On 2019-06-17 16:33, Eric Gustavsson wrote:
> Thanks Matt, that was it! It spins up now
> What's the recommended way of doing this with SELinux enabled in the
> container?
> Since the alpine image doesn't seem to create a home directory for the user.
Depends on your exact use case.
If you just need the content in the container, not on the host, you
could use a named volume there (`podman volume create` and mount in by
name instead of path).
If you need the content on the host, but you don't mind destructively
relabelling it, append `:Z` to the mount (or `:z` if it needs to be
accessed from multiple containers). This does an SELinux relabel of
the host directory so Podman containers can access it. Not a good
thing to do to your entire homedir, but fine if it's just a directory
you don't anticipate using for much except the Podman container.
If neither of those fit, you're back to `label=disable` - we need to
retain normal SELinux labelling and don't have permissions to access
with the container. Fortunately, as a rootless container, you're
already very locked down, so missing SELinux isn't as big of a deal as
it is with root.
Thanks,
Matt Heon
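The three options above, written out as a small POSIX shell script. This is an added example, not code from the thread, from Podman or from bitwarden_rs: it encodes Matt's decision tree (named volume / `:Z` or `:z` relabel / `label=disable`), shows how to read the host directory's SELinux label with GNU `stat -c %C` so you can confirm a relabel actually happened, and assembles the `podman run` line. The image and host path are the ones from Eric's commands, as is `--userns=keep-id` (the spelling Eric used); the function names and the strategy names `named|relabel|shared|nolabel` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Podman): choose how to give a
# rootless container access to host data under SELinux, verify the host
# label, and build the podman command. IMAGE/HOSTDIR come from the thread;
# function and strategy names are this example's own.
set -eu

IMAGE=bitwardenrs/server:latest
HOSTDIR=/home/spytec/Bitwarden/bw-data

# Is SELinux enforcing on this host? Reads the kernel's selinuxfs; no podman needed.
selinux_mode() {
  if [ -r /sys/fs/selinux/enforce ]; then
    case "$(cat /sys/fs/selinux/enforce)" in
      1) echo enforcing ;;
      0) echo permissive ;;
      *) echo unknown ;;
    esac
  else
    echo disabled
  fi
}

# Security context of a path as GNU stat prints it, e.g.
# unconfined_u:object_r:container_file_t:s0:c12,c34   ("?" on a host without SELinux)
host_label() { stat -c %C "$1" 2>/dev/null || echo '?'; }

# Field 3 of a context is the type; fields 5 and up are the MCS categories.
context_type()       { printf '%s\n' "$1" | cut -d: -f3; }
context_categories() { printf '%s\n' "$1" | cut -d: -f5-; }

# What a label means for containers:
#   private        container_file_t with categories -> what :Z produces, one container only
#   shared         container_file_t, no categories  -> what :z produces, any container
#   not-container  anything else (user_home_t ...)  -> containers get "Permission denied"
classify_label() {
  case "$(context_type "$1")" in
    container_file_t)
      if [ -n "$(context_categories "$1")" ]; then echo private; else echo shared; fi ;;
    *) echo not-container ;;
  esac
}

# Matt's decision tree.
#   $1 need the data on the host? yes|no
#   $2 dedicated directory you are happy to relabel? yes|no
#   $3 accessed by several containers? yes|no
choose_strategy() {
  if [ "$1" = no ]; then
    echo named
  elif [ "$2" = yes ]; then
    if [ "$3" = yes ]; then echo shared; else echo relabel; fi
  else
    echo nolabel
  fi
}

# Mount/userns arguments per strategy. --userns=keep-id keeps the host uid
# inside the container so bind-mounted files stay owned by it; a named volume
# lives in podman's own storage, so it needs no relabel at all.
volume_args() {
  case "$1" in
    named)   echo "-v bw-data:/data" ;;
    relabel) echo "--userns=keep-id -v $HOSTDIR:/data:Z" ;;
    shared)  echo "--userns=keep-id -v $HOSTDIR:/data:z" ;;
    nolabel) echo "--userns=keep-id --security-opt label=disable -v $HOSTDIR:/data" ;;
    *) echo "unknown strategy: $1" >&2; return 1 ;;
  esac
}

# Print the full command; execute it only where podman is actually installed.
run_bitwarden() {
  cmd="podman run -d --name bitwarden -e ROCKET_PORT=8080 -p 8080:8080 $(volume_args "$1") $IMAGE"
  printf '%s\n' "$cmd"
  if command -v podman >/dev/null 2>&1; then sh -c "$cmd"; fi
}

# Usage: sh selinux-volume.sh <on-host yes|no> <dedicated yes|no> <shared yes|no>
if [ "$#" -eq 3 ]; then
  echo "SELinux: $(selinux_mode); $HOSTDIR: $(host_label "$HOSTDIR") ($(classify_label "$(host_label "$HOSTDIR")"))"
  run_bitwarden "$(choose_strategy "$1" "$2" "$3")"
fi
```

After a `:Z` run, `stat -c %C` on the host directory should show `container_file_t` with a category pair; that label stays on the directory after the container exits, which is the "destructive" part Matt refers to, and the categories tie it to that one container until Podman relabels it again. `:z` gives `container_file_t` without categories, so any container can use it. On a host without SELinux `stat` prints `?`, `classify_label` reports `not-container`, and there is simply nothing to check.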
On Mon, 17 Jun 2019 at 16:25, Matt Heon <mheon(a)redhat.com> wrote:
> On 2019-06-17 16:22, Eric Gustavsson wrote:
> >Thanks for the quick responses!
> >
> >I tried running without --user, got the same error with permission denied
> >to touch the data/ directory
> >$ podman run -d --name bitwarden -e ROCKET_PORT=8080 -v
> >/home/spytec/Bitwarden/bw-data/:/data/ -p 8080:8080
> >bitwardenrs/server:latest
> >
> >With the --userns=keep-id I do get the 1000:1000 on the folder and the
> >container runs as it, but also there I get permission denied.
> >$ podman run -d --userns=keep-id --name bitwarden -e ROCKET_PORT=8080 -v
> >/home/spytec/Bitwarden/bw-data/:/data/ -p 8080:8080
> >bitwardenrs/server:latest
> >
> >If I tried this to see it inside the container:
> >$ podman run -ti --name bitwarden --rm --userns=keep-id -e
> >[ROCKET_PORT=8080,ENABLE_DB_WAL=false] -v
> >/home/spytec/Bitwarden/bw-data/:/data/ -p 8080:8080
> >bitwardenrs/server:latest /bin/bash
> >1000@7253b86a0681:/$ touch /data/test
> >touch: cannot touch '/data/test': Permission denied
> >1000@7253b86a0681:/$ ls -l | grep data
> >drwxrwxrwx. 2 1000 1000 4096 Jun 13 16:57 data
> >
> >Thanks,
> >
> >Eric Gustavsson
> >
> >Associate Software Engineer
> >
> >Red Hat <https://www.redhat.com>
> >
>
> Sounds like SELinux.
>
> Try running the container with `--security-opt label=disable` - that
> should let you access the folder on the host without issue.
>
> Thanks,
> Matt Heon
>
> >
> >On Mon, 17 Jun 2019 at 16:12, James Cassell <fedoraproject(a)cyberpear.com>
> >wrote:
> >
> >> On Mon, Jun 17, 2019, at 9:53 AM, Eric Gustavsson wrote:
> >> > Hi all,
> >> >
> >> > I got a bit of an issue trying to spin up a container with a volume
> >> > mounted to the container's /data directory. Got a related issue here
> >> > but I believe I'm just missing out on something Podman specific
> >> > https://github.com/dani-garcia/bitwarden_rs/issues/506
> >> >
> >> > When I run this command and mount /bw-data to the container's /data the
> >> > bitwardenrs image can't write to it.
> >> > podman run -d --user 1001 --name bitwarden -e
> >> > [ROCKET_PORT=8080,ENABLE_DB_WAL=false] -v
> >> > /home/spytec/Bitwarden/bw-data/:/data/ -p 8080:8080
> >> > bitwardenrs/server:latest
> >> >
> >> > Inside the container the /data directory is assigned to root, outside
> >> > the container /bw-data has 0777 permissions and belong to myself (user
> >> > 1001).
> >> >
> >> > Am I missing something?
> >>
> >> With rootless containers, the root uid inside the container is the regular
> >> uid outside of the container. Use `--userns=keep-uid` to see your user
> >> mapped as the same uid inside and out.
> >>
> >> V/r,
> >> James Cassell
> >> _______________________________________________
> >> Podman mailing list -- podman(a)lists.podman.io
> >> To unsubscribe send an email to podman-leave(a)lists.podman.io
> >>
>
>