summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2018-11-12 00:17:34 -0800
committerGitHub <noreply@github.com>2018-11-12 00:17:34 -0800
commitd5375b59aafbf50c862bfb5ff895d4575375f1e7 (patch)
treefda08bb58dadba3915e3c92d47419e9daa29358c
parent78e6d8e7d70d431ccf096dee0f8eadb1c9b2967b (diff)
parent542d8fe95f66c0a3aabb9d964c260a0b3b9aaae8 (diff)
downloadpodman-d5375b59aafbf50c862bfb5ff895d4575375f1e7.tar.gz
podman-d5375b59aafbf50c862bfb5ff895d4575375f1e7.tar.bz2
podman-d5375b59aafbf50c862bfb5ff895d4575375f1e7.zip
Merge pull request #1795 from rhatdan/user
Better document rootless containers
-rw-r--r--docs/podman.1.md9
-rw-r--r--pkg/rootless/rootless_linux.go3
2 files changed, 8 insertions, 4 deletions
diff --git a/docs/podman.1.md b/docs/podman.1.md
index c66a9cf05..b7433d850 100644
--- a/docs/podman.1.md
+++ b/docs/podman.1.md
@@ -192,7 +192,7 @@ the exit codes follow the `chroot` standard, see below:
When Podman runs in rootless mode, the file `$HOME/.config/containers/storage.conf` is also loaded.
## Rootless mode
-Podman can also be used as non-root user. When podman runs in rootless mode, an user namespace is automatically created.
+Podman can also be used as non-root user. When podman runs in rootless mode, a user namespace is automatically created for the user, defined in /etc/subuid and /etc/subgid.
Containers created by a non-root user are not visible to other users and are not seen or managed by podman running as root.
@@ -209,13 +209,14 @@ Or just add the content manually.
$ echo USERNAME:10000:65536 >> /etc/subuid
$ echo USERNAME:10000:65536 >> /etc/subgid
+See the `subuid(5)` and `subgid(5)` man pages for more information.
+
Images are pulled under `XDG_DATA_HOME` when specified, otherwise in the home directory of the user under `.local/share/containers/storage`.
-Currently it is not possible to create a network device, so rootless containers need to run in the host network namespace. If a rootless container creates a network namespace,
-then only the loopback device will be available.
+Currently the slirp4netns package is required to be installed to create a network device, otherwise rootless containers need to run in the network namespace of the host.
## SEE ALSO
-`containers-mounts.conf(5)`, `containers-registries.conf(5)`, `containers-storage.conf(5)`, `crio(8)`, `libpod.conf(5)`, `oci-hooks(5)`, `policy.json(5)`
+`containers-mounts.conf(5)`, `containers-registries.conf(5)`, `containers-storage.conf(5)`, `crio(8)`, `libpod.conf(5)`, `oci-hooks(5)`, `policy.json(5)`, `subuid(5)`, `subgid(5)`, `slirp4netns(1)`
## HISTORY
Dec 2016, Originally compiled by Dan Walsh <dwalsh@redhat.com>
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index 5c45f2694..ff8c8fe34 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -187,6 +187,9 @@ func BecomeRootInUserNS() (bool, int, error) {
if username == "" {
user, err := user.LookupId(fmt.Sprintf("%d", os.Getuid()))
if err != nil && os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" {
+ if os.IsNotExist(err) {
+ return false, 0, errors.Wrapf(err, "/etc/subuid or /etc/subgid does not exist, see subuid/subgid man pages for information on these files")
+ }
return false, 0, errors.Wrapf(err, "could not find user by UID nor USER env was set")
}
if err == nil {