Hi Guillaume,

On Sun, Dec 21, 2025 at 09:13:33PM +0100, Guillaume Tucker wrote:
> On 18/12/2025 1:49 pm, Guillaume Tucker wrote:
> > +User IDs
> > +========
> > +
> > +This is an area where the behaviour will vary slightly depending on the
> > +container runtime. The goal is to run commands as the user invoking the
> > tool.
> > +With Podman, a namespace is created to map the current user id to a
> > different
> > +one in the container (1000 by default). With Docker, while this is also
> > +possible with recent versions it requires a special feature to be enabled
> > in
> > +the daemon so it's not used here for simplicity. Instead, the container
> > is run
> > +with the current user id directly. In both cases, this will provide the
> > same
> > +file permissions for the kernel source tree mounted as a volume. The only
> > +difference is that when using Docker without a namespace, the user id may
> > not
> > +be the same as the default one set in the image.
> > +
> > +Say, we're using an image which sets up a default user with id 1000 and the
> > +current user calling the ``container`` tool has id 1234. The kernel source
> > +tree was checked out by this same user so the files belong to user 1234.
> > With
> > +Podman, the container will be running as user id 1000 with a mapping to id
> > 1234
> > +so that the files from the mounted volume appear to belong to id 1000
> > inside
> > +the container. With Docker and no namespace, the container will be running
> > +with user id 1234 which can access the files in the volume but not in the
> > user
> > +1000 home directory. This shouldn't be an issue when running commands
> > only in
> > +the kernel tree but it is worth highlighting here as it might matter for
> > +special corner cases.
>
> This part of the docs explains why things are a bit different between
> Podman and Docker. In both cases, it should "just work" from a user
> point of view - just with some special corner cases. Let me know if
> you think the documentation needs to be improved.
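Review bot: the Docker paragraph says a user namespace "requires a special feature to be enabled in the daemon" without naming it, and the section closes on unspecified "special corner cases"; name the daemon setting so a reader can check whether their daemon has it, and spell out the one concrete consequence the text already implies, namely that a Docker container run as uid 1234 cannot write anywhere that belongs to the image's default user 1000 (its home directory included), so tools that expect a writable home there will fail. Stating it that way also makes the difference explicit: with Podman the host uid sits behind a user namespace mapping, while with Docker as described the container process runs under the very same uid as the host user.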
Ah, I had missed that on my skim through the documentation, plus I did not have it side by side with the script while I was reviewing it.

> I may add a runtime check as a follow-up to detect if namespaces are
> enabled in Docker and if so use them, but to get started I wanted to
> keep things as simple as possible.

Yeah, I agree with keeping things simple up front.

Cheers,
Nathan
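The runtime check Guillaume mentions as a possible follow-up, sketched as an added example that is not part of the kernel ``container`` tool or of the patch under discussion. It takes the output of ``docker info --format '{{.SecurityOptions}}'`` as an argument so that it runs offline, looks for the ``name=userns`` entry that a daemon with user namespace remapping reports, and then picks the user mapping the docs describe: Podman keeps the host uid mapped onto the image user (1000 by default), Docker without a namespace runs with the host uid directly. The function names ``docker_userns_enabled`` and ``container_user_args``, the ``IMAGE_UID`` variable and the sample security-option strings are all assumptions made for this example; the Docker-with-namespace branch is deliberately left unhandled, since the thread only says such a check would be added later.

```shell
#!/bin/sh
# Added example: choose how the invoking user is mapped into the container,
# following the "User IDs" section quoted above. Not the project's own code.

IMAGE_UID=1000   # default user id set up in the image (value from the docs text)

# $1: output of `docker info --format '{{.SecurityOptions}}'`, passed in by the
# caller so this function needs no running daemon. Returns 0 when the daemon
# reports a user namespace ("name=userns"), 1 otherwise.
docker_userns_enabled() {
    case "$1" in
        *name=userns*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: runtime (podman|docker), $2: host uid, $3: host gid,
# $4: Docker security options (ignored for podman).
# Prints the user-mapping arguments to pass to `<runtime> run`.
container_user_args() {
    case "$1" in
        podman)
            # Host uid/gid appear as the image user inside the container, so
            # the mounted kernel tree shows up as owned by IMAGE_UID.
            printf '%s\n' "--userns=keep-id:uid=$IMAGE_UID,gid=$IMAGE_UID"
            ;;
        docker)
            if docker_userns_enabled "$4"; then
                # Daemon-side namespace present: the mapping it applies is not
                # covered by the docs yet, so refuse rather than guess.
                echo "docker user namespace enabled: mapping not handled here" >&2
                return 2
            fi
            # No namespace: run with the host uid so volume files match; this
            # uid may differ from the image's default user (the documented
            # corner case).
            printf '%s\n' "--user $2:$3"
            ;;
        *)
            echo "unsupported runtime: $1" >&2
            return 1
            ;;
    esac
}

# Example invocation (constructed), e.g. from a wrapper script:
#   container_user_args podman "$(id -u)" "$(id -g)" ""
#   container_user_args docker "$(id -u)" "$(id -g)" \
#       "$(docker info --format '{{.SecurityOptions}}')"
```

The sample security-option string used in the checks below mirrors the shape Docker prints (a bracketed, space-separated list of ``name=...`` entries), but is constructed for the example rather than captured from a real daemon.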

