Gentoo Archives: gentoo-dev

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [RFC] Revisiting GLEP 81 (acct-*) policies (reviews, cross-distro syncing)
Date: Tue, 10 Dec 2019 12:27:00
Message-Id: 29e0b831-a578-c156-a442-9f4fe1d91a5e@gentoo.org
In Reply to: Re: [gentoo-dev] [RFC] Revisiting GLEP 81 (acct-*) policies (reviews, cross-distro syncing) by Rich Freeman
Hi,

On 2019-12-10 12:47, Rich Freeman wrote:
> Having UIDs chosen completely at random seems fairly non-optimal.
> Suppose you're building containers/etc and then bind-mounting in
> persistent storage (/var/lib/mysql and so on). Wouldn't it be nice if
> the default were that mysql would get the same UID on every build? I
> guess you could provide an initial /etc/passwd on every fresh build
> but it just seems like an extra step.

While this sounds like a valid problem we are going to address, this
sounds like an analysis without practical experience:

In practice you will *never* assume proper container <> host user
mapping. *Never*. If you do that, you are doing it wrong:

- Containers sometimes switch base images. You won't notice that unless
you follow the container provider very closely. But you are using containers
because you are focused on the containerized application, not the container
itself...

- Containers start doing things differently. Again, you won't notice, see
above.

- Your host is maybe running some real services. You really don't want
a container to suddenly become able to access these services just
because the container <> host mapping matches.

No, when you follow best practice you will always pass user/group or use
other available mapping solutions.

So while it sounds like a valid *goal*, in the real world, it isn't.


--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
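The two risks raised in the reply above (a UID hard-coded in an image colliding with a real host account, and a bind-mounted data directory not matching the UID the container process runs as) can be checked before a container is started. The following Python is an added example written for this archive page; it is not code from the thread or from Gentoo. The passwd snippets, the `mysqlvol` host account, the `/srv/mysql` mount and the `plan_run_user` / `uid_collisions` helper names are all constructed for the illustration.

```python
# Added example, not from the gentoo-dev thread. Inputs are constructed:
# a host /etc/passwd, an image /etc/passwd, and the bind mounts with the
# uid/gid that owns each host-side path.

HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postgres:x:999:999:PostgreSQL (real host service):/var/lib/postgresql:/bin/sh
mysqlvol:x:4001:4001:owner of the mysql volume:/nonexistent:/usr/sbin/nologin
"""

IMAGE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
mysql:x:999:999:MySQL (uid chosen by the image):/var/lib/mysql:/bin/false
"""

# (host_path, owner_uid, owner_gid) as seen on the host; constructed.
BIND_MOUNTS = [("/srv/mysql", 4001, 4001)]


def parse_passwd(text):
    """Map uid -> account name from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue  # skip blank or malformed lines
        users[int(fields[2])] = fields[0]
    return users


def uid_collisions(host_users, image_users):
    """UIDs that exist on both sides under different names.

    This is the 'container suddenly able to access host services' case:
    without an explicit user mapping, the image's account would act as the
    host's account of the same uid on anything bind-mounted in.
    """
    shared = host_users.keys() & image_users.keys()
    return {uid: (host_users[uid], image_users[uid])
            for uid in shared if host_users[uid] != image_users[uid]}


def plan_run_user(image_users, service, mounts):
    """Decide the explicit uid:gid to pass to the runtime (e.g. --user)
    instead of trusting whatever uid the image picked for the service.

    Returns the image's uid for the service, the mounts whose host owner
    differs from it, and a single uid:gid to run as when all mounts share
    one owner (None when they do not, so the caller must split them).
    """
    image_uid = next(uid for uid, name in image_users.items() if name == service)
    mismatched = [path for path, uid, _gid in mounts if uid != image_uid]
    owners = {(uid, gid) for _path, uid, gid in mounts}
    run_as = "%d:%d" % owners.pop() if len(owners) == 1 else None
    return {"image_uid": image_uid, "mismatched": mismatched, "run_as": run_as}


def report():
    """Run both checks over the constructed inputs and return the findings."""
    host_users = parse_passwd(HOST_PASSWD)
    image_users = parse_passwd(IMAGE_PASSWD)
    return {
        "collisions": uid_collisions(host_users, image_users),
        "plan": plan_run_user(image_users, "mysql", BIND_MOUNTS),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

With the constructed data the report flags uid 999 as `postgres` on the host but `mysql` in the image, notes that `/srv/mysql` is owned by a different uid than the image's `mysql` account, and recommends running the container as `4001:4001`, which is the "always pass user/group" practice the reply describes rather than relying on the image's default.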