From: Nathan Chancellor <nathan@kernel.org>
To: Guillaume Tucker <gtucker@gtucker.io>
Cc: "Miguel Ojeda" <ojeda@kernel.org>,
	"David Gow" <davidgow@google.com>,
	"Onur Özkan" <work@onurozkan.dev>,
	"Arnd Bergmann" <arnd@arndb.de>,
	linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org,
	linux-kbuild@vger.kernel.org,
	automated-testing@lists.yoctoproject.org,
	workflows@vger.kernel.org, llvm@lists.linux.dev
Subject: Re: [PATCH v2 2/2] Documentation: dev-tools: add container.rst page
Date: Tue, 30 Dec 2025 13:16:29 -0700
Message-ID: <20251230201629.GB4062669@ax162>
In-Reply-To: <23c38222-ba4b-4728-8ad6-8bb02c5a2d3a@gtucker.io>

Hi Guillaume,

On Sun, Dec 21, 2025 at 09:13:33PM +0100, Guillaume Tucker wrote:
> On 18/12/2025 1:49 pm, Guillaume Tucker wrote:
> > +User IDs
> > +========
> > +
> > +This is an area where the behaviour will vary slightly depending on the
> > +container runtime.  The goal is to run commands as the user invoking the tool.
> > +With Podman, a namespace is created to map the current user id to a different
> > +one in the container (1000 by default).  With Docker, while this is also
> > +possible with recent versions it requires a special feature to be enabled in
> > +the daemon so it's not used here for simplicity.  Instead, the container is run
> > +with the current user id directly.  In both cases, this will provide the same
> > +file permissions for the kernel source tree mounted as a volume.  The only
> > +difference is that when using Docker without a namespace, the user id may not
> > +be the same as the default one set in the image.
> > +
> > +Say, we're using an image which sets up a default user with id 1000 and the
> > +current user calling the ``container`` tool has id 1234.  The kernel source
> > +tree was checked out by this same user so the files belong to user 1234.  With
> > +Podman, the container will be running as user id 1000 with a mapping to id 1234
> > +so that the files from the mounted volume appear to belong to id 1000 inside
> > +the container.  With Docker and no namespace, the container will be running
> > +with user id 1234 which can access the files in the volume but not in the user
> > +1000 home directory.  This shouldn't be an issue when running commands only in
> > +the kernel tree but it is worth highlighting here as it might matter for
> > +special corner cases.
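Review bot: "(1000 by default)" in the Podman sentence reads as if the tool itself always maps to 1000, while the worked example a paragraph later makes 1000 the image's default user; say explicitly which one is meant, e.g. "map the current user id to the image's default user (1000 in the images used here)". The closing "it might matter for special corner cases" is vague given that the paragraph already states the concrete case (the Docker container runs as uid 1234 and cannot access user 1000's home directory), so name it, e.g. "for example when a command expects to read or write files in the container user's home directory". Minor wording: "Say, we're using an image" reads better as "Say we are using an image".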
> 
> This part of the docs explains why things are a bit different between
> Podman and Docker.  In both cases, it should "just work" from a user
> point of view - just with some special corner cases.  Let me know if
> you think the documentation needs to be improved.

Ah, I had missed that on my skim through of the documentation plus I did
not have it side by side with the script while I was reviewing it.

> I may add a runtime check as a follow-up to detect if namespaces are
> enabled in Docker and if so use them, but to get started I wanted to
> keep things as simple as possible.

Yeah, I agree with keeping things simple up front.

Cheers,
Nathan
