Open wgordon17 opened 3 months ago
Don't use --userns keep-id
when running as root unless you know what this means. So I suggest you first try without that. I am not sure if that is related or now but it certainly does not help.
Thanks @Luap99! It's a consequence of just blindly following suggestions in the Troubleshooting Guide, https://github.com/containers/podman/blob/main/troubleshooting.md#2-cant-use-volume-mount-get-permission-denied π
I tried again without --userns keep-id
, and no difference in output π
what is in that directory. Any chance there are files with unusual permissions or possibly read-only content?
So, the host directory, DSM_TESTING
, is initially completely empty. It was created for the purpose of this container. I'm literally just running mkdir DSM_TESTING
right before I run the podman run
command.
Are you on a MAC and running sudo podman?
@rhatdan That is accurate π Just throwing everything to the wall to see what sticks Β―\_(γ)_/Β―
Most likely what is happening is a UID is attempting to be stored on the MAC that is not the users UID. Looks etc/shadow is the culprit.
Looking at the file directory when created by docker
, I'm seeing
---------- 1 wgordon staff 0B Jun 17 11:23 shadow
Which seems to be fine?
I did also attempt an explicit --userns keep-id:uid=501,gid=20
previously (where 501 matches UID wgordon
, and 20 matches GID staff
). I didn't make any difference Β―\_(γ)_/Β―
That means that nobody (not even the owner) has access to the file. Only a process with CAP_DAC_OVERRIDE on linux (or typically root) can access such a file. Podman machine always runs as user on the macos host so it would not have permissions to use such file on the host system I would assume. You can try to read/write this file as you macos user it will not work only as root it can work there.
Therefore I don't really see how this could work with podman machine. You could try it without a host mapped volume.
Could you try this with vfkit and virtiofsd, if you are continuing to use qemu for the podman machine?
Whatever you do inside the VM shouldn't matter, this can be trivially reproduced by just using podman machine ssh
, then change to a mounted volume, i.e. cd /Users/<username>/
.
core@localhost:/Users/paul$ touch test
core@localhost:/Users/paul$ chmod 0000 test
core@localhost:/Users/paul$ ls test
test
core@localhost:/Users/paul$ ls -l test
ls: test: Permission denied
----------. 1 core core 0 Jun 26 11:15 test
core@localhost:/Users/paul$ cat test
cat: test: Permission denied
core@localhost:/Users/paul$ sudo cat test
cat: test: Permission denied
Only on the macOS host you can successfully read/write the file with sudo. And because we launch the VM with user privs I don't assume the viriofs endpoint on the host is not run as root thus it logically cannot read such a file which means no one in the VM can use this file.
Only on the macOS host you can successfully read/write the file with sudo. And because we launch the VM with user privs I don't assume the viriofs endpoint on the host is not run as root thus it logically cannot read such a file which means no one in the VM can use this file.
Do you have any concrete suggestions on something I could do to overcome this issue? Or is using docker
my only solution for now?
Do not use a host volume mount point for the extraction.
Issue Description
I've read through everything in the Troubleshooting Guide to no avail π
I'm trying to launch a Virtual Synology DSM image, which uses some containerized virtual machine voodoo π by running Qemu in a container, and then using Qemu to manage the DSM VM. It certainly isn't pretty, but it works just fine with
Docker
.Steps to reproduce the issue
Steps to reproduce the issue
rootful
podman
mkdir DSM_TESTING
sudo podman run -it --rm -p 5001:5000 -p 2222:22 -v $PWD/DSM_TESTING:/storage:Z --userns keep-id --security-opt label=disable --privileged --cap-add NET_ADMIN -e ALLOCATE=N --stop-timeout 120 vdsm/virtual-dsm
Describe the results you received
This is the output of
podman
The specific error message seems to be coming from
tar: etc.defaults/shadow: Cannot open: Permission denied
Describe the results you expected
But everything succeeds with
docker
podman info output
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
Yes
Additional environment details
Running on Apple M1 Pro, Sonoma 14.5
Additional information
Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting