Closed lapseofreason closed 3 months ago
the container cannot run. You need to fix the permissions on the storage directory as you with chown.
An user in a user namespace doesn't gain the capability of accessing root owned directories.
@giuseppe Thanks for your reply!
What kind of permissions are you talking about? The user has access to the storage directory because he is member of the userdata
group and the permissions are set to g+rwx
. With his other group user
(his primary group) it works fine, even if the directory is owned by root
.
It also works if the parent directory is owned by the root user and group as long as there are o+rwx
permissions, so I don't see what the difference is there.
the rootless user loses access to its supplementary groups unless you specify --group-add=keep-groups
(be careful this is a crun-only feature)
I see, thanks for clarifying this, I was not aware of this.
I get a different error when I add this:
podman run --group-add userdata alpine ls
Error: looking up supplemental groups for container 4d965e2e15d9bc1bbff9cb2dc81d6cd8d9cc3fbf88639d116933665d33d8cc9e: Unable to find group userdata: no matching entries in group file
But I guess I need to check the docs what groupfile it is checking here, because /etc/group
has the group for the user.
Edit: Sorry, I figured it out, I need to use podman run --group-add keep-groups alpine ls
.
no, you need to use exactly --group-add=keep-groups
. keep-groups
has a specific meaning and it won't drop the current additional GIDs in the container (that means you cannot change groups inside the container to something else)
Running a container in rootless mode with podman fails if a parent directory is owned by a group that is not owned by the user or by the users main group.
For example, if the username is
user
with main groupuser
, then a directory with permissionsdrwxrwx---.
and ownershiproot userdata
as a parent path of the storage location leads to a failure to run any container, even ifuser
has the groupuserdata
.Steps to reproduce:
storage.conf
(in~/.config/containers/
:userdata
, adduser
to it and reboot.podman run alpine ls
Expected result:
The container is run successfully.
Actual result:
The following error is raised:
After running
chown root.user /tmp/podman-test/
, the container runs successfully.