When zddc-server runs inside a Kubernetes pod and shells out to `podman run`, the inner podman tries to set up its own user namespace via /usr/bin/newuidmap. The mapping fails inside the pod's namespace even with `privileged: true`:

```
newuidmap: write to uid_map failed: Invalid argument
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1
```

Adding `--userns=host` to the inner `podman run` tells it to reuse the caller's user namespace instead of creating a new one — newuidmap isn't invoked. The chart already runs the pod privileged, so reusing its userns adds no new privilege; `--cap-drop=ALL` + `--network=none` + `--read-only` + `--tmpfs` continue to isolate the inner container.

On a bare-metal host invocation, `--userns=host` means "no userns remapping at all", which is the default for rootful podman and works identically to the prior behavior — the bitnest test setup and any laptop dev runs are unaffected.

Smoke-tested locally with the exact flag set: pandoc/latex:latest in a `--userns=host --read-only` container produces valid HTML from `# Hello world` on stdin.