Open JonahSussman opened 2 weeks ago
Adding a link related to some of the differences with permissions and root/rootless podman: https://www.tutorialworks.com/podman-rootless-volumes/
This post is likely to help as well: https://www.redhat.com/sysadmin/container-permission-denied-errors
I haven't had a chance to look at the links, but I'll just document what I've been doing:
I've been looking at running the containers individually, like
$ podman compose up kai_db
In one terminal and this beast in another
$ podman run -it -v "$(pwd):/podman_compose:z" --entrypoint /bin/bash --uidmap 1001:0:1 --uidmap 0:1:1000 --network=kai-jonah_default localhost/my_kai
(I can't figure out how to pass the uidmap arguments in podman compose)
It's doing... something alright. It's setting the owner of the /podman_compose directory to 1001 (the user in the container) in the container. But I'm still getting some weird errors with logs.
Adding the volume, specifically outlining logs with these flags, either doesn't work when booting or changes the owner to 1001 on the host machine too when running.
My hunch is that if we can get the user mapping right, then rootless podman should work.
I finally found a solution that works, but it's not ideal.
Rootless podman containers can run as any user id, which makes things tricky. If the user is root (uid 0) in the container, it gets mapped to your user on the host system. However, containers with other users (e.g. 123) will map to a uid on the host based on the subid offset range found in /etc/subuid
(e.g. 10123). ^1
Thus, this is what's happening:
podman compose up
as rootless podman.${PWD}/logs:/podman_compose/logs:rw,Z
passes the kai
directory to the container.root
inside the container.root
, so we get permission errors.podman unshare
The first solution I came up with is the simplest, but also the least ideal for extensibility. We can simply make the mapped user own the directory on the host with this command:
chown -R jonah:jonah logs
podman unshare -R 1001:0 logs
Podman unshare executes commands as the mapped user, setting the logs directory to be owned by user 1001. (Note, for some reason, the container's group id is 0, which is its own set of weirdness that I didn't dive into). podman compose up
works as expected.
This fixes the issue but also adds another layer of config that the end-user has to do. Plus, I'm not too sure if other containers can access the logs directory if we add more.
Open two terminals. In the first, run:
podman compose run kai_db
Wait for it to initialize, then in another terminal do:
[host] $ podman run -it -v "$(pwd):/podman_compose:z" --entrypoint /bin/bash --uidmap 1001:0:1 --uidmap 0:1:1000 --network=kai-jonah_default localhost/my_kai
[container] $ /usr/local/bin/entrypoint.sh
This also works. Something is going on with uid mapping that allows this to work. Unfortunately, I can't figure out how to pass this through into podman compose
. You can pass podman arguments to podman-compose
, ^3 but not to docker-compose
, which is most likely the default for most people.
There's something here about passing --userns
arguments instead ^4, but nothing seems to work.
This is expected behavior for podman when using rootless containers.. What you did with podman unshare is correct.
This is what happens when trying to run
compose up
for me. I thought using useZ
instead ofz
for the volumes in thecompose.yaml
fixed it, but that was a misnomer.I think that this is unrelated to SELinux, even though I'm running Fedora, as it's disabled on my machine: