root
/
buildah
mirror of https://github.com/containers/buildah.git
1
0
Fork 0
Code Issues Actions 2 Packages Projects Releases Wiki Activity
buildah/docs/buildah-unshare.1.md

67 lines
2.3 KiB
Markdown
Raw Normal View History

Help document using buildah mount in rootless mode Update man page to show example of using buildah mount in rootless mode. Also enhance buildah mount --help to explain the buildah unshare requirement. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1341 Approved by: TomSweeneyRedHat
2019-02-15 04:59:42 +08:00
# buildah-unshare "1" "June 2018" "buildah"
main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan
2018-06-15 03:42:33 +08:00
## NAME
buildah\-unshare - Run a command inside of a modified user namespace.
## SYNOPSIS
docs: Follow man-pages(7) suggestions for SYNOPSIS man-pages(7) has [1]: > For commands, this shows the syntax of the command and its arguments > (including options); boldface is used for as-is text and italics are > used to indicate replaceable arguments. Brackets ([]) surround > optional arguments, vertical bars (|) separate choices, and ellipses > (...) can be repeated. I've adjusted our SYNOPSIS entries to match that formatting, and generally tried to make them more consistent with the precedent set by the man-pages project. Outside of the SYNOPSIS entry, I prefer using backticks for literals, although in some places I've left the ** bolding to keep things visually similar to a nearby SYNOPSIS entry. I've also simplified a few placeholders, e.g. "containerID" -> "container", because I didn't think the additional bit was providing much additional context. If there is ambiguity about the representation, it should be addressed in the DESCRIPTION instead of with an "ID" or "Name" suffix. [1]: http://man7.org/linux/man-pages/man7/man-pages.7.html Signed-off-by: W. Trevor King <wking@tremily.us> Closes: #839 Approved by: rhatdan
2018-06-30 03:39:36 +08:00
**buildah unshare** [*options*] [**--**] [*command*]
main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan
2018-06-15 03:42:33 +08:00
## DESCRIPTION
Launches a process (by default, *$SHELL*) in a new user namespace. The user
namespace is configured so that the invoking user's UID and primary GID appear
to be UID 0 and GID 0, respectively. Any ranges which match that user and
group in /etc/subuid and /etc/subgid are also mapped in as themselves with the
help of the *newuidmap(1)* and *newgidmap(1)* helpers.
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat
2019-02-27 23:29:09 +08:00
buildah unshare is useful for troubleshooting unprivileged operations and for
main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan
2018-06-15 03:42:33 +08:00
manually clearing storage and other data related to images and containers.
[CI:DOCS] Fix typos and improve language Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2022-01-26 04:55:55 +08:00
It is also useful if you want to use the `buildah mount` command. If an unprivileged user wants to mount and work with a container, then they need to execute
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat
2019-02-27 23:29:09 +08:00
buildah unshare. Executing `buildah mount` fails for unprivileged users unless the user is running inside a `buildah unshare` session.
unshare: add a --mount flag Add a --mount flag to `buildah unshare`, so that the command it runs can have a container's root filesystem mounted, and the location where it's mounted provided in its environment. This is primarily aimed at cases where `buildah unshare` is used to run one-liner commands, as proper scripts can simply call `buildah mount` themselves. Users still have to be careful about quoting references to the environment if the command needs to be executed by a shell (for example, if it's run as `buildah unshare --mount foo sh -c 'ls $foo'`), so that the shell that's invoking `buildah unshare` doesn't try to expand the variable's value first. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2019-07-16 06:01:51 +08:00
## OPTIONS
[CI:DOCS] man pages: sort flags, and keep them that way Enforce alphabetical ordering of command-line options in man pages. Not as simple as with podman, because conventions are different. Reference: https://github.com/containers/podman/pull/13625 Signed-off-by: Ed Santiago <santiago@redhat.com>
2022-03-24 20:03:06 +08:00
bud: teach --platform to take a list Add a pkg/parse.PlatformsFromOptions() which understands a "variant" value as an optional third value in an OS/ARCH[/VARIANT] argument value, which accepts a comma-separated list of them, and which returns a list of platforms. Teach "from" and "pull" about the --platform option and add integration tests for them, warning if --platform was given multiple values. Add a define.BuildOptions.JobSemaphore which an imagebuildah executor will use in preference to one that it might allocate for itself. In main(), allocate a JobSemaphore if the number of jobs is not 0 (which we treat as "unlimited", and continue to allow executors to do). In addManifest(), take a lock on the manifest list's image ID so that we don't overwrite changes that another thread might be making while we're attempting to make changes to it. In main(), create an empty list if the list doesn't already exist before we start down this path, so that we don't get two threads trying to create that manifest list at the same time later on. Two processes could still try to create the same list twice, but it's an incremental improvement. Finally, if we've been given multiple platforms to build for, run their builds concurrently and gather up their results. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2021-06-22 22:52:49 +08:00
**--mount**, **-m** [*VARIABLE=]containerNameOrID*
unshare: add a --mount flag Add a --mount flag to `buildah unshare`, so that the command it runs can have a container's root filesystem mounted, and the location where it's mounted provided in its environment. This is primarily aimed at cases where `buildah unshare` is used to run one-liner commands, as proper scripts can simply call `buildah mount` themselves. Users still have to be careful about quoting references to the environment if the command needs to be executed by a shell (for example, if it's run as `buildah unshare --mount foo sh -c 'ls $foo'`), so that the shell that's invoking `buildah unshare` doesn't try to expand the variable's value first. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2019-07-16 06:01:51 +08:00
Mount the *containerNameOrID* container while running *command*, and set the
environment variable *VARIABLE* to the path of the mountpoint. If *VARIABLE*
is not specified, it defaults to *containerNameOrID*, which may not be a valid
name for an environment variable.
main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan
2018-06-15 03:42:33 +08:00
## EXAMPLE
buildah unshare id
buildah unshare pwd
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat
2019-02-27 23:29:09 +08:00
buildah unshare cat /proc/self/uid\_map /proc/self/gid\_map
main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan
2018-06-15 03:42:33 +08:00
Switch references of /var/run -> /run Systemd is now complaining or mentioning /var/run as a legacy directory. It has been many years where /var/run is a symlink to /run on all most distributions, make the change to the default. Partial fix for https://github.com/containers/podman/issues/8369 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2020-12-18 19:37:59 +08:00
buildah unshare rm -fr $HOME/.local/share/containers/storage /run/user/\`id -u\`/run
main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan
2018-06-15 03:42:33 +08:00
unshare: add a --mount flag Add a --mount flag to `buildah unshare`, so that the command it runs can have a container's root filesystem mounted, and the location where it's mounted provided in its environment. This is primarily aimed at cases where `buildah unshare` is used to run one-liner commands, as proper scripts can simply call `buildah mount` themselves. Users still have to be careful about quoting references to the environment if the command needs to be executed by a shell (for example, if it's run as `buildah unshare --mount foo sh -c 'ls $foo'`), so that the shell that's invoking `buildah unshare` doesn't try to expand the variable's value first. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2019-07-16 06:01:51 +08:00
