Closed: goshansp closed this issue 10 months ago
Inching in on non-working:

[minion@rpi03 ~]$ systemctl --user start zigbee2mqtt.service
[minion@rpi03 ~]$ podman exec -it zigbee2mqtt /bin/sh
/app # ls -lsatr /dev/ttyACM0
0 crw-rw---- 1 nobody nobody 188, 0 Dec 1 08:54 /dev/ttyACM0

Working:

[minion@rpi03 ~]$ podman exec -it zigbee2mqtt /bin/sh
/app # ls -lsatr /dev/ttyACM0
0 crw-rw---- 1 nobody nobody 188, 0 Dec 1 09:00 /dev/ttyACM0

They both look the same ... why can it access one and not the other?
Non-working (started from systemd/.container):

uid=0(root) gid=0(root) groups=65534(nobody),0(root)

Working (started using podman run):

uid=0(root) gid=0(root) groups=65534(nobody),0(root)

Suspecting that run.oci.keep_original_groups=1 has different behaviours despite podman inspect looking the same in both scenarios.
On other systems both scenarios work. The cause of this issue seems to be on the system side.
After a reboot it is working.
Issue Description

A container started using podman run will behave differently than when it's started with seemingly the same parameters via systemd/.container. Background: I am passing run.oci.keep_original_groups=1 and hence passing the dialout group to the containers. When the container is started from systemd/.container it cannot access the shared device. If the container is started from podman run the device is accessible. Podman inspect seems to show no differences between the working and non-working scenario.

Diff Inspect

The parameters have been compared using podman inspect on both the working.txt (podman run ...) and the nok.txt started from systemd/.container. The resulting diff doesn't show an obvious difference to me: I fail to see any relevant difference between those two containers - one works, the other doesn't.
AutoRemove before I manage to have a look around inside of it. How can we get AutoRemove=false?

--group-add keep-groups and found that Annotation="run.oci.keep_original_groups=1" in .container is the equivalent. Leaving this here as a reference.

systemd/.container ?

Steps to reproduce the issue
Start a container that requires keep_original_groups with a .container file and try to access the device via said group.

Describe the results you received

Error message when starting via systemd:

Error: Error while opening serialport 'Error: Error: Permission denied, cannot open /dev/ttyACM0'

Describe the results you expected

Both the container started from podman run and the one started from .container/systemd should behave the same way and get access to the device.

podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details

setenforce 0 to get SELinux out of the way.
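The in-container `id` output above cannot tell the two cases apart: a host gid that is not mapped into the rootless user namespace always shows as 65534 (nobody), whether or not keep_original_groups actually carried the host dialout gid into the process. Reading /proc/PID/status from the host shows the gids in the host's view instead. The following is an added diagnostic (not from the issue or from podman), assuming podman, getent and /proc are available for the live check; the sample status texts and the dialout gid 18 are constructed.

```shell
#!/bin/sh
# Host-side check: does a rootless container's main process still carry the
# host "dialout" gid as a supplementary group after keep_original_groups?

# proc_groups_have STATUS_TEXT GID
# Returns 0 if the "Groups:" line of a /proc/<pid>/status body lists GID.
proc_groups_have() {
    status_text=$1
    want=$2
    # Real /proc files use a tab after "Groups:"; [[:space:]] covers both.
    groups_line=$(printf '%s\n' "$status_text" | sed -n 's/^Groups:[[:space:]]*//p')
    for g in $groups_line; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# container_has_host_group CONTAINER GROUPNAME
# Live check for a running container; needs podman and /proc (not called below).
# Return 2 means the lookup itself failed, 1 means the gid is missing.
container_has_host_group() {
    pid=$(podman inspect --format '{{.State.Pid}}' "$1") || return 2
    gid=$(getent group "$2" | cut -d: -f3)
    [ -n "$gid" ] || return 2
    proc_groups_have "$(cat /proc/"$pid"/status)" "$gid"
}

# Constructed samples: container root maps to host uid 1000; the first process
# kept the (constructed) host dialout gid 18, the second did not.
SAMPLE_OK='Name: node
Pid: 4242
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
Groups: 18 1000 '
SAMPLE_NOK='Name: node
Pid: 4243
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
Groups: 1000 '

if proc_groups_have "$SAMPLE_OK" 18; then
    echo "sample ok: host dialout gid 18 present in the process"
fi
if ! proc_groups_have "$SAMPLE_NOK" 18; then
    echo "sample nok: host dialout gid 18 missing, device open will fail"
fi
```

For a live container run `container_has_host_group zigbee2mqtt dialout` on the host for both the podman run and the systemd-started instance; a differing result there is the difference podman inspect does not show.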