That's a weird one. I was going to suggest using the -Z option on externally mounted volumes, but it sounds like you tried the ephemeral storage as well. 

I'm wondering if this app runs at all, even outside of the container? Could it be something whacky with the Python interpreter and/or kernel interaction?

It doesn't "sound" like podman, but it's tough to call for sure unless we find a root cause.

Could you try running it on the exact same system, but as a regular process?

Best Regards
Scott M

On Fri, Jul 30, 2021, 12:42 PM Josh Berkus <jberkus@redhat.com> wrote:
All,

I'm porting a legacy app to containers, and having an issue where
apparently it can't write files while running in podman.

Is there any reason why a python process, or child process, running as
container-root would be unable to write to either the ephemeral
filesystem of the container, or to mounted volumes?

Basically, here's the situation:

- Python app with many child processes
- all of them run as container-root
- app is supposed to write logs to files (yes, I know)
- app does not write any logs to any files; in fact, the log-dir
initialization appears to fail (no error messages, though, because it's
not logging)
- one other process which is supposed to write cache to a dir does not do so
- all of these directories are under /app/, a directory COPYd into the
image definition, not /var/ or home
- have tried both with these dirs as local to the container, and as
mounted volumes on the host system
- if I exec in to the container as container-root, I can write files to
those dirs
- SELinux denial log on the host does not show any denials

It is entirely possible that this is a problem with the legacy app and
is not a podman thing at all.  I'm asking here because I want to
eliminate podman as a potential cause of the problem.

--
-- Josh Berkus
    Kubernetes Community Architect
    OSPO, OCTO
_______________________________________________
Podman mailing list -- podman@lists.podman.io