Trying to mount nfs share into rootless container for user-data

[MagicTrevor]

I could use some guidance in regards to rootless podman and NFS shares to store user data only, not to run container images from.

I am probably grossly misunderstanding this, but I have an NFS share mounted in the host and am trying to mount that directory as a volume into a container and receive the following error:
Error: lsetxattr /mnt/mynfs/: operation not supported

-v /mnt/mynfs:/path/in/container:z

[rhatdan]

Don't add the :z. NFS directories sometimes do not support XATTRs. I think policy should allow this to work without the relabeling. NFS does support XATTRs but you need to configure the client and server to make it work.

https://www.thegeeksearch.com/how-to-configure-selinux-labeled-nfs-exports/

[rhatdan]

Great does not look like SELinux AVC messages about containers. Does the label=disable allow it to work?

[MagicTrevor]

It is mounted inside the container and the container root user can read/write but the actual app user cannot (since it's owned by root)

[rhatdan]

You would need to chown the file to match the user of the app
-v /SOURCE:/DEST:U might do what you need, this would tell Podman to chown the files to the correct permissions. Only problem would be NFS server would likely not allow a rootless user to chown the files.

Another option would be to setup group read/write on the files and then leak the group access into the container.

--group-add=keep-groups

[MagicTrevor]

I double checked the image and it never uses the USER to set www-data. Will those commands work in that case? Or is there a way to map that user to the podman user similar to root?

[MagicTrevor]

I added --group-add=keep-groups and I get this from id: uid=82(www-data) gid=82(www-data) groups=65534(nobody),65534(nobody),0(root). The directory still shows as owned by root.

Trying with -v /SOURCE:/DEST:U results in the following: Error: failed to chown recursively host path: lchown operation not permitted. I tried to sudo chown -R 100081:MyUser /SOURCE on the server side and that didn't seem to make a difference in the container for www-data either.

[rhatdan]

Since this is not an issue, I am moving it to a discussion.

[rhatdan]

If you become root on the system and then su to the UID used within the container, can you modify the content of /mnt/mynfs/? If this is owned by root then the permissions on the mynfs directory would need to be either world writable or group writable with the UID having membership in the group that can write to the directory.

[MagicTrevor]

I chmod'ed the mount on the system to 775 and the directory in the container appeared to be owned by www-data finally but the parent was still root:root so I re-chowned on the system itself to the 100081 user which fixed it in the container and now it can read and write! Thank you so much for the help!