-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
podman 5.3.1 unable to mount volume with an idmap. #24918
Comments
I think the
Side note: Some problems can also be solved by using:
which is pretty similar to
I compared the two in this reddit comment https://www.reddit.com/r/podman/comments/1dcj84b/comment/l7zuu25/ |
as i mentioned in additional information sudo doesnt change anything. keep-id:uid=${uid}... isnt going to solve this. first off I want the user mapped to root as normal due to launching systemd. I just want the volume translated differently. I've also tried various forms of --userns and --uidmap/--gidmap nothing works. Im suspecting kernel misconfig or something atm |
OK, here is another idea:
|
Alright, so using the volume create generates new directories with specific uid/gids. which is fine (and works, see below). but doesn't address the idmap option not working. correct me if i'm wrong. the idmap option is suppose to allow remapping of uid/gids of the volume on the host to specific uid/gids within the container. i.e. idmap=uids=994-1000-1 should present any file/directory owned by uid 1000 on the host as 994 within the container. this is exactly what I'm looking for but looks like there is a bug in podman handling this mapping.
documentation for idmap:
|
spent some time playing with mount inside the container, feel like I'm clearly missing something here =)
|
on my computer all the overlay permissions look correct:
looks correct, 1000999 maps to uid 1000 which is ubuntu:
I touched a file as root in ubuntu's home and on my host it shows up correctly.
|
simplest reproduction i can make of the issue.
|
alright finally got something working, though it fails in interesting ways...:
definitely a bug somewhere in the mounting stack. there are actually a couple based on this:
|
In the example you used
In the following example I also get the error message
|
fair. im less concerned about the value too large error, which is essentially a 'no idea what to do with root uid/gid' it was just interesting edge case. the permission denied errors when trying to mount the volume on a rootless container is the problem. mounting shouldn't fail in rootful vs rootless context because of the idmap options. using the minimal example:
mounting the volume is clearly possible in the rootless context.
the idmap clearly is workable.
either the volume can be mounted or it cant. the mapping is either valid or it isnt. adding a idmap shouldn't suddenly choke. taking a look at mount_setattr there are 4 reasons for mount_setattr to return ENOPERM:
MOUNT_ATTR_NOATIME - I'm assuming this is unset. Defaults mean setting the idmap should fail this by default. due to NOSUID being set by default. but since it doesn't in the sudo case I'm guessing the sudo case prevents the flag from getting locked.
Im hoping this isnt the case.
also possible, but I'm guessing not the case due to sudo working.
this is possible and root would resolve this problem. Taking what we've learned: # ensuring my current user has the sys_admin capability.
± capsh --print | grep -i current
# output
# Current: cap_sys_admin=i
# Current IAB: cap_sys_admin
# ensuring podman has the sys_admin capability (purely for debugging this)
sudo setcap -r /usr/bin/podman
sudo setcap 'cap_sys_admin=ep' /usr/bin/podman
getcap /usr/bin/podman
# output: /usr/bin/podman cap_sys_admin=ep
# ensure both noexec, nosuid, and rdonly are not set and give the container the sys_admin cap just in case.
± podman run -it -v "$(pwd)/test:/opt/test:rw,exec,suid,idmap=uids=1000-1000-1;gids=1000-1000-1" --userns host --cap-add=sys_admin ubuntu:latest bash -c 'cat /proc/self/uid_map /proc/self/gid_map && ls -lha /opt/test'
# output: Error: crun: mount_setattr `/opt/test`: Operation not permitted: OCI permission denied tears think i'm going to jump over to crun and follow up there with this. |
As reported in containers#24918 and clarified in containers/crun#1632 (comment) Signed-off-by: Evstifeev Roman <[email protected]>
As reported in containers#24918 and clarified in containers/crun#1632 (comment) Signed-off-by: Evstifeev Roman <[email protected]>
PR to update documentation of the mount option: #25106 |
As reported in containers#24918 and clarified in containers/crun#1632 (comment) Signed-off-by: Evstifeev Roman <[email protected]>
As reported in containers#24918 and clarified in containers/crun#1632 (comment) Signed-off-by: Evstifeev Roman <[email protected]>
cool. but the kernel should support this. its baffling that it doesnt. |
Issue Description
Im unable to run a container with a volume mounted w/ the idmap option. My end goal is to have the volume be owned by the ubuntu user in the container instead of root.
I feel like this is pebcac. but I'm completely baffled atm.
Steps to reproduce the issue
in the container if i omit the --volume idmap.
$ ls -lha /opt
total 8.0K
drwxr-xr-x 2 root root 4.0K Nov 20 02:03 .
dr-xr-xr-x 18 root root 4.0K Dec 31 03:43 ..
$ id -u test
994
on the host
id -u other
1003
id -u me
1000
ls -lha test
total 16K
drwx------ 4 me me 4.0K Dec 30 17:41 .
drwx------ 4 me me 4.0K Dec 30 17:36 ..
-rw-r--r-- 1 me me 0 Dec 30 22:45 derp.txt
podman run --replace --name test --detach --volume "test:/opt/test:idmap=uids=0-1003-1#994-1000-1;gids=0-1003-1#994-1000-1" ubuntu-24-10 /usr/sbin/init
Describe the results you received
Error: crun: mount_setattr
/opt/test
: Operation not permitted: OCI permission deniedDescribe the results you expected
/opt/test to contain the contents of the test directory and be owned by user 994.
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
laptop =)
Additional information
--cap-add SYS_ADMIN, --privileged, sudo had no effect.
The text was updated successfully, but these errors were encountered: