help getting clarity on how userns mappings work

[flixman]

I am trying to run an alpine container with postfix. This is the Containerfile:

FROM alpine:3.21

RUN apk update && \
  apk add --no-cache \
    postfix=~{{ postfix.version }} \
    postfix-pcre=~{{ postfix.version }}

CMD ["postfix", "-v", "start-fg"]

After running it once (with a regular user), I see that postfix starts as UID 0 (root) to then switch to UID 100 (postfix), GID 101. When running it with "userns=host" it works, but when running it as "userns=keep-id:uid=100,gid=101" I am getting an error:

Jan 02 16:00:57 k3s systemd-postfix-postfix[54745]: postfix: error: to submit mail, use the Postfix sendmail command
Jan 02 16:00:57 k3s systemd-postfix-postfix[54745]: postfix: fatal: the postfix command is reserved for the superuser

My understanding from the documentation is that by using "userns=keep-id:uid=100,gid=101", podman would map my user (993:980) to that of the postfix user inside the container (100:101). But I am missing something because if this was the case... the application would not see anything different, right?

Considering I am using different users for different containers, how problematic is to use userns=host, besides the fact that the files created by the user 100 on the container will be owned by the corresponding subuid on the host?

[eriksjolund]

Does it work if you also pass --user 0:0
?

A general tip: when using --userns=keep-id:uid=100,gid=101 you also need to pass --user 0:0 if the container needs to be started as container user root.

test@localhost:~$ podman run --rm --userns=keep-id:uid=100,gid=101 docker.io/library/alpine id
uid=100(100) gid=101(101) groups=101(101)
test@localhost:~$ podman run --rm --user 0:0 --userns=keep-id:uid=100,gid=101 docker.io/library/alpine id
uid=0(root) gid=0(root) groups=101,0(root)
test@localhost:~$ 

[flixman]

@eriksjolund Thank you very much! yes, that makes it work! But why? How?

[eriksjolund]

But why? How?

I think --userns=keep-id:uid=100,gid=101 is trying to be helpful but in this case changing --user is not what we want.

I think it might be less confusing to use

--uidmap=+100:@$(id -u)  --gidmap=+101:@$(id -g) 

because those options do not change --user

[flixman]

Indeed, your suggestion works. A side question, though: I am running a pod with two containers, they are using different users to run the processes (the other is rspamd, using user 11333). Do you think is there any way to make these two play nice together, so that both users (100 in one container, and 11333 in the other) map to the same host user (993, in my example)?

[eriksjolund]

No, not when using a pod. The trick is to not use a pod. Try to use a custom network instead (podman network create mynet).

For more difficult cases, you might need to use
--group-add=keep-groups

[flixman]

ok, then I will go without the pod. Thank you!