search

containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0
23.27k stars 2.37k forks source link

Overlay volume mounts always owned by root #9947

Closed leoluk closed 3 years ago

leoluk commented 3 years ago

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Volumes mounted as overlayfs are always mounted as root, regardless of uid mapping.

Steps to reproduce the issue:

podman run --rm -v ~/.config:/config:O --security-opt=label=user:unconfined_u --userns=keep-id fedora:33 ls -lisa /

Describe the results you received:

5997247 4 drwx------.  69 root   root   4096 Apr  6 11:02 config

Describe the results you expected:

4194313 4 drwx------.  69 leopold leopold 4096 Apr  6 09:31 config

When mounting the volume as ro instead of O, the permissions are as expected.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

(plain Fedora 33 defaults)

 ~ $ podman version
Version:      3.0.1
API Version:  3.0.0
Go Version:   go1.15.8
Built:        Fri Feb 19 17:56:17 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

(plain Fedora 33 defaults)

 ~ $ podman info --debug
host:
  arch: amd64
  buildahVersion: 1.19.4
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.26-1.fc33.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.26, commit: 777074ecdb5e883b9bec233f3630c5e7fa37d521'
  cpus: 24
  distribution:
    distribution: fedora
    version: "33"
  eventLogger: journald
  hostname: leowork
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.10.12-200.fc33.x86_64
  linkmode: dynamic
  memFree: 2308755456
  memTotal: 67360276480
  ociRuntime:
    name: crun
    package: crun-0.18-5.fc33.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.18
      commit: 808420efe3dc2b44d6db9f1a3fac8361dde42a95
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.9-1.fc33.x86_64
    version: |-
      slirp4netns version 1.1.9
      commit: 4e37ea557562e0d7a64dc636eff156f64927335e
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 2358222848
  swapTotal: 4294963200
  uptime: 1408h 22m 16.27s (Approximately 58.67 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/leopold/.config/containers/storage.conf
  containerStore:
    number: 4
    paused: 0
    running: 0
    stopped: 4
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.4.0-1.fc33.x86_64
      Version: |-
        fusermount3 version: 3.9.3
        fuse-overlayfs: version 1.4
        FUSE library version 3.9.3
        using FUSE kernel interface version 7.31
  graphRoot: /home/leopold/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 30
  runRoot: /run/user/1000
  volumePath: /home/leopold/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 1613753777
  BuiltTime: Fri Feb 19 17:56:17 2021
  GitCommit: ""
  GoVersion: go1.15.8
  OsArch: linux/amd64
  Version: 3.0.1

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.0.1-1.fc33.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

No, only tested with the latest version in Fedora. 3.1.0 does not appear to be packaged yet.

Additional environment details (AWS, VirtualBox, physical, etc.):

github-actions[bot] commented 3 years ago

A friendly reminder that this issue had no activity for 30 days.