Tags: permissions, podman, rootless

How to set mounted folder permission in podman


Abstract

When I mount a folder into my container and the path to the folder is not yet created on the client, podman will create it for me. I can set the permissions for the mounted folder on my host machine to match the container user, but the created path folders do not have the same permissions.

Steps to reproduce

For example, let's assume that in my image the home directory of the user is empty. Then I will do on my host:

$ mkdir foo
$ podman unshare chown 1000:100 foo
$ podman run -v $PWD/foo:/home/myuser/bar/foo:z [...] some/image:latest

which results in my container as follows:

~ # ls -la
drwxr-xr-t    3 root     root          4096 Jan 28 12:43 bar
~ # cd bar
~/bar # ls -la
drwxrwxr-x    2 1000     users         4096 Jan 28 12:42 foo
~/bar # 
  • is this behavior intentional?
  • is there a way to tell podman to create the path with the same permissions as the destination folder?

I can imagine a workaround, but it would be nice if I could specify it in the run command.

Use Case

In my case I try to run different Jupyter notebooks as disposable containers directly from docker.io. But I do want to share the user settings. The user-settings folder is not present when the container mounts the volumes. So podman will create them, but as root. So the jupyter user cannot access the folders created by podman and will fail.

  • I could create a Buildfile from the images and create the folders in the build phase. But I use different images all the time and I don't want to create a custom image for all my use cases.
  • I could mount the volume to the parent folder, but all kinds of different stuff gets stored there and I don't want to share this with all the different containers.
  • I could avoid disposing of the containers after the initial boot, but I don't know when I want to reuse this container, if at all...

Solution

  • Maybe it is possible to map the jupyter user to your user with the --uidmap command-line option?

    (untested)

    $ mkdir foo
    $ jupyterUID=1234  # Replace 1234 with the correct UID for the jupyter user
    # Three mappings: container 0..UID-1 -> intermediate 1..UID,
    # container UID -> intermediate 0 (your host user),
    # container UID+1..65535 -> the same intermediate IDs
    $ podman run -v $PWD/foo:/home/myuser/bar/foo:z [...] \
        --uidmap=0:1:$jupyterUID \
        --uidmap=$jupyterUID:0:1 \
        --uidmap=$((jupyterUID + 1)):$((jupyterUID + 1)):$((65536 - jupyterUID - 1)) \
        some/image:latest
    

    I think something like this is needed when the container starts as the container root user and then runs a program as another user. If that other user were to write files in a bind-mounted directory, the files would be owned by your normal user on the host. I don't know, though, if that is the case with your Jupyter container image.

    Edit 4 April 2022

    A related Stackoverflow answer that I wrote: https://stackoverflow.com/a/71741794/757777

    I also wrote a troubleshooting tip about using --uidmap and --gidmap in the Podman troubleshooting guide.
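The mapping arithmetic from the answer above, written out as an added example that is not part of the original issue and not Podman's own code. It is a POSIX sh function that builds the --uidmap (or --gidmap) triplets for an arbitrary container UID or GID, interpreted as the answer describes, relative to the intermediate namespace of rootless podman, where ID 0 is the user running podman. It adds the check a practitioner would want before handing the triplets to podman: the container-side ranges must cover 0..SIZE-1 exactly once, and the intermediate-side ranges must not overlap, because the kernel rejects overlapping ranges when uid_map/gid_map is written. The namespace size 65536, the container user 1000:100 and the image name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or from Podman itself.
# Builds --uidmap/--gidmap triplets (container_id:intermediate_id:length)
# that map one container UID/GID to the user running rootless podman
# (intermediate ID 0) and leave every other ID in the subuid/subgid range.

# idmap_args KIND ID [SIZE]
#   KIND is "uid" or "gid", ID the container UID/GID that should own files
#   on the host, SIZE the number of IDs in the namespace (assumed 65536).
# Prints the --KINDmap arguments on one line; fails if ID is out of range.
idmap_args() {
    kind=$1
    id=$2
    size=${3:-65536}
    if [ "$id" -ge "$size" ]; then
        echo "idmap_args: id $id is outside a namespace of size $size" >&2
        return 1
    fi
    if [ "$id" -eq 0 ]; then
        # Container root already maps to the host user: identity mapping.
        printf '%s' "--${kind}map=0:0:$size"
        return 0
    fi
    # container 0 .. id-1 -> intermediate 1 .. id
    # container id        -> intermediate 0 (the host user)
    out="--${kind}map=0:1:$id --${kind}map=$id:0:1"
    # container id+1 .. size-1 -> the same intermediate IDs (omitted when empty)
    rest=$((size - id - 1))
    [ "$rest" -gt 0 ] && out="$out --${kind}map=$((id + 1)):$((id + 1)):$rest"
    printf '%s' "$out"
}

# idmap_check SIZE ARG...
#   Returns 0 when the triplets cover container IDs 0..SIZE-1 exactly once
#   and the intermediate ranges do not overlap; returns 1 otherwise.
idmap_check() {
    size=$1
    shift
    maps=$(printf '%s\n' "$@" | sed 's/^--[ug]idmap=//')
    # Container side: sorted by start, each range must begin where the
    # previous one ended and the last must end at SIZE (no gaps, no overlaps).
    next=0
    for m in $(printf '%s\n' "$maps" | sort -t: -k1,1n); do
        c=${m%%:*}
        n=${m##*:}
        [ "$c" -eq "$next" ] || return 1
        next=$((c + n))
    done
    [ "$next" -eq "$size" ] || return 1
    # Intermediate side: sorted by start, gaps are fine but overlaps are not
    # (the kernel refuses to write a uid_map/gid_map with overlapping ranges).
    end=0
    for m in $(printf '%s\n' "$maps" | sort -t: -k2,2n); do
        h=${m#*:}
        h=${h%%:*}
        n=${m##*:}
        [ "$h" -ge "$end" ] || return 1
        end=$((h + n))
    done
    return 0
}

# Stand-alone demonstration with an assumed container user 1000:100 (the
# same IDs as the reporter's chown) and an assumed image name. The command
# is printed, not executed.
uidmaps=$(idmap_args uid 1000)
gidmaps=$(idmap_args gid 100)
if idmap_check 65536 $uidmaps && idmap_check 65536 $gidmaps; then
    echo "podman run -v \$PWD/foo:/home/myuser/bar/foo:z $uidmaps $gidmaps some/image:latest"
else
    echo "invalid id mapping" >&2
fi
```

Replace 1000 and 100 with the UID and primary GID of the user the image actually runs its process as; a --gidmap is needed as well as a --uidmap, otherwise files written by that user end up with the host user's UID but a subgid-range GID. The check function is deliberately strict on the container side, because a gap there leaves container IDs unmapped and any process running as one of them will see its files owned by nobody.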