{"id":18088996,"url":"https://github.com/eriksjolund/podman-map-uid-docs","last_synced_at":"2025-10-16T00:02:26.393Z","repository":{"id":195312667,"uuid":"692666081","full_name":"eriksjolund/podman-map-uid-docs","owner":"eriksjolund","description":"Documenation of how to map UIDs and GIDs with Podman","archived":false,"fork":false,"pushed_at":"2023-09-17T15:45:41.000Z","size":10,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-12T08:39:04.781Z","etag":null,"topics":["demo","documentation","ebpf","example","inspektor-gadget","podman"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eriksjolund.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-09-17T07:47:31.000Z","updated_at":"2023-09-17T11:45:21.000Z","dependencies_parsed_at":"2025-02-12T08:38:21.581Z","dependency_job_id":"974bc7ee-e916-48a7-9bd8-987447bf7cc0","html_url":"https://github.com/eriksjolund/podman-map-uid-docs","commit_stats":null,"previous_names":["eriksjolund/podman-map-uid-docs"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-map-uid-docs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-map-uid-docs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-map-uid-docs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/repositories/eriksjolund%2Fpodman-map-uid-docs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eriksjolund","download_url":"https://codeload.github.com/eriksjolund/podman-map-uid-docs/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247425537,"owners_count":20936971,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["demo","documentation","ebpf","example","inspektor-gadget","podman"],"created_at":"2024-10-31T17:42:33.498Z","updated_at":"2025-10-16T00:02:26.383Z","avatar_url":"https://github.com/eriksjolund.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# podman-map-uid-docs\n\nDocumentation of how to map UIDs and GIDs with Podman\n\n## Trace which UIDs and GIDs are used in a container with eBPF\n\nThe [documentation](https://hub.docker.com/_/nginx) for the\ncontainer image _docker.io/library/nginx_ mentions that the container\ndrops privileges for the worker processes to a user with UID 101 and GID 101.\n\nConclusions that can be drawn from that information:\n\n* The container needs to start running as root so that it has enough privileges to drop them (`--user 0:0`).\n* To let the nginx worker processes create files on the host that are owned by the regular user on the host, add `--userns keep-id:uid=101,gid=101`.
\n\nWhen using container images that drop privileges but where no detailed documentation is available,\nuse these debugging techniques to find out information about the container image:\n\n* Let the bind-mounted directory have permissive permissions (`chmod 777 dir`). After the container has run, check the ownership and permissions of a newly created file. See the example in [Podman troubleshooting tip](https://github.com/containers/podman/blob/main/troubleshooting.md#34-container-creates-a-file-that-is-not-owned-by-the-users-regular-uid).\n* Trace the use of UIDs and GIDs with the Linux kernel feature [eBPF](https://ebpf.io).\n\n### Example: trace open system calls in an Nginx container with Inspektor Gadget\n\nInspektor Gadget (https://github.com/inspektor-gadget/inspektor-gadget) is an eBPF tool and systems inspection framework.\n\nThe container image _ghcr.io/inspektor-gadget/ig_ needs to be run with `sudo podman run --privileged ...`.\nThe container process then has full access to the host, which means that you need to trust that the container\ndoes not do anything harmful to your system. For security reasons you might want to perform this example\nin a Linux VM, for example [Fedora CoreOS](https://fedoraproject.org/coreos/download/?stream=stable), which has Podman pre-installed.\n\n1. Open two bash terminals in the VM.\n2. In terminal 1 run\n   ```\n   sudo podman run -d --rm --name nginxtest -p 127.0.0.1:8080:80 docker.io/library/nginx\n   ```\n3. In terminal 1 run\n   ```\n   sudo systemctl start podman.socket\n   ```\n4. In terminal 1 set the shell variable `dir` to the container directory for which open system calls should be traced\n   ```\n   dir=/usr/share/nginx/html\n   ```\n   (The shell variable name `dir` was arbitrarily chosen. The variable is used to make this tutorial easier to understand.)\n5. In terminal 1 start the Inspektor Gadget container\n   ```\n   sudo podman run \\\n     -ti \\\n     --rm \\\n     --privileged \\\n     -v /run:/run \\\n     -v /:/host \\\n     -v /sys/kernel/debug:/sys/kernel/debug \\\n     -v /sys/kernel/tracing:/sys/kernel/tracing \\\n     -v /sys/fs/bpf:/sys/fs/bpf \\\n     -v /run/podman/podman.sock:/run/podman/podman.sock \\\n     ghcr.io/inspektor-gadget/ig \\\n       trace open \\\n         --containername nginxtest \\\n         --filter \"fullPath:~$dir/.*\" \\\n         --runtimes podman \\\n         --full-path \\\n         --output columns=uid,gid,fullPath\n   ```\n   An error message is printed in terminal 1:\n   ```\n   ERRO[0000] cgroup enricher: failed to get cgroup paths on container 675597c2e3fc24ab3d20a1203212de58c09ab148b609b2bc32264e636235689d: cgroup path not found in /proc/PID/cgroup\n   ```\n   (TODO: investigate why the error message is shown)\n6. In terminal 2 run\n   ```\n   curl 127.0.0.1:8080\n   ```\n   The following text is printed in terminal 1:\n   ```\n   UID        GID        FULLPATH\n   101        101        /usr/share/nginx/html/index.html\n   ```\n\n\n__Side note 1__: In this example a regular expression was specified with `--filter` so that only `open()` system calls for paths beginning with _/usr/share/nginx/html_ are shown.\n\n\nThe `--help` option provides information about how to specify a regular expression with the `--filter` option:\n\n```\n$ podman run --rm ghcr.io/inspektor-gadget/ig trace open --help | grep -A1 regular\n                                   columnName:~value      - matches, if the content of columnName matches the regular expression 'value'\n                                                            see [https://github.com/google/re2/wiki/Syntax] for more information on the syntax\n```\n\nFor more details about the regular expression syntax, see https://github.com/google/re2/wiki/Syntax\n\n__Side note 2__: To see only which UIDs and GIDs are used, replace the end of the command\n\n```\n--output columns=uid,gid,fullPath\n```\nwith\n```\n--output columns=uid,gid | sort -u\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feriksjolund%2Fpodman-map-uid-docs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feriksjolund%2Fpodman-map-uid-docs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feriksjolund%2Fpodman-map-uid-docs/lists"}