{"id":50451691,"url":"https://github.com/converged-computing/usernetes-identity","last_synced_at":"2026-06-01T00:30:33.249Z","repository":{"id":356361628,"uuid":"1229003823","full_name":"converged-computing/usernetes-identity","owner":"converged-computing","description":"Testing means to run Usernetes with ~2K ids using fuse and seccomp","archived":false,"fork":false,"pushed_at":"2026-05-22T12:07:54.000Z","size":40,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-22T14:00:19.069Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/converged-computing.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":"COPYRIGHT","agents":null,"dco":null,"cla":null}},"created_at":"2026-05-04T15:47:33.000Z","updated_at":"2026-05-04T15:48:11.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/converged-computing/usernetes-identity","commit_stats":null,"previous_names":["converged-computing/usernetes-identity"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/converged-computing/usernetes-identity","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/converged-computing%2Fusernetes-identity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/converged-computing%2Fusernetes-identity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/converged-computing%2Fusernetes-identity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/converged-computing%2Fusernetes-identity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/converged-computing","download_url":"https://codeload.github.com/converged-computing/usernetes-identity/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/converged-computing%2Fusernetes-identity/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33755369,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-01T00:30:27.557Z","updated_at":"2026-06-01T00:30:28.273Z","avatar_url":"https://github.com/converged-computing.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Usernetes Identity\n\n**A userspace identity virtualization layer for HPC workloads.**\n\nDesigned for rootless container environments like Usernetes, this proxy allows containers to use the full 65,535 UID space while strictly confining host-side operations to a constrained UID pool (e.g., a 2,000 UID allocation). This is common practice for a multi-tenant HPC system. We cannot allocate the full range of identifiers to every user.\n\nIt achieves this through a \"Double Proxy\" architecture:\n\n1. **Filesystem Identity (FUSE):** A FUSE daemon that deterministically maps container UIDs to the host pool and persists the true UID in extended attributes (xattrs).\n2. **Process Identity (Seccomp):** A Seccomp-notify supervisor that intercepts identity syscalls (e.g., `getuid`) and spoofs the return values so HPC runtimes (like MPI) see the IDs they expect.\n\n## How does it work?\n\nWe map container UIDs ($0-65535$) into a small host pool ($1-1999$) using a stable hash. Node A and Node B will always map Container UID 500 to the exact same Host UID, preserving HPC fabric integrity without a centralized database. File ownership collisions are resolved by storing the original Container UID in the `user.usernetes.uid` xattr. We build with statically linked CGO (`libseccomp`) and pure-Go networking/user resolvers, ensuring it runs on any HPC node regardless of local `glibc` versions. Finally, the Seccomp supervisor validates PID lifecycles before responding to notifications to prevent PID-reuse attacks.\n\n## Prerequisites\n\n* **Linux Kernel:** 5.0+ (required for Seccomp user notifications).\n* **Build Dependencies:** Go 1.20+ and the `libseccomp` C headers.\n\n```bash\nsudo apt-get update \u0026\u0026 sudo apt-get install libseccomp-dev\n```\n\n## Building\n\nClone!\n\n```bash\ngit clone https://github.com/converged-computing/usernetes-identity\n```\n\nThen use the Makefile:\n\n```bash\nmake\n```\n\nNote: The `-tags netgo,osusergo` flag is important to bypass glibc's dynamic NSS dependencies. I think without that if we built and moved it we would have a problem. I have not yet tried building and deploying elsewhere (but maybe could).\n\n## Deployment (Control Plane)\n\nDeploying to a Usernetes node requires configuring both the container storage layer and the Kubelet. First, install the binary.\n\n```bash\nmkdir -p ~/.local/bin\ncp bin/usernetes-identity ~/.local/bin/usernetes-identity\nchmod 755 ~/.local/bin/usernetes-identity\n```\n\nTell the storage driver to use this proxy instead of the standard fuse-overlayfs.\n\n```bash\nvim ~/.config/containers/storage.conf\n```\n\n```toml\n[storage.options.overlay]\nmount_program = \"/home/your_user/.local/bin/usernetes-identity\"\nmountopt = \"nodev,nosuid\"\n```\n\nDeploy the Seccomp profile. Usernetes applies Seccomp profiles via the Kubelet. Create the profile in the Kubelet's rootless data directory.\n\n```bash\nmkdir -p ~/.local/share/usernetes/kubelet/seccomp/\nvim ~/.local/share/usernetes/kubelet/seccomp/hpc-profile.json\n```\n\nContents of `hpc-profile.json`:\n\n```json\n{\n    \"defaultAction\": \"SCMP_ACT_ALLOW\",\n    \"architectures\": [\"SCMP_ARCH_X86_64\"],\n    \"syscalls\": [\n        {\n            \"names\": [\"getuid\", \"geteuid\", \"getgid\", \"getegid\"],\n            \"action\": \"SCMP_ACT_NOTIFY\"\n        }\n    ]\n}\n```\n\nStart Usernetes as you typically would. We assume the following user namespace mapping via build flags for the node:\n\n- 0:0:1 (Root is pinned)\n- 1:1:1999 (The 1,999 slot deterministic pool)\n- 65534:2000:2 (Nobody is pinned)\n\nAnd for a pod manifest, we need a seccomp profile:\n\n```yaml\napiVersion: v1\nkind: Pod\nmetadata:\n  name: hpc-workload\nspec:\n  securityContext:\n    seccompProfile:\n      type: Localhost\n      localhostProfile: hpc-profile.json\n  containers:\n  - name: hpc-app\n    image: my-registry/hpc-app:latest\n    command: [\"/bin/sh\", \"-c\"]\n    args: [\"id \u0026\u0026 mpirun ...\"]\n```\n\n## License\n\nHPCIC DevTools is distributed under the terms of the MIT license.\nAll new contributions must be made under this license.\n\nSee [LICENSE](https://github.com/converged-computing/cloud-select/blob/main/LICENSE),\n[COPYRIGHT](https://github.com/converged-computing/cloud-select/blob/main/COPYRIGHT), and\n[NOTICE](https://github.com/converged-computing/cloud-select/blob/main/NOTICE) for details.\n\nSPDX-License-Identifier: (MIT)\n\nLLNL-CODE-842614","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconverged-computing%2Fusernetes-identity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fconverged-computing%2Fusernetes-identity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconverged-computing%2Fusernetes-identity/lists"}