I am trying basically to run images on a RHEL 9 machine, keeping my own user (so using --userns=keep-id, which for huge images brings issues like #16541 but that's another story), but I don't wish these images to modify my $HOME (while still having my existing $HOME files available). It seems the overlay machinery is unable to create an overlay when the folder being bind mounted actually contains the internal podman storage files (so upper/lower/workdir/merged directories).
In other words, in a rootless configuration, this doesn't work:
[podman@11a9ab3e92cf ~]$ podman run -v "${HOME}:${HOME}:O" fedora
Error: OCI runtime error: crun: mount `/home/podman/.local/share/containers/storage/overlay-containers/f0cf1a3d50cd3a6ab58c81d98b69049b1cbc99e60ff2fce3c7e20f224cbb51d5/userdata/overlay/3517835219/merge` to `home/podman`: Invalid argument
But overlay bind-mounting any subfolder of $HOME which doesn't contain ${HOME}/.local/share is fine. For example this works fine:
[podman@11a9ab3e92cf ~]$ podman run -v "${HOME}/.config:${HOME}/.config:O" fedora
I was wondering if this is expected? In the end I would like to run something like:
and act "as if" my user inside the container was kind of the same as the user outside the container, but with no change of ${HOME} propagated back to my real ${HOME}.
Steps to reproduce the issue
Run such a container using a non-root user (and make sure your storage is the default one, inside $HOME):
[podman@11a9ab3e92cf ~]$ podman run -v "${HOME}:${HOME}:O" fedora
Describe the results you received
Error: OCI runtime error: crun: mount `/home/podman/.local/share/containers/storage/overlay-containers/f0cf1a3d50cd3a6ab58c81d98b69049b1cbc99e60ff2fce3c7e20f224cbb51d5/userdata/overlay/3517835219/merge` to `home/podman`: Invalid argument
Describe the results you expected
It should work without error.
podman info output
I tried the above in the `quay.io/podman/upstream` image started in `--privileged` mode. I also tried this on my RHEL 9 VM, which currently has podman 4.2.
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
Additional environment details
Additional information
Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting
PS: I have heard about toolbox (https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/) but I haven't tried it yet and I don't know if it does more or less what I am trying to do directly with podman.
Cheers, Romain
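A pre-flight check for the condition described in this report (the source of a `:O` volume containing podman's own storage directory), as an added example that is not part of the original issue or of podman. The function names are hypothetical, and the script assumes GNU `realpath` and that `podman info --format '{{.Store.GraphRoot}}'` reports the storage location.

```shell
#!/bin/sh
# Added example, not podman code. Function names are hypothetical.

# is_within PARENT CHILD: succeed when CHILD equals PARENT or lies beneath it.
# realpath -m (GNU coreutils) normalises paths that may not exist.
is_within() {
    parent=$(realpath -m -- "$1") || return 2
    child=$(realpath -m -- "$2") || return 2
    [ "$parent" = "/" ] && return 0
    # Compare with a trailing slash so /home/pod does not match /home/podman.
    case "$child/" in
        "$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# overlay_source_verdict SRC GRAPHROOT: print "overlaps" when the storage
# directory sits inside the overlay volume source, else "clear".
overlay_source_verdict() {
    if is_within "$1" "$2"; then
        echo overlaps
    else
        echo clear
    fi
}

# check_overlay_volume SRC [GRAPHROOT]: GRAPHROOT defaults to what podman reports.
check_overlay_volume() {
    src=$1
    graphroot=${2:-$(podman info --format '{{.Store.GraphRoot}}')} || return 2
    verdict=$(overlay_source_verdict "$src" "$graphroot")
    echo "$src: $verdict (storage at $graphroot)"
    [ "$verdict" = clear ]
}

# Run the check only when a path is given on the command line, e.g.
#   sh check.sh "$HOME"
if [ "$#" -gt 0 ]; then
    check_overlay_volume "$1"
fi
```

The script only reports whether the two paths overlap; it does not change any mount or storage configuration.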