
Unable to mount a local directory into JupyterLab - podman ownership of mounted volumes is root


I am trying to run the Data Science JupyterLab in Podman and I am having trouble with the volume's permissions once mounted. I would like to persist all my notebooks on external storage so I do not lose my work if the container is lost.

The container requires running as a specific user (jovyan), but the files when mounted are owned by root:root. The only way I can get it to work is if I make everything with permissions 777.

ENVIRONMENT DETAILS:

The command I am using to launch the notebook is:

podman run -it -p 10000:8888 -v "${PWD}/lab-files":/home/jovyan/work docker.io/jupyter/scipy-notebook:lab-3.3.0

The following snippet shows the different user/group settings for files that are mounted versus created from within the container.

[bryon@uni-dev ~]$ podman exec -it e68aeabbdad5 /bin/bash
(base) jovyan@e68aeabbdad5:~$ id
uid=1000(jovyan) gid=100(users) groups=100(users)

(base) jovyan@e68aeabbdad5:~$ cd work
(base) jovyan@e68aeabbdad5:~/work$
(base) jovyan@e68aeabbdad5:~/work$ touch aaa
(base) jovyan@e68aeabbdad5:~/work$ ls -las
total 3612
   4 drwxrwsrwx. 2 root   root     4096 Mar 16 09:14 .
   4 drwsrwsr-x  1 jovyan users    4096 Mar 16 08:06 ..
   0 -rw-r--r--  1 jovyan root        0 Mar 16 09:14 aaa
3604 -rw-rw-rw-. 1 root   root  3689150 Mar 16 06:15 data1.csv
(base) jovyan@e68aeabbdad5:~/work$ exit
[bryon@uni-dev ~]$

Notice the file aaa. I set sgid on the host directory so all files created are in the group "bryon" (or root in the container).

The following snippet shows the file/directory info from the host:

[bryon@uni-dev lab-files]$ ls -las
total 3612
   4 drwxrwsrwx.  2 bryon  bryon    4096 Mar 16 20:14 .
   4 drwx------. 17 bryon  bryon    4096 Mar 16 18:57 ..
   0 -rw-r--r--   1 100999 bryon       0 Mar 16 20:14 aaa
3604 -rw-rw-rw-.  1 bryon  bryon 3689150 Mar 16 17:15 data1.csv
[bryon@uni-dev lab-files]$

However, if I create a file from the Jupyter container and then edit it on the host, the permissions are changed to root:root and I can no longer access it in Jupyter.

Even trying to write this down is starting to get complex...

How should I set up Jupyter with Podman so I can manage the file ownership and groups in a way that lets them be edited from outside the container and inside the container?


Solution

  • Update 2022-09-11: --keep-id now supports specifying the container UID and container GID

    Podman now supports specifying the container UID and GID as options when using --keep-id. The functionality is currently not available in any released Podman version (only the main GitHub branch). See the PR https://github.com/containers/podman/pull/15389

    It should now be possible to specify --keep-id with options for UID and GID, instead of using --uidmap and --gidmap. It is easier to specify the mapping by using --keep-id. (The command-line will be shorter).

    Old answer (that is still relevant)

    With --uidmap and --gidmap it is possible to create a mapping from your regular user on the host to the jupyter user and the users group in the container. Files created in the container by jupyter:users will be owned by your regular user on the host.

    Here is a demo on a Fedora 35 computer with SELinux enabled:

    In a Bash shell run these commands

    mkdir lab-files
    podman pull -q docker.io/jupyter/scipy-notebook:lab-3.3.0
    uid=1000
    gid=100
    subuidSize=$(( $(podman info --format "{{ range .Host.IDMappings.UIDMap }}+{{.Size }}{{end }}" ) - 1 ))
    subgidSize=$(( $(podman info --format "{{ range .Host.IDMappings.GIDMap }}+{{.Size }}{{end }}" ) - 1 ))
    podman --log-level=debug run --rm --name test -it -p 10000:8888 \
       -v "${PWD}/lab-files":/home/jovyan/work:Z --user $uid:$gid \
       --uidmap $uid:0:1 --uidmap 0:1:$uid --uidmap $(($uid+1)):$(($uid+1)):$(($subuidSize-$uid)) \
       --gidmap $gid:0:1 --gidmap 0:1:$gid --gidmap $(($gid+1)):$(($gid+1)):$(($subgidSize-$gid)) \
       docker.io/jupyter/scipy-notebook:lab-3.3.0
    

    (In the command above the option --user $uid:$gid is used. Some containers want to start running as root and then change to be running as another UID. If that would be the case, use --user 0:0).

    In another Bash shell

    $ podman exec -ti test sh
    (base) jovyan@9f214321a3af:~$ id
    uid=1000(jovyan) gid=100(users) groups=100(users)
    (base) jovyan@4fdb1502837d:~$ ls -ld .
    drwxrwxr-x. 1 jovyan users 50 Apr  4 17:38 .
    (base) jovyan@4fdb1502837d:~$ ls -ld work
    drwxr-xr-x. 2 jovyan users 6 Apr  4 17:27 work
    (base) jovyan@4fdb1502837d:~$ echo hello > work/file.txt
    (base) jovyan@4fdb1502837d:~$ ls -l work/file.txt
    -rw-r--r--. 1 jovyan users 6 Apr  4 17:39 work/file.txt
    (base) jovyan@4fdb1502837d:~$ exit
    exit
    $ id
    uid=1006(erik) gid=1006(erik) groups=1006(erik) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    $ ls -l lab-files/
    total 4
    -rw-r--r--. 1 erik erik 6 Apr  4 20:39 file.txt
    $
    

    I wrote a troubleshooting tip about this in the Podman GitHub repository: https://github.com/containers/podman/blob/main/troubleshooting.md#34-passed-in-devices-or-files-cant-be-accessed-in-rootless-container-uidgid-mapping-problem
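As an added example, not code from the original answer or from the Podman project, the POSIX shell script below reproduces the ID arithmetic behind the two runs shown on this page: podman's default rootless mapping (container 0 is the host user, container n is the n-th subordinate ID) and the three --uidmap/--gidmap triples from the answer. It assumes a subordinate range starting at 100000 with 65536 entries (the usual useradd defaults; on a real host read them from /etc/subuid or the `podman info` command in the answer), and uses host uid 1006 and container uid 1000 from the answer's transcript as sample inputs. Under that assumption it explains the `100999` owner of `aaa` in the question's host listing (100000 + 1000 - 1) and the `erik erik` owner of `file.txt` after the remap, and it checks that a set of triples tiles the intermediate ID range with no gap or overlap, which podman would otherwise reject or leave partly unmapped.

```shell
#!/bin/sh
# Added example (not from the original answer): the ID arithmetic behind
# podman's default rootless mapping and the --uidmap/--gidmap triples above,
# so the ownership seen in the question and the answer can be checked offline.
# Assumptions, labelled: the host user's /etc/subuid range starts at
# SUBID_START and has SUBID_SIZE entries (100000 / 65536 are the usual
# defaults written by useradd). Container IDs 0..SUBID_SIZE are mapped.
SUBID_START=100000   # assumed first subordinate ID of the host user
SUBID_SIZE=65536     # assumed size of that range (the answer's subuidSize)

# Default rootless mapping: host UID that ends up owning a file written
# by container UID $2 when the host user is $1.
# Container 0 -> host user, container n>0 -> n-th subordinate ID.
default_to_host() {
    if [ "$2" -eq 0 ]; then echo "$1"; else echo $(( SUBID_START + $2 - 1 )); fi
}

# The answer's three triples, for "keep" ID $1 and range size $2, as
# container:intermediate:size (intermediate 0 = host user, n = n-th sub ID).
idmap_triples() {
    printf '%s:0:1 0:1:%s %s:%s:%s' "$1" "$1" $(( $1 + 1 )) $(( $1 + 1 )) $(( $2 - $1 ))
}

# Same triples as command-line arguments for flag $1 (--uidmap or --gidmap),
# keep ID $2 and range size $3.
idmap_args() {
    flag=$1; out=""
    for t in $(idmap_triples "$2" "$3"); do out="$out$flag $t "; done
    printf '%s' "${out% }"
}

# Intermediate ID assigned to container ID $2 by the triples for keep ID $1,
# or -1 if $2 is outside the mapped range 0..SUBID_SIZE.
remapped_intermediate() {
    if [ "$2" -eq "$1" ]; then echo 0
    elif [ "$2" -lt "$1" ]; then echo $(( $2 + 1 ))
    elif [ "$2" -le "$SUBID_SIZE" ]; then echo "$2"
    else printf '%s\n' -1
    fi
}

# Host UID owning a file written by container UID $3 under the remapped
# run, when the host user is $1 and the keep ID is $2 (-1 if unmapped).
remapped_to_host() {
    n=$(remapped_intermediate "$2" "$3")
    if [ "$n" -eq 0 ]; then echo "$1"
    elif [ "$n" -lt 0 ]; then printf '%s\n' -1
    else echo $(( SUBID_START + n - 1 ))
    fi
}

# Check that container:intermediate:size triples ($2...) tile the
# intermediate IDs 0..$1 with no gap and no overlap: podman rejects
# overlapping ranges, and a gap leaves IDs that map to nobody.
mapping_is_contiguous() {
    last=$1; shift; next=0
    for t in $(printf '%s\n' "$@" | sort -t: -k2,2n); do
        h=${t#*:}; h=${h%%:*}; n=${t##*:}
        [ "$h" -eq "$next" ] || return 1
        next=$(( h + n ))
    done
    [ "$next" -eq $(( last + 1 )) ]
}

# Stand-alone run: show the arguments and the two ownership results.
idmap_args --uidmap 1000 "$SUBID_SIZE"; echo
echo "default mapping, file from container uid 1000 -> host uid $(default_to_host 1006 1000)"
echo "remapped,        file from container uid 1000 -> host uid $(remapped_to_host 1006 1000 1000)"
```

Note that with the remap, container root (uid 0) lands on the first subordinate ID rather than on the host user, so a container that must start as root and drop to jovyan still writes files the host user cannot edit unless the answer's `--user 0:0` variant is used.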