Mounting volumes to rootless container

[b3n3w]

Hi there,

we're currently switching completely from docker to podman and furthermore to rootless containers. However we having troubles to build, more especially, to test our services on jenkins with rootless podman.

In my Dockerfiles i create a new user with id 6000 and group id 6000, which is intended to run the service as rootless user afterwards. For this i install necessary packages as root and later on switch to the user and its working directory. So far so good.
When running the unit tests, i have to mount the source code directory to the container, which is owned by a different user (id 900).

How can i make sure that the inside user (6000) has full write permissions to the volume , without overriding the permissions of the hostsystem ?

i tried it already with:

• podman unshare chown -R 6000:6000 ./src -> results into overriding the permissions on host

• userns=keep-id -> new user inside of container can access the volume correctly, but doesn't have access to the installed packages for user 6000 defined in Dockerfile.

• root -> works but no. :)

Thanks for all your help !

Dockerfile example:

FROM centos:7

ARG USER_NAME=rootless
ARG GROUP_UID=60000
ARG USER_UID=60000
ENV PATH="/opt/rh/rh-redis5/root/usr/bin:/opt/conda/bin:/home/${USER_NAME}/.local/bin:${PATH}"\
    LD_LIBRARY_PATH="/usr/local/lib:${LD_LIBRARY_PATH}"

RUN yum -y update && \
    echo -e "[mongodb-org-4.4]\nname=MongoDB Repository\nbaseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/4.4/x86_64/\ngpgcheck=1\nenabled=1\ngpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc" > /etc/yum.repos.d/mongodb.repo && \
    yum -y install mongodb-org java-11-openjdk gcc gcc-c++ nc net-tools && \
    yum clean all && \
 	rm -rf /var/cache/yum && \
    mkdir -p /data/db && chmod 777 /data/db

RUN groupadd -o -g ${GROUP_UID} ${GROUP_NAME} && \
    mkdir -p /home/${USER_NAME} && \
    useradd -d /home/${USER_NAME} -o -l -u ${USER_UID} -s /bin/bash -g ${GROUP_UID} ${USER_NAME} && \
    usermod -aG ${GROUP_NAME} ${USER_NAME} && \
    usermod -aG mongod ${USER_NAME} && \
    usermod -aG redis ${USER_NAME} && \
    usermod -aG wheel ${USER_NAME} && \
    chown ${USER_UID}:${GROUP_UID} /home/${USER_NAME} && \

WORKDIR /home/${USER_NAME}

RUN curl -Ls https://repo.continuum.io/miniconda/Miniconda3-py37_4.10.3-Linux-x86_64.sh -o /tmp/miniconda.sh && \
    /bin/bash /tmp/miniconda.sh -b -p /opt/conda && \
    rm /tmp/miniconda.sh && \
    echo ". /opt/conda/etc/profile.d/conda.sh" >> /home/${USER_NAME}/.bashrc && \
    echo "conda activate base" >> /home/${USER_NAME}/.bashrc && \
    conda clean --all && \
    pip install -q --no-cache-dir --upgrade pip

RUN chown -R ${USER_NAME}:${GROUP_NAME} /opt/conda && \
    chmod -R g+x /opt/conda/bin


LABEL org.label-schema.name="${PROJECT_NAME}"

USER ${USER_NAME}

WORKDIR /app-test

COPY --chown=${USER_UID}:${GROUP_UID} entrypoint.sh /
RUN chmod +x /entrypoint.sh

COPY test_requirements.txt .

