@Jookia Jookia commented Jan 23, 2025

Currently distrobox will reserve all subuids/subgids available. This has the unfortunate effect of blocking other containers from running that require their own set of subuids/subgids.

podman has added a feature that lets us restrict the amount of subuids/subgids we request. If available, set the amount to 65536 which is the standard amount needed for a typical Linux single container.

This breaks the ability to run nested containers.


To use this feature you must compile and run the git version of podman. Without it this happens with regular distrobox use:

$ podman run --rm -it --userns=auto archlinux /bin/echo "hello world"
hello world
$ distrobox create --image archlinux test1
...
$ podman run --rm -it --userns=auto archlinux /bin/echo "hello world"
Error: creating container storage: not enough unused IDs in user namespace
$ distrobox rm test1
...
$ podman run --rm -it --userns=auto archlinux /bin/echo "hello world"
hello world

An alternative solution to this could be an option flag to allow specifying the userns type and flags.
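To make the failure in the transcript above concrete, here is an added example in POSIX sh (not distrobox's own code and not part of this PR). It assumes podman's `--userns=keep-id:size=N` syntax is the feature the description refers to, uses a constructed /etc/subuid sample, and the function names are hypothetical. It sums a user's subordinate ID ranges, reports how many 65536-ID containers that allocation can hold, and shows the flag choice controlled by the DBX_USERNS_NOLIMIT setting discussed in this thread.

```shell
#!/bin/sh
# Added example, not distrobox code. Assumes podman accepts
# --userns=keep-id:size=N (the feature the PR description refers to).

# Constructed sample of an /etc/subuid file: two users, the usual 65536
# IDs per useradd allocation, with alice holding two separate ranges.
SAMPLE_SUBUID="alice:100000:65536
bob:165536:65536
alice:231072:65536"

# Sum the lengths of every subuid range assigned to a user.
# Usage: subid_total "$subuid_content" user
subid_total() {
    printf '%s\n' "$1" |
        awk -F: -v u="$2" '$1 == u { total += $3 } END { print total + 0 }'
}

# How many containers that each reserve 65536 IDs fit in a user's allocation.
# A result of 1 means a distrobox that reserves the whole range leaves no
# unused IDs for a second rootless container (the "not enough unused IDs"
# error from the transcript).
# Usage: containers_that_fit "$subuid_content" user
containers_that_fit() {
    total=$(subid_total "$1" "$2")
    echo $((total / 65536))
}

# Pick the podman --userns value. With DBX_USERNS_NOLIMIT=1 the whole
# subordinate range is mapped (old behaviour, needed for nested containers);
# otherwise the reservation is capped at 65536 IDs.
# Usage: userns_arg [value-of-DBX_USERNS_NOLIMIT]
userns_arg() {
    if [ "${1:-0}" = "1" ]; then
        printf '%s\n' "--userns=keep-id"
    else
        printf '%s\n' "--userns=keep-id:size=65536"
    fi
}

# Demo run with the constructed sample.
echo "alice subuids: $(subid_total "$SAMPLE_SUBUID" alice), fits $(containers_that_fit "$SAMPLE_SUBUID" alice) container(s)"
echo "bob subuids:   $(subid_total "$SAMPLE_SUBUID" bob), fits $(containers_that_fit "$SAMPLE_SUBUID" bob) container(s)"
echo "default flag:  $(userns_arg "${DBX_USERNS_NOLIMIT:-0}")"
echo "nolimit flag:  $(userns_arg 1)"
```

Run it against a real system by replacing the sample with `$(cat /etc/subuid)` and your user name; a user with a single 65536-ID range is exactly the case where the capped reservation matters.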

Owner

@89luca89 89luca89 left a comment

Thanks @Jookia seems like an interesting addition!

Owner

@89luca89 89luca89 left a comment


This breaks the ability to run nested containers.

I'm not really super-concerned about this, but maybe we want to propagate this change in the docs?
Currently there are a couple of tips on how to run podman/docker inside a distrobox, we might want to update those if this breaks the compatibility
and maybe have some env var thing (like: DBX_USERNS_NOLIMIT?) that bypasses this for needed cases

@Jookia
Author

Jookia commented Aug 24, 2025

I think the right way is to ask for more UIDs for your container if you want to run nested podman. Maybe a way to specify that if you can't already would be good?

@89luca89
Owner

I think the right way is to ask for more UIDs for your container if you want to run nested podman. Maybe a way to specify that if you can't already would be good?

I think we can simply skip this limit if explicitly set (eg via env variable at creation time), nested containers are quite a corner case, so I don't believe we want too much of an ergonomic solution (cli flags and such)
and I think limiting the space is the right default at the moment

I think adding this env variable check, plus updating the docs for nested containers needs, is enough

@Jookia
Author

Jookia commented Aug 27, 2025

Yeah I can't figure out how to do this. Sorry.

@Jookia Jookia closed this Aug 27, 2025
@Jookia Jookia deleted the RFC_keepid_size branch August 27, 2025 17:49
@Jookia Jookia restored the RFC_keepid_size branch August 28, 2025 18:27
@Jookia
Author

Jookia commented Aug 28, 2025

Oops, a bit premature to close this. Could you give me some concrete suggestions on how to implement this?

@Jookia Jookia reopened this Aug 28, 2025

Currently distrobox will reserve all subuids/subgids available.
This has the unfortunate effect of blocking other containers from running
that require their own set of subuids/subgids.

podman has added a feature that lets us restrict the amount of
subuids/subgids we request. If available, set the amount to 65536 which
is the standard amount needed for a typical Linux single container.

Disable this by setting DBX_USERNS_NOLIMIT=1.

Signed-off-by: Jookia <[email protected]>
@Jookia
Author

Jookia commented Sep 3, 2025

I have updated the PR to add a way to disable this using the suggested environment variable.
