Feature Description
It would be good if nydus-snapshotter advertised the remap-ids capability so that it can work properly with user namespaces in Kubernetes.
This will require changes both here and in nydusd.
Problem and Use Case
When using user namespaces (i.e., hostUsers: false in the pod spec) in Kubernetes, it has to use idmapping in order to get the file UIDs and GIDs to look correct inside the container. k8s chooses effectively random (or at least arbitrary) host UIDs to map the container's UIDs to. These arbitrary UIDs will usually not match whatever is in the container image, so a reverse layer of idmapping is needed to map back to the original UIDs. This requires filesystem and snapshotter support.
Right now, if you use the nydus snapshotter in a k8s container with user namespaces (i.e., hostUsers: false in the pod spec), k8s will request containerd to perform idmapping. Containerd, upon seeing that the snapshotter is not advertising remap-ids support, will do a slow workaround (which I haven't fully investigated) where it roughly creates a copy of the relevant image and chowns it to the correct permissions. This is very slow and defeats the purpose of using nydus.
Related issues
No response
Are you willing to submit PR?
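A worked illustration of the mapping described under Problem and Use Case, added here as an example and not code from nydus-snapshotter, containerd or the issue author: it applies a constructed uid_map range (the kind the kubelet assigns a hostUsers: false pod) to a file owner taken from an image, shows why the raw ID appears as the kernel overflow ID inside the pod, and computes the host ID a remap-ids-capable snapshotter must present instead.

```go
package main

import "fmt"

// IDMapEntry mirrors one line of /proc/<pid>/uid_map (or gid_map): namespace
// IDs [ContainerID, ContainerID+Size) are backed by host IDs [HostID, HostID+Size).
type IDMapEntry struct {
	ContainerID uint32
	HostID      uint32
	Size        uint32
}

// overflowID is the kernel's default for IDs with no mapping
// (kernel.overflowuid / overflowgid), seen inside the container as "nobody".
const overflowID uint32 = 65534

// ToHost translates an ID as the container sees it (and as the image stores it)
// into the host ID that must own the file on disk; ok is false if it is unmapped.
func ToHost(m []IDMapEntry, containerID uint32) (hostID uint32, ok bool) {
	for _, e := range m {
		if containerID >= e.ContainerID && containerID-e.ContainerID < e.Size {
			return e.HostID + (containerID - e.ContainerID), true
		}
	}
	return 0, false
}

// ToContainer is the reverse direction: what a process inside the user
// namespace sees for a file owned by hostID on the host filesystem.
func ToContainer(m []IDMapEntry, hostID uint32) uint32 {
	for _, e := range m {
		if hostID >= e.HostID && hostID-e.HostID < e.Size {
			return e.ContainerID + (hostID - e.HostID)
		}
	}
	return overflowID
}

func main() {
	// Constructed mapping: the pod gets an arbitrary 65536-wide host range at 100000.
	m := []IDMapEntry{{ContainerID: 0, HostID: 100000, Size: 65536}}
	// A layer file owned by uid 1000 in the image, served unchanged: the
	// container sees it as the overflow ID (65534), not as uid 1000.
	fmt.Println("unremapped:", ToContainer(m, 1000))
	// With remap-ids the snapshotter presents it as host uid 101000 instead,
	// and the container sees the ownership the image intended.
	h, _ := ToHost(m, 1000)
	fmt.Println("remapped:", h, "->", ToContainer(m, h))
}
```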