Open eriksjolund opened 6 days ago
Issue Description

On https://docs.podman.io/en/latest/markdown/podman-run.1.html under the section "Options specific to bind and glob:" there is the text

idmap: true or false (default if unspecified: false). If true, create an idmapped mount to the target user namespace in the container.

Here is the relevant markdown source:

The behaviour of podman run does not match the documentation. Instead podman run shows this behaviour:

idmap
idmap=true

Steps to reproduce the issue

1. sudo -i

2. test.bash:

```bash
#!/bin/bash
set -o errexit
set -o nounset
dir=$(mktemp -d)
chmod 777 "$dir"
option=$1   # the mount option under test, e.g. "idmap" or "idmap=true"
podman run --rm \
  --userns auto \
  --user 1000:1000 \
  --mount "type=bind,source=${dir},destination=/vol,Z=true,${option}" \
  docker.io/library/alpine touch /vol/file
ls -ln "$dir/file"   # show the numeric owner of the file as seen on the host
```

3. bash test.bash idmap=true

The following output is printed

Error: unknown option "true"

4. bash test.bash idmap

The following output is printed

-rw-r--r--. 1 1000 1000 0 Oct 12 21:09 /tmp/tmp.dRdruZ0jI3/file

Describe the results you received

Step 3 fails.

Describe the results you expected

I would have expected Step 3 to succeed and print something similar to what is printed in Step 4.
Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

Yes

Additional environment details

Fedora CoreOS 41.20241006.1.1

Additional information

An example of this bug:
https://github.com/containers/podman/discussions/22535#discussion-6581853
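The following is an added example, not part of the issue or of podman itself. It shows two offline checks around the behaviour reported above: rewriting the documented `idmap=true` spelling into the bare `idmap` token that podman actually accepts, and parsing an `ls -ln` line like the one in step 4 to confirm the file on the host is owned by the uid:gid the container process ran as, which is what a working idmapped mount should leave behind. The function names and the sample inputs are constructed for this example.

```shell
# Added example, not part of the issue or of podman. Two offline checks:
#   - normalize_idmap_opt: rewrite the documented "idmap=true" spelling into
#     the bare "idmap" token that podman accepts, and drop "idmap=false"
#     (the documented default, i.e. no idmapped mount).
#   - owner_matches: parse one line of "ls -ln" output (as in step 4) and
#     confirm the file is owned by the uid:gid the container process ran as.

normalize_idmap_opt() {
  # $1: the comma-separated --mount option string; prints the rewritten string.
  out=""
  rest="$1,"                      # trailing comma makes the loop uniform
  while [ -n "$rest" ]; do
    part=${rest%%,*}
    rest=${rest#*,}
    case "$part" in
      idmap=true)  part=idmap ;;  # accepted spelling
      idmap=false) continue ;;    # default behaviour: omit the option
    esac
    out="${out:+$out,}$part"
  done
  printf '%s' "$out"
}

owner_matches() {
  # $1: one "ls -ln" line; $2: expected "uid:gid".
  # ls -ln columns: mode, link count, numeric uid, numeric gid, size, ...
  expected=$2
  set -- $1                       # split the line into its fields
  [ "$#" -ge 4 ] && [ "$3:$4" = "$expected" ]
}

# Constructed sample input: the option string test.bash builds with
# "idmap=true", and the ls -ln line printed in step 4 of the report.
sample_opts='type=bind,source=/tmp/tmp.dRdruZ0jI3,destination=/vol,Z=true,idmap=true'
sample_ls='-rw-r--r--. 1 1000 1000 0 Oct 12 21:09 /tmp/tmp.dRdruZ0jI3/file'

printf 'podman-accepted form: %s\n' "$(normalize_idmap_opt "$sample_opts")"
if owner_matches "$sample_ls" 1000:1000; then
  echo "idmapped mount applied: file owned by container uid:gid on the host"
else
  echo "ownership differs from the container uid:gid; mapping not applied"
fi
```

Without an idmapped mount the host would typically show a subordinate uid from the `--userns auto` range instead of 1000, which the ownership check reports as a mismatch.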
It is a documentation issue; we need to fix the documentation to describe the podman behavior.
Would you mind opening a PR to fix it with what you've already found?
Ok, I'll give it a try.