mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-28 18:02:38 +02:00
dev_scripts: Map host user UID to container UID 1000
When we run our Dangerzone environments through dev_scripts/env.py, we use the Podman flag `--userns keep-id`. This option maps the UID in the host to the *same* UID in the container. This way, the container can access mounted files from the host. The reason this works is because the user within the container has UID 1000, and the user in the host *typically* has UID 1000 as well.

This setup can break though if the user outside the host has a different UID. For instance, the UID of the GitHub actions user that runs our CI command is 1001.

To fix this, we need to always map the host user UID (whatever that is) to container UID 1000. We can achieve this with the following mapping:

    1000:0:1          # Map container UID 1000 to subordinate UID 0
                      # (sub UID 0 = owner of the user ns = host user UID)
    0:1:1000          # Map container UIDs 0-999 to subordinate UIDs 1-1000
    1001:1001:64536   # Map container UIDs 1001-65535 to subordinate UIDs 1001-65535

Refs #228
parent 91f8f8b387
commit 517d3b58f8
1 changed files with 17 additions and 1 deletions
@ -311,7 +311,23 @@ class Env:
# We need to retain our UID, because we are mounting the Dangerzone source to
# the container.
if self.runtime == "podman":
run_cmd += ["--userns", "keep-id"]
uidmaps = [
"--uidmap",
"1000:0:1",
"--uidmap",
"0:1:1000",
"--uidmap",
"1001:1001:64536",
]
gidmaps = [
"--gidmap",
"1000:0:1",
"--gidmap",
"0:1:1000",
"--gidmap",
"1001:1001:64536",
]
run_cmd += uidmaps + gidmaps

# Compute container runtime arguments for GUI purposes.
if gui:
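Review bot: the third entry `"1001:1001:64536"` spans 64536 IDs, so it maps container UIDs 1001-65536 onto subordinate IDs 1001-65536, one more than the `1001-65535` range the commit message describes; either use a length of 64535 or correct the description so the two agree. As written, the three maps together (subordinate ID 0 for the owner, then 1-65536) consume exactly the 65536 subordinate IDs that a default /etc/subuid and /etc/subgid allocation provides, so on a host where the user has a smaller allocation podman will refuse to create the user namespace with a message that does not point back at this code; a short comment next to `uidmaps` and `gidmaps` naming that requirement would make the failure easier to diagnose. Since the header counts 17 additions and 1 deletion, these explicit lists are replacing the single `--userns keep-id` argument rather than supplementing it, and the same comment should cover the gid side, which mirrors the uid side entry for entry.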