Search code examples
podman

How can I solve a Permission denied error to a mounted volume when running a podman pod?


the following kube file is used for a mariadb pod within a Centos 8 VM with podman version 4.3.1:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    bind-mount-options:/home/myuser/mysql-data: Z
  labels:
    app: mariadb-local
  name: MARIADB-local
spec:

  containers:
    - args:
        - mariadbd
      image: docker.io/library/mariadb:10.10
      name: mariadb
      ports:
        - containerPort: 3306
          hostPort: 3306
      resources: {}
      envFrom:
        - configMapRef:
            name: maria-local-config
      securityContext:
        capabilities:
          drop:
            - CAP_MKNOD
            - CAP_NET_RAW
            - CAP_AUDIT_WRITE
      tty: true
      volumeMounts:
        - name: database-volume
          mountPath: /var/lib/mysql

  restartPolicy: Never

  volumes:
    - hostPath:
        path: /home/myuser/mysql-data
        type: Directory
      name: database-volume

The file was generated from podman from a running pod and the mounting to the data directory was added. Within the original file there is another container with an application that is accessing the database but for local development I only need the database container.

If I try to start the pod it is not working as expected and I get the following error message:

Entrypoint script for MariaDB Server 1:10.10.3+maria~ubu2204 started. 
find: ‘/var/lib/mysql/’: Permission denied

The file permissions on the host system are the following:

drwxrwxrwx. 7  100998  100998 4096  mysql-data

It seems that the volume mount is not working properly because of a permission problem. According to this documentation the pod should run as myuser with id 1000. But

podman top -l user,huser

gives me

USER        HUSER
mysql       100998

How can I change the namespace to myuser in the pod file? That user is the owner of the directory and should have all the rights needed. I would expect that the HUSER would be the user that also started the pod (myuser) but that doesn't seem to be that case.

I can make the pod run if I use setenforce 0 but that should not be a permanent solution.


Solution

  • The simplest solution is to used a named volume rather than bind-mounting a host path. When you use a named volume, the volume inherits the ownership and permissions of the underlying mountpoint.

    The following configuration runs without errors:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: maria-local-config
    data:
      MARIADB_ROOT_PASSWORD: secret
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        bind-mount-options:/home/myuser/mysql-data: Z
      labels:
        app: mariadb-local
      name: MARIADB-local
    spec:
    
      containers:
        - args:
            - mariadbd
          image: docker.io/library/mariadb:10.10
          name: mariadb
          ports:
            - containerPort: 3306
              hostPort: 3306
          resources: {}
          envFrom:
            - configMapRef:
                name: maria-local-config
          securityContext:
            capabilities:
              drop:
                - CAP_MKNOD
                - CAP_NET_RAW
                - CAP_AUDIT_WRITE
          tty: true
          volumeMounts:
            - name: database-volume
              mountPath: /var/lib/mysql
    
      restartPolicy: Never
    
      volumes:
        - name: database-volume
          persistentVolumeClaim:
            claimName: database-volume
    

    The above manifests:

    1. Create a pod (MARIADB-local)
    2. Create two containers (the -infra container, and MARIADB-local-mariadb)
    3. Populate the environment of the MARIADB-local-mariadb pod with the values from the data section of the maria-local-config ConfigMap