container, set up the whole id mapping thing, and things just worked.
Now the interesting question to me: how do I set up things globally on a machine and the cluster?
Creating mappings for each dataset?
Create just one generic id for all?
Editing /etc/subuid and /etc/subgid is no real challenge using Ansible, Salt, whatever.
A small annoying thing is that you sometimes need the uid/gid before installing things. For example, MariaDB needs the mysql user to have access to /var/lib/mysql. Therefore, I need to create the user in advance, get the uid/gid, set up the id mapping thing and then install MariaDB. Works, but is a bit fiddly.
Ideas and discussion welcome!
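As an added illustration of the "one mapping per dataset" approach discussed above (example code, not part of the original post or of any container platform's tooling): the function below generates the `lxc.idmap` lines and the extra `/etc/subuid` / `/etc/subgid` entries needed so that a chosen container uid/gid, such as the `mysql` user that must own the bind-mounted `/var/lib/mysql` dataset, maps to a specific host id while every other id keeps the default shifted range. It assumes the common unprivileged default of container ids 0..65535 mapping to host ids 100000..165535, and the Proxmox-style `lxc.idmap: ...` line syntax; the id values used are constructed.

```python
"""Generate LXC idmap lines that pin selected container ids to host ids.

Constructed example, not the original post's configuration. Assumes the
usual unprivileged default: container id N maps to host id BASE + N for
N in 0..SIZE-1, except for the ids explicitly pinned below.
"""
from dataclasses import dataclass

BASE = 100000   # assumed default host offset for unprivileged containers
SIZE = 65536    # assumed default range length


@dataclass(frozen=True)
class Pin:
    kind: str          # "u" for uid, "g" for gid
    container_id: int  # id inside the container (e.g. the mysql user's uid)
    host_id: int       # host id that owns the dataset the container mounts


def idmap_lines(pins, base=BASE, size=SIZE):
    """Return (lxc_lines, subid_entries).

    lxc_lines: 'lxc.idmap: <kind> <container_start> <host_start> <count>'
    subid_entries: per kind, the 'root:<host_id>:1' entries that must be
    present in /etc/subuid ("u") or /etc/subgid ("g") in addition to the
    default 'root:<base>:<size>' entry, or the mapping is refused.
    Raises ValueError for a pin outside the range or a duplicated pin.
    """
    lxc, subids = [], {"u": [], "g": []}
    for kind in ("u", "g"):
        ks = sorted((p for p in pins if p.kind == kind),
                    key=lambda p: p.container_id)
        if any(not 0 <= p.container_id < size for p in ks):
            raise ValueError("container id outside the mapped range")
        if len({p.container_id for p in ks}) != len(ks):
            raise ValueError("duplicate pin for the same container id")
        cursor = 0  # next container id not yet covered by a mapping line
        for p in ks:
            if p.container_id > cursor:  # shifted block before the pin
                lxc.append(f"lxc.idmap: {kind} {cursor} {base + cursor} "
                           f"{p.container_id - cursor}")
            lxc.append(f"lxc.idmap: {kind} {p.container_id} {p.host_id} 1")
            subids[kind].append(f"root:{p.host_id}:1")
            cursor = p.container_id + 1
        if cursor < size:  # shifted block after the last pin
            lxc.append(f"lxc.idmap: {kind} {cursor} {base + cursor} {size - cursor}")
    return lxc, subids


if __name__ == "__main__":
    # Constructed: mysql is uid/gid 999 in the container and the ZFS
    # dataset on the host is owned by uid/gid 999 as well.
    for line in idmap_lines([Pin("u", 999, 999), Pin("g", 999, 999)])[0]:
        print(line)
```

Every id in the container other than the pinned one still lands in the 100000+ range, so a compromised service inside the container does not gain an unshifted host id beyond the single one it needs for its data directory.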