@stgraber how would I go about creating an OCI container that runs under a specified GID/UID? My use case is I have created an incus custom volume that is mounted to both the OCI container and a standard incus container. I can create usernames in the incus container, but it appears that the OCI container just runs docker under root.
I’m not sure what you mean. Incus doesn’t run Docker at all for its OCI containers.
The containers run under LXC the exact same way system containers do.
Most application container images don't actively make use of users and just run the workload as root, but that's not something we can really do anything about on our end.
stgraber@castiana:~$ incus launch images:ubuntu/24.04 test-system
Launching test-system
stgraber@castiana:~$ incus launch docker:nginx test-oci
Launching test-oci
stgraber@castiana:~$ incus storage volume create default test-shared size=10GiB
Storage volume test-shared created
stgraber@castiana:~$ incus config device add test-system shared disk pool=default source=test-shared path=/shared
Device shared added to test-system
stgraber@castiana:~$ incus config device add test-oci shared disk pool=default source=test-shared path=/shared
Device shared added to test-oci
stgraber@castiana:~$ incus list test
+---------------+---------+-----------------------+-----------------------------------------------+-----------------+-----------+
|     NAME      |  STATE  |         IPV4          |                     IPV6                      |      TYPE       | SNAPSHOTS |
+---------------+---------+-----------------------+-----------------------------------------------+-----------------+-----------+
| test-oci      | RUNNING | 10.178.240.86 (eth0)  | fd42:8384:a6f8:63a0:216:3eff:fe7f:d6c8 (eth0) | CONTAINER       | 0         |
+---------------+---------+-----------------------+-----------------------------------------------+-----------------+-----------+
| test-system   | RUNNING | 10.178.240.140 (eth0) | fd42:8384:a6f8:63a0:216:3eff:fe65:d346 (eth0) | CONTAINER       | 0         |
+---------------+---------+-----------------------+-----------------------------------------------+-----------------+-----------+
stgraber@castiana:~$ incus exec test-system bash
root@test-system:~# touch /shared/foo
root@test-system:~# chown 1234:5678 /shared/foo
root@test-system:~# ls -lh /shared/
total 512
-rw-r--r-- 1 1234 5678 0 Sep 19 08:11 foo
root@test-system:~#
exit
stgraber@castiana:~$ incus exec test-oci bash
root@test-oci:~# ls -lh /shared/
total 512
-rw-r--r-- 1 1234 5678 0 Sep 19 08:11 foo
root@test-oci:~#
exit
stgraber@castiana:~$