
Allow mapping auxiliary filesystem groups into rootless podman-hpc containers. #94

Open
danfulton opened this issue Oct 31, 2023 · 3 comments

@danfulton
Contributor

At NERSC, users would like to be able to map their collaboration groups, and access files owned by collaboration members into their containers. This is core functionality to work with collaboration-owned data, and required for podman-hpc to replicate the functionality of Shifter.

The fundamental configuration required to allow this is that the user must have access to their auxiliary filesystem groups as subordinate group ids listed in the /etc/subgid configuration file. This functionality is already supported by Podman, and therefore this is a "configuration and installation" issue, rather than a code change for Podman-HPC.

Even with this configuration, determining the correct id mapping scheme is still quite complicated for the user, and so we will likely want to enable or provide convenient tools to generate common id maps. We also need to provide site documentation for enabling this functionality at a multiuser HPC site.
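The subgid coverage check described above, as an added example that is not part of this issue or of podman-hpc: it parses a constructed /etc/subgid, reports which of a user's auxiliary GIDs fall inside their subordinate ranges, and computes the intermediate-namespace index that a rootless `--gidmap` host value refers to, under the assumption that the user's own GID is index 0 and the subgid ranges are concatenated in file order starting at 1.

```python
# Constructed /etc/subgid content (user:first_subordinate_gid:count); not a real site file.
SUBGID_SAMPLE = """\
# alice gets a large anonymous range plus two collaboration groups
alice:100000:65536
alice:5000:1
alice:7000:10
bob:200000:65536
"""


def parse_subgid(text, user):
    """Return [(start, count), ...] for `user` in file order, skipping
    comments and malformed lines. Numeric uids are also accepted by
    shadow-utils, but this helper matches only the literal name given."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] != user:
            continue
        ranges.append((int(parts[1]), int(parts[2])))
    return ranges


def covering_range(gid, ranges):
    """The (start, count) range containing `gid`, or None if the group
    cannot be mapped into a rootless container at all."""
    for start, count in ranges:
        if start <= gid < start + count:
            return (start, count)
    return None


def check_aux_groups(aux_gids, ranges):
    """Map each auxiliary GID (e.g. from `id -G`) to its covering range or None."""
    return {gid: covering_range(gid, ranges) for gid in aux_gids}


def intermediate_index(gid, ranges):
    """Index of `gid` in the rootless intermediate mapping (assumption:
    own GID = 0, then subgid ranges concatenated in /etc/subgid order)."""
    index = 1
    for start, count in ranges:
        if start <= gid < start + count:
            return index + (gid - start)
        index += count
    return None


def gidmap_arg(gid, ranges):
    """A `--gidmap container:intermediate:1` fragment that exposes `gid`
    under its host value; the rest of the mapping must be supplied too."""
    idx = intermediate_index(gid, ranges)
    return None if idx is None else f"--gidmap {gid}:{idx}:1"
```

Run against the real file with `open("/etc/subgid").read()` and the GIDs from `id -G`; any group reported as None is the site configuration gap the issue describes.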

@danfulton danfulton self-assigned this Oct 31, 2023
@lastephey
Collaborator

@JBlaschke

@danfulton
Contributor Author

Notably, Podman provides some additional group mapping functionality when crun (as opposed to runc) is used as the backing OCI runtime. See for example https://docs.podman.io/en/latest/markdown/podman-run.1.html#group-add-group-keep-groups.

@danfulton
Contributor Author

I've verified that when using crun and the keep-groups flag, users can access collab or group owned files from inside the container on Perlmutter. The default runtime on Perlmutter should be crun following the maintenance today.
