Closed evankanderson closed 9 months ago
Podman on MAC currently does not support chowning the container, because it is built on PLAN9 file system for volume support. Podman is moving to Apple Native virtualization, hopefully in the next release 4.8. Which uses virtiofsd for its volumes, and I believe this supports chowning of files.
You can futz around with the --userns flag on podman to set the default user of the container to match your host user, which should eliminate the chown.
‐‐userns=mode
Set the user namespace mode for the container. It defaults to the PODMAN_USERNS environment variable. An empty value ("")
means user namespaces are disabled unless an explicit mapping is set with the ‐‐uidmap and ‐‐gidmap options.
This option is incompatible with ‐‐gidmap, ‐‐uidmap, ‐‐subuidname and ‐‐subgidname.
Rootless user ‐‐userns=Key mappings:
┌─────────────────────────┬───────────┬───────────────────────────────────┐
│ Key │ Host User │ Container User │
├─────────────────────────┼───────────┼───────────────────────────────────┤
│ "" │ $UID │ 0 (Default User account mapped to │
│ │ │ root user in container.) │
├─────────────────────────┼───────────┼───────────────────────────────────┤
│ keep‐id │ $UID │ $UID (Map user account to same │
│ │ │ UID within container.) │
├─────────────────────────┼───────────┼───────────────────────────────────┤
│ keep‐id:uid=200,gid=210 │ $UID │ 200:210 (Map user account to │
│ │ │ specified UID, GID value within │
│ │ │ container.) │
├─────────────────────────┼───────────┼───────────────────────────────────┤
│ auto │ $UID │ nil (Host User UID is not mapped │
│ │ │ into container.) │
├─────────────────────────┼───────────┼───────────────────────────────────┤
│ nomap │ $UID │ nil (Host User UID is not mapped │
│ │ │ into container.) │
└─────────────────────────┴───────────┴───────────────────────────────────┘
@baude WDYT?
A friendly reminder that this issue had no activity for 30 days.
This is not MacOS-only issue, I think I am able to reproduce on Fedora 40:
$ podman run -v $HOME/neo4j/data:/data --entrypoint /bin/bash neo4j:latest -c "ls -lad /data; whoami"
drwxr-xr-x. 1 root root 0 Dec 9 11:52 /data
root
$ docker run -v $HOME/neo4j/data:/data --entrypoint /bin/bash neo4j:latest -c "ls -lad /data; whoami"
drwxr-xr-x. 1 1000 1000 0 Dec 9 11:52 /data
root
podman info
Docker is running a rootful container, while Podman is running a rootless container. In both cases the actual UID of the data directory is 1000, But in the podman case you are runing within a user namespace with UID 1000 mapped to UID 0, which is why it looks like the file is owned by root.
To see the same behaviour as Docker, you could run
$ sudo podman run -v $HOME/neo4j/data:/data --entrypoint /bin/bash neo4j:latest -c "ls -lad /data; whoami"
If you ran Docker in rootless mode, you would see the same thing.
To play with User namespace try
$ podman unshare
You will see all of the files owned by UID 1000 are now listed as owned by root.
Take a look at my book Podman in Action for full description of User Namespace.
Issue Description
On MacOS (at least), volume mounts appear to be owned by
root
when running containers (such as neo4j) which run as a non-root user and attempt to create/chown files.With
podman
:With
docker
:Two differences I notice:
podman
directory is owned bynogroup
rather than byroot
.podman
directory listing has a differenttotal
number of entries (0 vs 4)Steps to reproduce the issue
Steps to reproduce the issue
(See the issue description)
podman run -v $HOME/neo4j/data:/data neo4j:latest
podman
, but succeeds on Docker DesktopDescribe the results you received
Running under
podman
:Describe the results you expected
Running under
docker
:podman info output