Date: Tue, 3 Mar 2026 17:16:03 +0100
From: Wolfgang Bumiller
To: Filip Schauer
Subject: Re: [PATCH container 7/8] implement per-mountpoint uid/gid mapping
CC: pve-devel@lists.proxmox.com

On Tue, Mar 03, 2026 at 02:59:11PM +0100, Filip Schauer wrote:
> On 27/02/2026 16:33, Wolfgang Bumiller wrote:
> > The pre-start hook gets a `$namespaces` hash passed as 3rd
> > parameter, we can just open the user namespace fd there for this
> > purpose.
>
> I just realized that this won't work. The pre-start hook cannot access
> the container's user namespace, since the container's init process
> wasn't even started yet.

We could see if a `start-host` hook applying the idmapping after the
fact could do the job, but I'm not a big fan of splitting the mounting
into phases like this.

>
> We could however still reuse the container namespace when hot-plugging.

Yeah, if we want to special case this.
Other than that, we could at least cache the namespaces somewhere via
bind mounts so we can reuse them in hotplugging, too, but that can be
added as a follow up as well, since that's rather the exception, not the
rule. For the regular setup code, simply caching the fds in a hash is
enough.