UID & GID mapping in configuration doesn't work in Podman

[darkcharmander]

Hello everyone,

I'm trying to get this image to run with Podman (with 'play kube'): this means that I'm storing my container configuration in a .yml file instead of directly running via cmd. I believe people sometimes call this k8 config files.

After some fiddling I got the container up and running, and I'm able to create/delete files! Well, what's the problem then? The problem is that Podman maps user IDs in containers to something random for security purposes. This is a problem, because the User ID that I've choosen in the configuration file, is ignored. Files now get random UIDs as owners, which is troublesome.

I've tried running Podman like this, but that just seems to destroy everything: podman play kube --annotation io.podman.annotations.userns=keep-id:uid=1000,gid=1000 kubeconfig.yml which results in tons of errors like this in the container: importas: fatal: unable to exec s6-setuidgid: Permission denied

I also tried some other stuff, like running as root (also breaks stuff completely) or seeing whether 'privileged' mode has any effect.

I know that this image is made for Docker, but I'm thinking that this should theoretically work in Podman as well. Right now I'm trying to run the container via another user (e.g. UID 1001) while another user (e.g. UID 1000) primarily connects to it. I also tried running the container as user ID 1000, but then you still get the random UIDs because of the user mappings.

I have no idea what I can do to fix this. Is what I'm trying to do even possible in Podman? I don't necessarily need a true multi-user setup, but at least the UIDs need to match up to the user on the host system.

Software setup

OS: Debian 13
Kernel: Linux 6.10.3
Podman: 5.0.3

Here is my kube (k8?) config file. I've omitted some irrelevant stuff.

apiVersion: apps/v1
kind: Pod
spec:
    containers:
    - image: docker.io/crazymax/samba:4.19.6
      name: samba
      volumeMounts:
        - name: data
          mountPath: /data
        - name: network-share-myuser
          mountPath: /samba/myuser
      env:
        - name: CONFIG_FILE
          value: "/data/config.yml"
        - name: SAMBA_FOLLOW_SYMLINKS
          value: "1"
        - name: SAMBA_LOG_LEVEL
          value: "3"
        - name: SAMBA_WIDE_LINKS
          value: "1"
        - name: SMB_ENCRYPT
          value: required
      ports:
      - containerPort: 445
        hostPort: 445
        protocol: TCP
      - containerPort: 3702
        hostPort: 3702
        protocol: TCP
      - containerPort: 5355
        hostPort: 5355
        protocol: TCP
      - containerPort: 3702
        hostPort: 3702
        protocol: UDP
      - containerPort: 5355
        hostPort: 5355
        protocol: UDP
    volumes:
    - name: data
      hostPath:
        path: /var/container-data/mycontainer/data
        type: Directory
    - name: network-share-myuser
      hostPath:
        path: /var/container-data/mycontainer/myuser
        type: Directory

And config.yml which is to be used under /data in the container.

auth:
  - user: myuser
    group: myuser
    uid: 1000
    gid: 1000
    password: test

global:
  - "force user = myuser"
  - "force group = myuser"
  - "server min protocol = SMB2"
  - "server max protocol = SMB3_11"

share:
  - name: myuser
    path: /samba/myuser
    browsable: yes
    readonly: no
    guestok: no
    validusers: myuser
    writelist: myuser
    veto: no
    hidefiles: ""
    recycle: no