I have a shared directory "test" owned by "share" (and group
"share"). "share" is also a real user id on the host system. All
users that need access to this directory have been made members of the "share"
group. This works fine on the host.
Now I need to set up a rootless container that will run an application requiring read and
write access to that directory as well. That rootless container will be started by several
users on the host (well, on multiple hosts really, but that's not relevant to this
particular issue - I'm currently testing on a single host).
I have tried countless variations but I can't make it work.
My last attempt consists of setting up a container using this Dockerfile (simplified to
only present the essence):
RUN groupadd -g 1000 user1
RUN groupadd -g 1001 shared
RUN useradd -u1000 -g1000 -G1001 user1
RUN useradd -u1001 -g1001 shared
So two users are defined inside the container and their uids and gids match those of the
host. "user1" is also made member of the "shared" group with the
intention to make the shared directory accessible for "user1". That reflects the
permissions as on the host.
Running ls on the directory inside the container results in this output:
$ podman run -it --net=host -v ./test:/home/test:z --userns=host localhost/test-img ls
drwxrwx---. 2 root nobody 4096 Feb 8 18:12 /home/test
Outside of the container this directory has the following ownerships:
$ ls -ld test/
drwxrwx---. 2 user1 share 4096 8 feb 19:12 test/
So some uid and gid remapping is going on and with ownership of root:nobody, my container
user can't access the test directory. I would want the directory to have the same
ownership inside the container, but I don't know how to get there. I thought the
"--userns=host" option was for that purpose. but it still remaps the user and
group for directory test. I have also tried "--userns=keep-id", but that makes
no difference. Note that if I log in to the host as user "share" and run the
container (changing the default container user to "share" as well), the
/home/test directory is accessible inside the container.
How can I prevent podman from remapping the ownership of that mounted volume or if
that's not possible what is the proper way to provide shared access to a mounted
volume to a different user ?
P.S. For completeness, this experiment is with a simple local directory. In the final
setup that "test" directory would have to be replaced with a locally mounted nfs
share. I did somer experiments already and I can access nfs shares, but the same owner and
group remapping prevent me from accessing that nfs share when running the container
rootless from a user that's not the owner of that share. I hope the solution to my
experiment will also fix it for an nfs share.