3:03 a.m.
Hello,
I'm struggling a little with the permissions set on the top level
directory of a volume that is mounted in a rootless container.
My Containerfile:
https://gist.github.com/PeterUpfold/2f63ad5341ffd9079bc2683a5bb2744c
The top level directory of the volume mount,
/var/www/html/websites/windows, ends up with root:nobody and 0755
permissions inside the container.
I've seen similar issues on this list: Daniel Walsh's suggestion of
`--annotation run.oci.keep_original_groups=1` seems to work beautifully
to change the ownership of the volume folder in the container to be
windowsnoob:windowsnoob, as I would want it, _if_ I'm doing `podman run`.
However, I'm trying to create a pod as follows. Is it possible to have
this permissions configuration work in this scenario?
podman pod create -n windowsnoob -p 8081
podman build -t windowsnoob-fpm .
podman create --name windowsnoob-fpm --pod windowsnoob -v
/var/www/html/websites/windows:/var/www/html/websites/windows:Z,noexec,nodev,rw
windowsnoob-fpm
podman pod start windowsnoob
At the moment, doing this and checking the permissions on the
/var/www/html/websites/windows volume in the created container (via
`podman exec -it [container] bash`) still shows the following:
drwxr-xr-x. 2 root nobody 28 Feb 14 09:45 windows
(Note that I can write to a subfolder already owned by
windowsnoob:windowsnoob _inside_ the volume just fine — I don't believe
this is an SELinux issue, or a permissions issue on anywhere except the
top level of the volume mount!)
Thank you for any insight you might be able to provide!
Peter Upfold
7:51 a.m.
New subject: Permissions on top level of mounted volume in rootless container
On 2/18/21 03:03, Peter Upfold wrote:
Hello,
I'm struggling a little with the permissions set on the top level
directory of a volume that is mounted in a rootless container.
My Containerfile:
https://gist.github.com/PeterUpfold/2f63ad5341ffd9079bc2683a5bb2744c
The top level directory of the volume mount,
/var/www/html/websites/windows, ends up with root:nobody and 0755
permissions inside the container.
I've seen similar issues on this list: Daniel Walsh's suggestion of
`--annotation run.oci.keep_original_groups=1` seems to work
beautifully to change the ownership of the volume folder in the
container to be windowsnoob:windowsnoob, as I would want it, _if_ I'm
doing `podman run`.
Note the annotation does not change the ownership of the folder, it just
allows the group access for your non root process to leak into the
container. Allowing you to have group access to the volume.
However, I'm trying to create a pod as follows. Is it possible to
have
this permissions configuration work in this scenario?
podman pod create -n windowsnoob -p 8081
podman build -t windowsnoob-fpm .
podman create --name windowsnoob-fpm --pod windowsnoob -v
/var/www/html/websites/windows:/var/www/html/websites/windows:Z,noexec,nodev,rw
windowsnoob-fpm
podman pod start windowsnoob
At the moment, doing this and checking the permissions on the
/var/www/html/websites/windows volume in the created container (via
`podman exec -it [container] bash`) still shows the following:
drwxr-xr-x. 2 root nobody 28 Feb 14 09:45 windows
This should be the same, but the container you create within the pod
will need the annotation.
(Note that I can write to a subfolder already owned by
windowsnoob:windowsnoob _inside_ the volume just fine — I don't
believe this is an SELinux issue, or a permissions issue on anywhere
except the top level of the volume mount!)
Thank you for any insight you might be able to provide!
Peter Upfold
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
4:07 a.m.
New subject: Permissions on top level of mounted volume in rootless container
On 18/02/2021 12:51, Daniel Walsh wrote:
This should be the same, but the container you create within the pod
will need the annotation.
_______________________________________________
Thank you for your reply.
I don't seem to have had any luck with this. Creating as follows:
`podman create --name windowsnoob-fpm --annotation
run.oci.keep_original_groups=1 --pod windowsnoob -v
/var/www/html/websites/windows:/var/www/html/websites/windows:Z,noexec,nodev,rw
windowsnoob-fpm`
still leaves me with root:nobody ownership in the container.
The annotation does appear if I `podman inspect` the created container.
(I'm less concerned about group membership here, as the directory on the
host is owned by the user creating this container -- it's just that I'd
like the ownership of the mounted volume inside the container to also be
a non-root user; the `oci.keep_original_groups` solution did work to
achieve this in the `podman run` scenario.)
Peter Upfold
10:15 a.m.
New subject: Permissions on top level of mounted volume in rootless container
On 2/19/21 04:07, Peter Upfold wrote:
On 18/02/2021 12:51, Daniel Walsh wrote:
> This should be the same, but the container you create within the pod
> will need the annotation.
> _______________________________________________
>
Thank you for your reply.
I don't seem to have had any luck with this. Creating as follows:
`podman create --name windowsnoob-fpm --annotation
run.oci.keep_original_groups=1 --pod windowsnoob -v
/var/www/html/websites/windows:/var/www/html/websites/windows:Z,noexec,nodev,rw
windowsnoob-fpm`
still leaves me with root:nobody ownership in the container.
The annotation does appear if I `podman inspect` the created container.