RUN pip install --user --upgrade pip && \
    pip install --user --no-warn-script-location -r test_requirements.txt

RUN source /home/${USER_NAME}/.bashrc && conda activate py38 && \
 	 python3.8 -mpip install --user --no-warn-script-location -r test_requirements.txt && \
 	 python3.8 -mpip install --user --force-reinstall mypy==0.942 && \
 	 python3.8 -mpip install --user types-PyYAML  && \
 	 python3.8 -mpip install --user types-requests  && \
 	 python3.8 -mpip install --user types-six  && \
 	 python3.8 -mpip install --user types-python-dateutil
     
RUN source /home/${USER_NAME}/.bashrc && conda activate pypy && \
 	pypy -mpip install --user --upgrade pip && \
 	pypy -mpip install --user --upgrade setuptools && \
 	grep -v -e '^mypy' -e '^#' -e '^[\sp]*$' test_requirements.txt | tr -d ' ' | \
 	xargs pypy -mpip install --user --no-warn-script-location

ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]

podman run command:

  podman run -i --rm \
      --name "${PROJECT_NAME}-${NOW}" \
      --network host \
      -v "$(pwd)":/app-test:Z \
      -v "$(pwd)"/docker/make/entrypoint.sh:/entrypoint.sh:Z \
      "${MAKE_IMAGE_NAME}" "$@"

[eriksjolund]

If you want to map UID 900 on the host to the UID 6000 in the container, you could use --uidmap.
You might want to use --gidmap to map the GID values too.

There are two related tips in troubleshooting.md:

• https://github.com/containers/podman/blob/main/troubleshooting.md#33-container-creates-a-file-that-is-not-owned-by-the-users-regular-uid

• https://github.com/containers/podman/blob/main/troubleshooting.md#34-passed-in-devices-or-files-cant-be-accessed-in-rootless-container-uidgid-mapping-problem

(Both of them are just variations of the same problem)

Edit 1:

I assumed that UID 900 is either the UID of your regular user or one of the subordinate UIDs of your regular user on the host.
If that is not the case, you would need to give one of your UIDs (regular or subuids) write permissions with (setfacl or maybe chmod combined with a specific group). That would be needed in addition to the --uidmap tip above.

Edit 2:

I noticed that the Dockerfile contains the number 60000

ARG USER_UID=60000

but in the text there is a command using the number 6000

podman unshare chown -R 6000:6000 ./src

Those numbers differ (60000 > 6000).
Maybe a typo?

[b3n3w]

Hi,
thanks for the reply. I've tested your recommendations, but it didn't resolved the problem.
With uidmap and gidmap the container is running by a different id as the before defined uid 60000.
Therefore the user is not able to access multiple directories which are owned by the user id 60000 inside the container.

Yes i had an typo in the unshare command. But its still the same problem, the host user cannot access the files afterwards.

Here a simple example what i'am trying to do:

• create container by podman build
• run container with mounted volume $(pwd)
• run linting inside the container as user 60000 and store results to mounted volume path
• stop container
• access results from outside

[mheon]

Is UID/GID 60000 the user that is trying to run rootless Podman, or a separate/unrelated UID/GID? If it's the latter, this probably won't work. Podman only has access to the UID/GID of the user running Podman and a limited set of additional UIDs and GIDs granted by /etc/subuid and /etc/subgid - UIDs and GIDs not included in those two sources cannot be added to a rootless container.

[b3n3w]

Is UID/GID 60000 the user that is trying to run rootless Podman, or a separate/unrelated UID/GID? If it's the latter, this probably won't work. Podman only has access to the UID/GID of the user running Podman and a limited set of additional UIDs and GIDs granted by /etc/subuid and /etc/subgid - UIDs and GIDs not included in those two sources cannot be added to a rootless container.

Primarily i'm trying to run the everything inside the container by UID and GID 60000. This ID is defined and used inside the Dockerfile. As soon i want to mount a volume from the host machine, which is owned by the host user, the problem appears.
I found a kind of "workaround" by running the container with the parameters --userns=keep-id and -group-add $HOST_USER_GID and after that, giving the host user gid the correct permissions to the folder to mount.

But to be honest, this doesnt feel like a clean and correct solution...
Maybe i still missed something, but i tried almost everything of the recommendations

[rhatdan]

Did you try to mound with the :U option?