On 4/9/21 10:29, Joe Doss wrote:
On 4/8/21 3:26 AM, Peter Upfold wrote:
> Apologies if it is bad etiquette to "bump" my previous issue on this!
>
> I continue to struggle with the permissions set on the top level
> directory of a volume that is mounted in a rootless container.
>
> My Containerfile:
>
> https://gist.github.com/PeterUpfold/2f63ad5341ffd9079bc2683a5bb2744c
>
> The top level directory of the volume mount,
> /var/www/html/websites/windows, ends up with root:nobody and 0755
> permissions inside the container.
>
> The suggestion to address this was to add the annotation for
> "keep_original_groups" when creating the container in the pod.
> Creating as follows:
>
> `podman create --name windowsnoob-fpm --annotation run.oci.keep_original_groups=1 --pod windowsnoob -v /var/www/html/websites/windows:/var/www/html/websites/windows:Z,noexec,nodev,rw windowsnoob-fpm`
>
> still leaves me with root:nobody ownership in the container.
>
--volume mounts are just bind mounts from the host. So they will
maintain the permissions of the source directory. In a rootless
container there is nothing that can be done about this.
The annotation would only work if you setup group ownership on the
directory and then allowed a non root user to have group access.
> The annotation does appear if I `podman inspect` the created
> container.
>
> (I'm not actually concerned about group membership here, as the
> directory on the host is owned by the user creating this container --
> it's just that I'd like the ownership of the mounted volume inside
> the container to also be a non-root user; the
> `oci.keep_original_groups` solution did work to achieve this in the
> `podman run` scenario.)
I think you are running into this issue if you are on Podman 3.
https://github.com/containers/podman/issues/9608#issuecomment-805291997
Joe
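As an added example that is not part of this thread (it is neither Peter's nor Joe's code), the POSIX shell helpers below show why a bind-mounted directory owned by the host user comes up as root:nobody inside a rootless container. A bind mount keeps the host inode's numeric uid/gid; what changes is how the container's user namespace translates those numbers, using the "inside outside count" ranges from /proc/<pid>/uid_map and gid_map. Host ids that fall outside every range are shown as the kernel overflow id 65534, which the image's /etc/passwd usually names "nobody". The maps (uid 1000 mapped to 0, subordinate range 100000-165535 mapped to 1-65536) and the sample directory owner 1000:33 are constructed for the example; on a real host read the live maps with `podman unshare cat /proc/self/uid_map` and `podman unshare cat /proc/self/gid_map`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: emulate the user-namespace
# id translation a rootless container applies to a bind-mounted directory.
# Map lines use the /proc/<pid>/uid_map format: "inside outside count".

OVERFLOW_ID=65534   # kernel overflowuid/overflowgid, shown as "nobody" in most images

# Constructed maps in the default rootless podman layout (assumption: host user
# is uid/gid 1000 with subuid/subgid range 100000-165535; adjust to your host).
UID_MAP='0 1000 1
1 100000 65536'
GID_MAP='0 1000 1
1 100000 65536'

# map_id MAP HOST_ID -> id the container sees for HOST_ID (overflow id if unmapped)
map_id() {
    printf '%s\n' "$1" | awk -v host="$2" -v overflow="$OVERFLOW_ID" '
        NF == 3 && host >= $2 && host < $2 + $3 {
            print $1 + (host - $2); found = 1; exit
        }
        END { if (!found) print overflow }'
}

# unmap_id MAP CONTAINER_ID -> host id that the container would see as CONTAINER_ID,
# i.e. the id to chown a host directory to; "unmapped" if no range covers it.
unmap_id() {
    printf '%s\n' "$1" | awk -v cid="$2" '
        NF == 3 && cid >= $1 && cid < $1 + $3 {
            print $2 + (cid - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# id_name ID -> conventional name for the two ids every image resolves the same way;
# anything else depends on the image's /etc/passwd, so print the number.
id_name() {
    case "$1" in
        0) echo root ;;
        "$OVERFLOW_ID") echo nobody ;;
        *) echo "$1" ;;
    esac
}

# container_view UID_MAP GID_MAP HOST_UID HOST_GID -> "owner:group" as seen in the container
container_view() {
    echo "$(id_name "$(map_id "$1" "$3")"):$(id_name "$(map_id "$2" "$4")")"
}

# Constructed scenario: the host directory is owned by the user (uid 1000) but by a
# group (gid 33) that is not the user's primary group and not in the subgid range.
echo "host owner 1000:33 appears in the container as $(container_view "$UID_MAP" "$GID_MAP" 1000 33)"

# Reverse direction: to have the container see the directory owned by uid 82,
# the host owner must be the id that maps to 82, i.e. inside the subuid range.
echo "container uid 82 corresponds to host uid $(unmap_id "$UID_MAP" 82)"
echo "container uid 70000 corresponds to host uid $(unmap_id "$UID_MAP" 70000)"
```

The reverse mapping is what `podman unshare chown` does for you: it runs chown inside the same user namespace, so `podman unshare chown 82:82 /path` writes the host ids that the container will later see as 82:82. The mount options in the thread (`:Z,noexec,nodev,rw`) relabel and restrict the mount but do not change numeric ownership.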