(I'm less concerned about group membership here, as the directory on
the host is owned by the user creating this container -- it's just
that I'd like the ownership of the mounted volume inside the container
to also be a non-root user; the `oci.keep_original_groups` solution
did work to achieve this in the `podman run` scenario.)
Peter Upfold
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
If you are running as root within the user, you need to figure out what
is the UID of user within the container and chown the file to this.
podman unshare chown UID:GID /PATH
Should fix the ownerships to work the way you want.
A contributor is working on making this happen with the :U option.
4:26 a.m.
New subject: Permissions on top level of mounted volume in rootless container
Apologies if it is bad etiquette to "bump" my previous issue on this!
I continue to struggle with the permissions set on the top level
directory of a volume that is mounted in a rootless container.
My Containerfile:
https://gist.github.com/PeterUpfold/2f63ad5341ffd9079bc2683a5bb2744c
The top level directory of the volume mount,
/var/www/html/websites/windows, ends up with root:nobody and 0755
permissions inside the container.
The suggestion to address this was to add the annotation for
"keep_original_groups" when creating the container in the pod. Creating
as follows:
`podman create --name windowsnoob-fpm --annotation
run.oci.keep_original_groups=1 --pod windowsnoob -v
/var/www/html/websites/windows:/var/www/html/websites/windows:Z,noexec,nodev,rw
windowsnoob-fpm`
still leaves me with root:nobody ownership in the container.
The annotation does appear if I `podman inspect` the created container.
(I'm not actually concerned about group membership here, as the
directory on the host is owned by the user creating this container --
it's just that I'd like the ownership of the mounted volume inside the
container to also be a non-root user; the `oci.keep_original_groups`
solution did work to achieve this in the `podman run` scenario.)
Peter Upfold
10:29 a.m.
New subject: Permissions on top level of mounted volume in rootless container
On 4/8/21 3:26 AM, Peter Upfold wrote:
Apologies if it is bad etiquette to "bump" my previous
issue on this!
I continue to struggle with the permissions set on the top level
directory of a volume that is mounted in a rootless container.
My Containerfile:
https://gist.github.com/PeterUpfold/2f63ad5341ffd9079bc2683a5bb2744c
The top level directory of the volume mount,
/var/www/html/websites/windows, ends up with root:nobody and 0755
permissions inside the container.
The suggestion to address this was to add the annotation for
"keep_original_groups" when creating the container in the pod. Creating
as follows:
`podman create --name windowsnoob-fpm --annotation
run.oci.keep_original_groups=1 --pod windowsnoob -v
/var/www/html/websites/windows:/var/www/html/websites/windows:Z,noexec,nodev,rw
windowsnoob-fpm`
still leaves me with root:nobody ownership in the container.
The annotation does appear if I `podman inspect` the created container.
(I'm not actually concerned about group membership here, as the
directory on the host is owned by the user creating this container --
it's just that I'd like the ownership of the mounted volume inside the
container to also be a non-root user; the `oci.keep_original_groups`
solution did work to achieve this in the `podman run` scenario.)
I think you are running into this issue if you are on Podman 3.
https://github.com/containers/podman/issues/9608#issuecomment-805291997
Joe
--
Joe Doss
joe(a)solidadmin.com
3:34 p.m.
New subject: Permissions on top level of mounted volume in rootless container
On 4/9/21 10:29, Joe Doss wrote:
On 4/8/21 3:26 AM, Peter Upfold wrote:
> Apologies if it is bad etiquette to "bump" my previous issue on this!
>
> I continue to struggle with the permissions set on the top level
> directory of a volume that is mounted in a rootless container.
>
> My Containerfile:
> https://gist.github.com/PeterUpfold/2f63ad5341ffd9079bc2683a5bb2744c
>
> The top level directory of the volume mount,
> /var/www/html/websites/windows, ends up with root:nobody and 0755
> permissions inside the container.
>
> The suggestion to address this was to add the annotation for
> "keep_original_groups" when creating the container in the pod.
> Creating as follows:
>
> `podman create --name windowsnoob-fpm --annotation
> run.oci.keep_original_groups=1 --pod windowsnoob -v
> /var/www/html/websites/windows:/var/www/html/websites/windows:Z,noexec,nodev,rw
> windowsnoob-fpm`
>
> still leaves me with root:nobody ownership in the container.
>
--volume mounts are just bind mounts from the host. So they will
maintain the permissions of the source directory. In a rootless
container there is nothing that can be done about this.
The annotation would only work if you setup group ownership on the
directory and then allowed a non root user to have group access.
> The annotation does appear if I `podman inspect` the created
container.
>
> (I'm not actually concerned about group membership here, as the
> directory on the host is owned by the user creating this container --
> it's just that I'd like the ownership of the mounted volume inside
> the container to also be a non-root user; the
> `oci.keep_original_groups` solution did work to achieve this in the
> `podman run` scenario.)
I think you are running into this issue if you are on Podman 3.
https://github.com/containers/podman/issues/9608#issuecomment-805291997
Joe
1321
days inactive
1374
days old
6 comments
3 participants
participants (3)
-
Daniel Walsh -
Joe Doss -
Peter Upfold