NERSC / podman-hpc


Mounted filesystems not honoring group permissions from host #68

Open wholtz opened 1 year ago

wholtz commented 1 year ago
wjholtz@login21:/global/cfs/cdirs/m342/USA/shared-repos$ groups
wjholtz genome m342 m1541 openmsi gentech gtrnd metatlas c_pasteur m2650 spin-restricted rancher2_user c_msdata
wjholtz@login21:/global/cfs/cdirs/m342/USA/shared-repos$ ls -ld rna-count
drwxr-s--- 9 dapeters m342 16384 Apr 13 10:14 rna-count
wjholtz@login21:/global/cfs/cdirs/m342/USA/shared-repos$ ls -1 rna-count/ | wc -l
6
wjholtz@login21:/global/cfs/cdirs/m342/USA/shared-repos$ podman-hpc run --rm -it --volume $(pwd):$(pwd) -w $(pwd) -u 0:0 docker.io/library/debian:bullseye-slim ls rna-count
ls: cannot open directory 'rna-count': Permission denied
wjholtz@login21:/global/cfs/cdirs/m342/USA/shared-repos$ podman-hpc run --rm -it --volume $(pwd):$(pwd) -w $(pwd) docker.io/library/debian:bullseye-slim ls rna-count
ls: cannot open directory 'rna-count': Permission denied

I expected that my host group membership would determine what bind-mounted files I can access from within the container. But it appears that files need to be accessible on the host by my host uid or everyone.

nathanweeks commented 10 months ago

Have you tried adding an option like --userns=keep-id:gid=$(stat -c '%g' .) to map the user account in the container to the gid of the $(pwd) directory (or just hard-coding the gid instead of $(stat -c '%g' .))?

danfulton commented 10 months ago

> Have you tried adding an option like --userns=keep-id:gid=$(stat -c '%g' .) to map the user account in the container to the gid of the $(pwd) directory (or just hard-coding the gid instead of $(stat -c '%g' .))?

Currently, this will not work. The ability to map file system groups into rootless user namespaces is dictated by the /etc/subgid configuration file, and this affects all container runtimes, not just podman-hpc. The --userns=keep-id setting specifies a specific mapping, but will only work when auxiliary groups are present in the /etc/subgid file.

We are currently looking at adding these entries to the config in the near future.

nathanweeks commented 10 months ago

> > Have you tried adding an option like --userns=keep-id:gid=$(stat -c '%g' .) to map the user account in the container to the gid of the $(pwd) directory (or just hard-coding the gid instead of $(stat -c '%g' .))?
>
> Currently, this will not work. The ability to map file system groups into rootless user namespaces is dictated by the /etc/subgid configuration file, and this affects all container runtimes, not just podman-hpc. The --userns=keep-id setting specifies a specific mapping, but will only work when auxiliary groups are present in the /etc/subgid file.
>
> We are currently looking at adding these entries to the config in the near future.

OK, I think I understand why I mistakenly thought --userns=keep-id:gid=$(stat -c '%g' .) would work: I was in a directory that was readable by "everyone". However, its parent directory had more-restrictive permissions, and not everyone could traverse through the parent directory---which I suppose could be a reasonable workaround for this issue in some cases.
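The two conditions discussed in this thread can be checked on the host before launching a container: whether the bind-mounted directory's owning gid lies inside the caller's /etc/subgid range (otherwise --userns=keep-id:gid=<gid> has nothing to map it to), and whether every ancestor directory is traversable by "other" (the workaround noted above). The script below is an added example, not code from podman-hpc or from the commenters; it assumes GNU coreutils stat, and the /etc/subgid lines and gid values it ships with are constructed samples.

```shell
#!/bin/sh
# Added diagnostic (not part of podman-hpc). Assumes GNU coreutils stat (Linux).
# Constructed sample of /etc/subgid content ("name:start:count" per line).
SAMPLE_SUBGID='wjholtz:100000:65536
dapeters:165536:65536'

# gid_in_subgid USER GID   (reads subgid lines on stdin)
# Returns 0 if GID falls inside one of USER's subgid ranges, 1 otherwise.
gid_in_subgid() {
  u=$1; g=$2
  while IFS=: read -r name start count; do
    [ "$name" = "$u" ] || continue
    if [ "$g" -ge "$start" ] && [ "$g" -lt $((start + count)) ]; then
      return 0
    fi
  done
  return 1
}

# ancestors_traversable DIR
# Returns 0 if DIR and every parent grant "other" search (x) permission, so a
# process whose uid/gid match nothing on the path can still reach DIR.
ancestors_traversable() {
  p=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  while [ "$p" != / ]; do
    mode=$(stat -c %A "$p") || return 1
    # 10th character of the symbolic mode is the "other" execute bit (x or t)
    case "$mode" in ?????????[xt]*) ;; *) return 1 ;; esac
    p=$(dirname "$p")
  done
  return 0
}

# check_mount_dir USER DIR [SUBGID_FILE]: print a summary of both checks.
check_mount_dir() {
  user=$1; dir=$2; subgid=${3:-/etc/subgid}
  gid=$(stat -c %g "$dir") || return 1
  if gid_in_subgid "$user" "$gid" < "$subgid"; then
    echo "gid $gid is in $user's subgid range: --userns=keep-id:gid=$gid can map it"
  else
    echo "gid $gid is NOT in $user's subgid range: keep-id:gid=$gid cannot map it"
  fi
  if ancestors_traversable "$dir"; then
    echo "every ancestor of $dir is world-traversable"
  else
    echo "some ancestor of $dir denies 'other' search permission"
  fi
}
```

Run it as `check_mount_dir "$USER" "$(pwd)"` from the directory you intend to bind-mount; a "NOT in subgid range" result means the group mapping must be added to /etc/subgid by the site before keep-id:gid can help.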