Open wholtz opened 1 year ago
Have you tried adding an option like `--userns=keep-id:gid=$(stat -c '%g' .)` to map the user account in the container to the gid of the `$(pwd)` directory (or just hard-coding the gid instead of `$(stat -c '%g' .)`)?
Currently, this will not work. The ability to map file system groups into rootless user namespaces is dictated by the `/etc/subgid` configuration file, and this affects all container runtimes, not just `podman-hpc`. The `--userns=keep-id` setting specifies a specific mapping, but will only work when auxiliary groups are present in the `/etc/subgid` file.
We are currently looking at adding these entries to the config in the near future.
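An added pre-flight check, not code from this thread or from podman-hpc: it tests whether a host gid falls inside the subordinate-gid ranges `/etc/subgid` grants to a user, which is the condition the reply above says `--userns=keep-id:gid=<gid>` depends on. The subgid file contents and the user names are constructed for the demonstration.

```shell
#!/bin/sh
# Rootless podman can only map a host gid into the container's user
# namespace when that gid lies inside one of the user's ranges in
# /etc/subgid. Lines there have the form  name:start:count  and cover
# gids start .. start+count-1.
#
# Usage: gid_in_subgid <user> <gid> [subgid_file]
# Exit status 0 if the gid is mappable for that user, 1 otherwise.
gid_in_subgid() {
    sg_user=$1; sg_gid=$2; sg_file=${3:-/etc/subgid}
    awk -F: -v u="$sg_user" -v g="$sg_gid" '
        $1 == u && g >= $2 && g < $2 + $3 { found = 1; exit }
        END { exit found ? 0 : 1 }' "$sg_file" 2>/dev/null
}

# Constructed sample subgid file (not any real host's configuration).
SAMPLE_SUBGID=$(mktemp)
cat > "$SAMPLE_SUBGID" <<'EOF'
alice:100000:65536
bob:165536:65536
EOF

# Human-readable wrapper around the check, run against the sample file.
check_sample() {
    if gid_in_subgid "$1" "$2" "$SAMPLE_SUBGID"; then echo yes; else echo no; fi
}

# On a real host you would ask about the directory you intend to bind-mount:
#   gid_in_subgid "$(id -un)" "$(stat -c '%g' .)" && echo "mappable" || echo "not in /etc/subgid"
echo "alice 100000 -> $(check_sample alice 100000)"   # last gid of alice's range is 165535
echo "alice 165536 -> $(check_sample alice 165536)"   # first gid of bob's range, not alice's
```

A "no" here means the mapping request will fail regardless of the directory's permissions, so the host-side fix is the subgid entry, not a different `--userns` flag.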
OK, I think I understand why I mistakenly thought `--userns=keep-id:gid=$(stat -c '%g' .)` would work: I was in a directory that was readable by "everyone". However, its parent directory had more-restrictive permissions, and not everyone could traverse through the parent directory---which I suppose could be a reasonable workaround for this issue in some cases.
I expected that my host group membership would determine what bind-mounted files I can access from within the container. But it appears that files need to be accessible on the host by my host uid or everyone.