Re: [gentoo-dev] [RFC] Revisiting GLEP 81 (acct-*) policies (reviews, cross-distro syncing)

[Rich Freeman <rich0@gentoo.org>]

On Tue, Dec 10, 2019 at 7:26 AM Thomas Deutschmann <whissi@gentoo.org> wrote:
>
> On 2019-12-10 12:47, Rich Freeman wrote:
> > Having UIDs chosen completely at random seems fairly non-optimal.
> > Suppose you're building containers/etc and then bind-mounting in
> > persistent storage (/var/lib/mysql and so on).  Wouldn't it be nice if
> > the default were that mysql would get the same UID on every build?  I
> > guess you could provide an initial /etc/passwd on every fresh build
> > but it just seems like an extra step.
>
> In practice you will *never* assume proper container <> host user
> mapping. *Never*. If you do that, you are doing it wrong:

I'm not talking about container-host mapping.  I'm talking about
building the same container 100 times and having the container end up
with the same UIDs inside each time.

Build order in portage isn't really deterministic, especially over
long periods of time, so you can't rely on stuff getting installed in
the same order.

> - Container sometimes switch base images. You won't notice that unless
> you follow container provider very closely. But you are using container
> because you are focused on containerized application, not the container
> itself...

I'm talking about Gentoo containers here that YOU are the one
building.  Not just doing "docker run foo."  Obviously if you're using
somebody else's images you're going to end up with whatever UIDs they
use.  Chances are they're from some distro that actually DOES manage
their UIDs so they'll still be stable over time unless the base image
changes as you say.

> - Your host is maybe running some real services. You really don't want
> that a container suddenly become able to access these services just
> because container <> host mapping has match.

Uh, the container processes shouldn't even see the host
processes/files whether they have the same UIDs or not...

-- 
Rich