the following kube file is used for a mariadb pod within a Centos 8 VM with podman version 4.3.1:
apiVersion: v1
kind: Pod
metadata:
annotations:
bind-mount-options:/home/myuser/mysql-data: Z
labels:
app: mariadb-local
name: MARIADB-local
spec:
containers:
- args:
- mariadbd
image: docker.io/library/mariadb:10.10
name: mariadb
ports:
- containerPort: 3306
hostPort: 3306
resources: {}
envFrom:
- configMapRef:
name: maria-local-config
securityContext:
capabilities:
drop:
- CAP_MKNOD
- CAP_NET_RAW
- CAP_AUDIT_WRITE
tty: true
volumeMounts:
- name: database-volume
mountPath: /var/lib/mysql
restartPolicy: Never
volumes:
- hostPath:
path: /home/myuser/mysql-data
type: Directory
name: database-volume
The file was generated from podman from a running pod and the mounting to the data directory was added. Within the original file there is another container with an application that is accessing the database but for local development I only need the database container.
If I try to start the pod it is not working as expected and I get the following error message:
Entrypoint script for MariaDB Server 1:10.10.3+maria~ubu2204 started.
find: ‘/var/lib/mysql/’: Permission denied
The file permissions on the host system are the following:
drwxrwxrwx. 7 100998 100998 4096 mysql-data
It seems that the volume mount is not working properly because of a permission problem. According to this documentation the pod should run as myuser with id 1000. But
podman top -l user,huser
gives me
USER HUSER
mysql 100998
How can I change the namespace to myuser in the pod file? That user is the owner of the directory and should have all the rights needed. I would expect that the HUSER would be the user that also started the pod (myuser) but that doesn't seem to be that case.
I can make the pod run if I use setenforce 0 but that should not be a permanent solution.
The simplest solution is to used a named volume rather than bind-mounting a host path. When you use a named volume, the volume inherits the ownership and permissions of the underlying mountpoint.
The following configuration runs without errors:
apiVersion: v1
kind: ConfigMap
metadata:
name: maria-local-config
data:
MARIADB_ROOT_PASSWORD: secret
---
apiVersion: v1
kind: Pod
metadata:
annotations:
bind-mount-options:/home/myuser/mysql-data: Z
labels:
app: mariadb-local
name: MARIADB-local
spec:
containers:
- args:
- mariadbd
image: docker.io/library/mariadb:10.10
name: mariadb
ports:
- containerPort: 3306
hostPort: 3306
resources: {}
envFrom:
- configMapRef:
name: maria-local-config
securityContext:
capabilities:
drop:
- CAP_MKNOD
- CAP_NET_RAW
- CAP_AUDIT_WRITE
tty: true
volumeMounts:
- name: database-volume
mountPath: /var/lib/mysql
restartPolicy: Never
volumes:
- name: database-volume
persistentVolumeClaim:
claimName: database-volume
The above manifests:
MARIADB-local
)-infra
container, and MARIADB-local-mariadb
)MARIADB-local-mariadb
pod with the values from the data
section of the maria-local-config
ConfigMap