On Fri, 2020-01-03 at 13:15 +0200, Nikolai Merinov via Openembedded-core wrote:
> Hi Alexander.
>
> I understand all of the concerns. Yes, it's possible to create a
> regular user inside of containers (at least in the case of rootless
> LXC and Docker containers), but this is a question of usability.
> All existing Docker containers for a Yocto compilation (including the
> CROPS described at the yoctoproject wiki) try to use the same UID/GID
> for files inside and outside of the container in order to allow
> working with files both inside and outside of the container.
>
> In the case of the main container subsystems (Docker, OCI) the same level
> of usability for rootless containers can be supported only if we
> allow compilation from UID == 0, because the user's own UID is mapped to 0 in
> these containers. In order to support such a configuration we, in any
> case, should somehow modify the contamination check, the check for a root
> user in sanity.bbclass, and disable the root check in the "mknod" module
> in gnulib (used by coreutils).
>
> Would it be appropriate if we allow such a compilation regime
> with the following limitations:
> 1. Allow compilation only from the root user inside of a Linux user
> namespace (not a real root)
> 2. Allow such compilation only if there is a "native_root_user" feature
> in DISTRO_FEATURES
> 3. Each modified place will check these two conditions
>
> Would such a design be an appropriate compromise between safety and
> usability?
The problem is this introduces a difference in how two different groups of people would use the system. A recipe built and tested in one system may fail in the other environment. This adds significant support overhead and a determinism problem. That worries me a lot more than any of the other issues...

Cheers,

Richard

--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
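The two conditions proposed in the quoted mail (UID 0 only inside a Linux user namespace, and only when a "native_root_user" feature is present in DISTRO_FEATURES) can be told apart from a real root build by reading /proc/self/uid_map. The following is an added example written for this page, not code from OpenEmbedded, sanity.bbclass or either poster. The uid_map format is the kernel's (one "inside outside count" line per mapped range, with the initial namespace mapping everything 1:1); the function names, the "native_root_user" feature spelling taken from the mail, and the two sample uid_map contents are assumptions constructed for illustration.

```python
"""Decide whether a build running as UID 0 is a namespaced (fake) root.

Added example, not OpenEmbedded code: it implements the two-condition check
proposed in the quoted mail (root only inside a Linux user namespace, and only
when the hypothetical "native_root_user" feature is in DISTRO_FEATURES).
"""
import os

# /proc/self/uid_map has one "<inside_start> <outside_start> <count>" line
# per mapped range.  The initial namespace maps everything 1:1.
# Constructed sample: what a process in the initial user namespace sees.
INITIAL_NS_UID_MAP = "         0          0 4294967295\n"
# Constructed sample: what a rootless container started by host user 1000
# with a subordinate range beginning at 100000 sees.
ROOTLESS_UID_MAP = (
    "         0       1000          1\n"
    "         1     100000      65536\n"
)


def uid0_is_namespaced(uid_map_text):
    """True if UID 0 in this namespace maps to a non-zero UID in the parent."""
    for line in uid_map_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # tolerate blank or malformed lines
        inside, outside, count = map(int, fields)
        if inside == 0 and count >= 1:
            # UID 0 lies in this range; it is a namespaced root exactly when
            # it lands on a non-zero UID outside the namespace.
            return outside != 0
    return False  # UID 0 not mapped at all: this process cannot be root


def root_build_permitted(euid, uid_map_text, distro_features):
    """Apply the proposed policy to explicit inputs (unit-testable)."""
    if euid != 0:
        return True  # ordinary unprivileged build, nothing to decide
    features = distro_features.split()
    return "native_root_user" in features and uid0_is_namespaced(uid_map_text)


def root_build_permitted_here(distro_features):
    """Same check against the live process and kernel."""
    try:
        with open("/proc/self/uid_map") as f:
            uid_map_text = f.read()
    except FileNotFoundError:
        # No user-namespace support on this kernel: UID 0 is the real root.
        uid_map_text = INITIAL_NS_UID_MAP
    return root_build_permitted(os.geteuid(), uid_map_text, distro_features)


if __name__ == "__main__":
    feats = os.environ.get("DISTRO_FEATURES", "")
    print("permitted" if root_build_permitted_here(feats) else "refused")
```

A real root, or root inside a conventional (non-rootless) Docker container, sees "0 0 4294967295" and is refused regardless of DISTRO_FEATURES; a rootless container or an `unshare -Ur` shell sees UID 0 mapped onto the host user's UID and is accepted only when the feature is set. This covers the sanity.bbclass side of the proposal; the gnulib "mknod" root check the mail also mentions is C code inside coreutils and would need an equivalent condition of its own.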