On 2/9/21 06:04, geert(a)kobaltwit.be wrote:
Hi Roland,
That is exactly my plan. I don't really mind the container user becoming root, and I
could use "--userns=keep-id" if I want to avoid that.
However, that's not the issue, I think. Regardless of what option I set, the group is
not right inside the container. It's mapped to "nobody" instead of sticking to
"share". With group "nobody" the directory is not accessible from
within the host by anyone except "user1" (either mapped to root or just as user1
if I use "--userns=keep-id").
Regards,
Geert
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
If you are using crun as your OCI Runtime, you can set
`--annotation run.oci.keep_original_groups=1` and all groups owned
by the rootless user will be allowed to access content from within the
container.
```
man podman run
...
Note: if the user only has access rights via a group, accessing the device
from inside a rootless container will fail. The crun(1) runtime offers a
workaround for this by adding the option --annotation run.oci.keep_original_groups=1.
```
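The man page note above describes the condition to look for: the host user reaches the bind-mount source only through a supplementary group, which a rootless container drops (the group shows up as "nobody"). As an added example, not code from this thread or from the Podman/crun projects, the following POSIX sh script classifies how the current user gets access to a directory before `podman run` and flags the supplementary-group case. `classify_access` is pure shell and works from numbers; `check_mount_source` wraps it and assumes GNU `stat -c '%u %g %a'` (an assumption, not something the thread states) plus POSIX `id -u`, `id -g` and `id -G`.

```shell
#!/bin/sh
# Added example, not from the mailing list thread: audit a bind-mount source
# for "group only" access, which fails inside a rootless container unless
# crun is given --annotation run.oci.keep_original_groups=1.

# classify_access OWNER_UID OWNER_GID MODE MY_UID MY_GID "SUPP_GIDS"
#   MODE is the octal permission string stat prints (e.g. 750 or 2750),
#   SUPP_GIDS a space-separated list of the caller's group ids (as from id -G).
#   Prints the class that grants read access:
#   owner | primary-group | supplementary-group | other | none
classify_access() {
    ca_owner_uid=$1 ca_owner_gid=$2 ca_mode=$3 ca_uid=$4 ca_gid=$5 ca_supp=$6
    # Normalise to at least three digits, then keep only the last three
    # (drops setuid/setgid/sticky digits such as the "2" in 2750).
    ca_mode=$(printf '%03d' "$ca_mode")
    ca_prefix=${ca_mode%???}
    ca_mode=${ca_mode#$ca_prefix}
    ca_u=${ca_mode%??}              # owner digit
    ca_g=${ca_mode#?}; ca_g=${ca_g%?}  # group digit
    ca_o=${ca_mode#??}              # other digit

    # Unix picks exactly one class: owner, else group (primary or
    # supplementary), else other. Only that class's bits apply.
    if [ "$ca_uid" = "$ca_owner_uid" ]; then
        ca_bits=$ca_u; ca_how=owner
    elif [ "$ca_gid" = "$ca_owner_gid" ]; then
        ca_bits=$ca_g; ca_how=primary-group
    else
        ca_bits=$ca_o; ca_how=other
        for ca_s in $ca_supp; do
            if [ "$ca_s" = "$ca_owner_gid" ]; then
                ca_bits=$ca_g; ca_how=supplementary-group; break
            fi
        done
    fi
    # The read bit (4) decides whether the chosen class actually grants access.
    if [ $(( ca_bits & 4 )) -ne 0 ]; then echo "$ca_how"; else echo none; fi
}

# check_mount_source PATH
#   Returns 0 when access does not depend on a supplementary group,
#   1 when it does (and prints the crun workaround), 2 on no access/error.
#   Assumes GNU stat (hypothetical helper, not part of podman).
check_mount_source() {
    cms_path=$1
    cms_info=$(stat -c '%u %g %a' -- "$cms_path") || return 2
    set -- $cms_info
    cms_how=$(classify_access "$1" "$2" "$3" "$(id -u)" "$(id -g)" "$(id -G)")
    case $cms_how in
        supplementary-group)
            echo "WARNING: access to $cms_path relies on a supplementary group;"
            echo "  inside a rootless container that group maps to nobody."
            echo "  With crun, add: --annotation run.oci.keep_original_groups=1"
            return 1 ;;
        none)
            echo "ERROR: no read access to $cms_path on the host"
            return 2 ;;
        *)
            echo "OK: $cms_path readable as $cms_how; no annotation needed"
            return 0 ;;
    esac
}

# Usage: sh check_mount.sh /path/to/bind/source
if [ $# -gt 0 ]; then
    check_mount_source "$1"
fi
```

Running it against the directory from the thread (owned by user1, group "share", mode 750) as a member of "share" whose primary group is something else prints the warning and suggests the crun annotation; the same directory checked as user1 reports "owner" and needs nothing.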