Closed flabatut closed 3 months ago
A friendly reminder that this issue had no activity for 30 days.
@umohnani8 or @ygalblum PTAL
For reference, problem solved, thanks to @rhatdan's meaningful comment :)

Setting the `:U` option on the volume's `mountPath` lets podman know how to correlate the userns's idmap and the volume content's permissions:

```yaml
volumeMounts:
- name: "test"
  mountPath: /test:U
```
Afterwards, the problem is no longer reproducible; no post-actions are needed at host level to fix up the content's ownership:
```console
# podman exec -it test-test stat /test/readme.txt
  File: /test/readme.txt
  Size: 11 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 18607005 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2024-06-28 06:18:43.427719744 +0000
Modify: 2024-06-28 06:18:36.193222163 +0000
Change: 2024-06-28 06:18:36.661254353 +0000
# podman exec -it test-test cat /test/readme.txt
lorem ipsum
# podman exec -it test-test chmod 666 /test/readme.txt
# echo $?
0
# podman exec -it test-test chown root:root /test/readme.txt
# echo $?
0
```
### Issue Description

I'm using `podman kube play` to create a pod and associated volume, made from a configmap (or a secret) resource. I run this pod, as `root`, using `--userns=auto` mode. Whenever such volume is created: `_data` folder is owned by one of the subordinate uid/gid tied with `containers` account. `_data`, are owned by `root`, executing `podman`.

Whenever my volume is declared with restrictive permissions for `others`, using `defaultMode`: I'm no longer able to consume the volume's content from a container standpoint; the lack of permissions prevents any access/modification.
### Steps to reproduce the issue

run podman kube play:

```console
podman volume inspect test
```

```console
podman exec -it test-test cat /test/readme.txt
cat: can't open '/test/readme.txt': Permission denied
podman exec -it test-test chmod 666 /test/readme.txt
chmod: /test/readme.txt: Operation not permitted
podman exec -it test-test chown root:root /test/readme.txt
chown: /test/readme.txt: Operation not permitted
```
### Podman in a container

No

### Privileged Or Rootless

Privileged

### Upstream Latest Release

Yes

### Additional environment details

running on raspberry pi4, no virtualization
### Additional information

`defaultMode` configured

`defaultMode` not declared AND umask provides at least read access to `others`

`defaultMode` (https://github.com/containers/podman/issues/19313)

`--userns=auto` or `--userns=auto:uidmapping=0:100000:65536,gidmapping=0:100000:65536`
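Added example (my own code, not from the issue or from podman): a small model of why the volume content was unreadable under `--userns=auto` and what the `:U` mount option changes. It assumes the `0:100000:65536` uid/gid mapping quoted above (container id : host id : count), a file created on the host by `root` with a restrictive `defaultMode`, the kernel rule that root inside a user namespace may override file permissions only for files whose owner and group are both mapped into that namespace, and the documented `:U` behaviour of chowning the volume content to the host ids backing the container user; the functions are a simplification, not podman's internals.

```python
import stat
from typing import Optional

IdMap = list[tuple[int, int, int]]  # (container_start, host_start, count)

def parse_idmap(spec: str) -> IdMap:
    """Parse podman's 'c:h:n[,c:h:n]' mapping syntax, e.g. '0:100000:65536'."""
    ranges = []
    for part in spec.split(","):
        c, h, n = (int(x) for x in part.split(":"))
        ranges.append((c, h, n))
    return ranges

def host_to_container(hid: int, idmap: IdMap) -> Optional[int]:
    """Id a host-owned file shows inside the userns; None if unmapped (nobody)."""
    for c, h, n in idmap:
        if h <= hid < h + n:
            return c + (hid - h)
    return None

def container_to_host(cid: int, idmap: IdMap) -> Optional[int]:
    """Host id backing a container id; None if the container id is unmapped."""
    for c, h, n in idmap:
        if c <= cid < c + n:
            return h + (cid - c)
    return None

def u_option_owner(cuid: int, cgid: int, uidmap: IdMap, gidmap: IdMap):
    """Host uid/gid that a ':U' mount chowns the volume content to, so the
    container user becomes the owner (assumed simplification of that chown)."""
    return container_to_host(cuid, uidmap), container_to_host(cgid, gidmap)

def can_read(file_uid: int, file_gid: int, mode: int,
             cuid: int, cgid: int, uidmap: IdMap, gidmap: IdMap) -> bool:
    """Simplified DAC read check for a process (cuid/cgid) inside the userns.

    file_uid/file_gid are host ids. Root in the userns gets CAP_DAC_OVERRIDE
    only when both ids are mapped; a host-root-owned file is not, so it falls
    through to the 'others' bits (the 'Permission denied' seen in the issue).
    """
    owner = host_to_container(file_uid, uidmap)
    group = host_to_container(file_gid, gidmap)
    if cuid == 0 and owner is not None and group is not None:
        return True
    if owner == cuid:
        return bool(mode & stat.S_IRUSR)
    if group == cgid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)
```

With the issue's mapping, a host-root file at mode 0600 is unreadable by container root, a 0644 file is readable only through its `others` bits, and after `:U` rewrites the owner to host uid 100000 the container's root owns it.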