buildah unshare --mount containerID sh -c 'cat ${containerID}/etc/os-release'
docs: add --setopt "*.countme=false" to dnf examples * Consistently use --releasever instead of --release in dnf examples * Remove trailing whitespace * Use --use-host-config --setopt "*.countme=false" when running dnf with an empty --installroot * Use Fedora 42 instead of Fedora 30 in examples * Block quote console examples in tutorials Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-06-10 22:33:20 +08:00
buildah unshare --mount root=containerID sh -c 'cat ${root}/etc/os-release'
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat
2019-02-27 23:29:09 +08:00
docs: add --setopt "*.countme=false" to dnf examples * Consistently use --releasever instead of --release in dnf examples * Remove trailing whitespace * Use --use-host-config --setopt "*.countme=false" when running dnf with an empty --installroot * Use Fedora 42 instead of Fedora 30 in examples * Block quote console examples in tutorials Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-06-10 22:33:20 +08:00
If you want to use buildah with a 'mount' command then you can create a script that looks something like:
```console
cat > buildah-script.sh << _EOF
#!/bin/bash
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat
2019-02-27 23:29:09 +08:00
ctr=$(buildah from scratch)
mnt=$(buildah mount $ctr)
docs: add --setopt "*.countme=false" to dnf examples * Consistently use --releasever instead of --release in dnf examples * Remove trailing whitespace * Use --use-host-config --setopt "*.countme=false" when running dnf with an empty --installroot * Use Fedora 42 instead of Fedora 30 in examples * Block quote console examples in tutorials Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-06-10 22:33:20 +08:00
dnf -y install --installroot=$mnt --use-host-config --setopt "*.countme=false" PACKAGES
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat
2019-02-27 23:29:09 +08:00
dnf -y clean all --installroot=$mnt
buildah config --entrypoint="/bin/PACKAGE" --env "FOO=BAR" $ctr
Update unshare man page to fix script example The example showing how to use unshare to mount a volume was no longer working. Updated to make it work. Fixes: #2218 Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
2020-03-14 05:41:38 +08:00
buildah commit $ctr imagename
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat
2019-02-27 23:29:09 +08:00
buildah unmount $ctr
_EOF
docs: add --setopt "*.countme=false" to dnf examples * Consistently use --releasever instead of --release in dnf examples * Remove trailing whitespace * Use --use-host-config --setopt "*.countme=false" when running dnf with an empty --installroot * Use Fedora 42 instead of Fedora 30 in examples * Block quote console examples in tutorials Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-06-10 22:33:20 +08:00
chmod +x buildah-script.sh
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat
2019-02-27 23:29:09 +08:00
```
Then execute it with:
docs: add --setopt "*.countme=false" to dnf examples * Consistently use --releasever instead of --release in dnf examples * Remove trailing whitespace * Use --use-host-config --setopt "*.countme=false" when running dnf with an empty --installroot * Use Fedora 42 instead of Fedora 30 in examples * Block quote console examples in tutorials Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-06-10 22:33:20 +08:00
```console
buildah unshare ./buildah-script.sh
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat
2019-02-27 23:29:09 +08:00
```
main: if unprivileged, reexec in a user namespace If our CLI is invoked as an unprivileged user (uid != 0), * create a namespace using our own UID and GID as "0" followed by the ranges matching our name and our primary group's name that we find in /etc/subuid and /etc/subgid (the latter by way of using newuidmap and newgidmap) * re-exec ourselves inside of that user namespace, prepending global CLI arguments that: * override the driver from storage.conf with "vfs" * override the storage root from storage.conf with a "containers/storage" subdirectory of $XDG_DATA_HOME, or $HOME/.local/share. * override the storage runroot from storage.conf with either "$XDG_RUNTIME_DIR/run" or "/var/run/user/$uid/run" * set default ID mapping settings to map all of the ranges matching our name and our primary group's name that we found in /etc/subuid and /etc/subgid * can still be overridden using the command line Add a "buildah unshare" CLI that will start an arbitrary command in the first namespace, so that manual cleanup of locations used by the second namespace will be possible. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #823 Approved by: rhatdan
2018-06-15 03:42:33 +08:00
## SEE ALSO
fix unshare option handling and documentation buildah unshare ls -l was blowing up. This is fixed by this PR. Also added more documentation on use cases of `buildah unshare` Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1375 Approved by: TomSweeneyRedHat
2019-02-27 23:29:09 +08:00
buildah(1), buildah-mount(1), namespaces(7), newuidmap(1), newgidmap(1), user\_namespaces(7)