'partial' directory ownership and permissions

[rstreif]

Issue Description

I am running podman as a regular user (rootless) explicitly setting the root directory to a particular location. When podman creates the images the 'partial' folders always seem to be having a random user id as owner but the user's group id:

$ ls -l containers/root/overlay/8b845b0d3b07a3aa40e875124add71a06ff27637e29805aee92841df571e6c8d/diff/var/cache/apt/archives/ total 4 -rw-r-----. 1 rstreif rstreif 0 May 23 11:01 lock drwx------. 2 100041 rstreif 4096 May 23 11:01 partial

Due to the ownership and permission settings the user cannot read/write the partial directory. The only workaround is to change ownership as root. However, that is not practical in an automated build environment.

Steps to reproduce the issue

Steps to reproduce the issue

1. Run podman as user setting --root to a directory
2. Use a Docker file pulling an image e.g. Debian and install a couple of packages
3. Attempt to delete the directory --root is pointing to

Describe the results you received

'partial' directory is owned by a non-existing user with the user id 100041. All other directories are correctly owned by the user running podman.

Describe the results you expected

The 'partial' directory should also be owned by the user running podman.

podman info output

host:
  arch: amd64
  buildahVersion: 1.36.0-dev
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.fc38.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 98.04
    systemPercent: 0.44
    userPercent: 1.52
  cpus: 128
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: workstation
    version: "38"
  eventLogger: journald
  freeLocks: 2048
  hostname: threaddy
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.7.11-100.fc38.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 77920219136
  memTotal: 134918377472
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.10.0-1.fc38.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.10.0
    package: netavark-1.10.3-1.fc38.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun-1.14.4-1.fc38.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.14.4
      commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240220.g1e6f92b-1.fc38.x86_64
    version: |
      pasta 0^20240220.g1e6f92b-1.fc38.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-1.fc38.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 12884893696
  swapTotal: 12884893696
  uptime: 7h 29m 59.00s (Approximately 0.29 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/rstreif/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/rstreif/.local/share/containers/storage
  graphRootAllocated: 1887956455424
  graphRootUsed: 1436823498752
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 3
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/rstreif/.local/share/containers/storage/volumes
version:
  APIVersion: 5.1.0-dev
  Built: 1712609031
  BuiltTime: Mon Apr  8 13:43:51 2024
  GitCommit: 6487940534c1065d6c7753e3b6dfbe253666537d
  GoVersion: go1.21.8
  Os: linux
  OsArch: linux/amd64
  Version: 5.1.0-dev

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[Luap99]

This is the expected behavior, podman uses the extra configured uids/gids from /etc/sub{u,g}id. As most container images contain more than one uid we have to write different uids to the storage.

If you want to chown/delete files you must use podman unshare to enter the userns first so you gain access to all the uids/gids.