New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
podman run is not honoring --userns=keep-id --user=1000:1000 settings while creating volumes #16741
Comments
What is the UID of the user running podman - is it 1000? Is the attempt here to have the volume owned by UID 1000 in the container, which is mapped to UID 1000 on the host? If so, |
Yea I was trying to achieve that. My UID (user running podman) is But I don't get it this: With Without If I create volume manually with |
The 1000:1000 mapping to 100999 is definitely a bug in how we are calculating UID 1000 within the container. |
Also with pods apiVersion: v1
kind: Pod
metadata:
labels:
app: syncthing-pod
name: syncthing-pod
spec:
containers:
- image: docker.io/syncthing/syncthing:latest
name: syncthing
hostUsers: false
securityContext:
runAsGroup: 1000
runAsUser: 1000
volumeMounts:
- mountPath: /var/syncthing
name: syncthing_data-pvc
restartPolicy: Never
volumes:
- name: syncthing_data-pvc
persistentVolumeClaim:
claimName: syncthing_data-test ❯ podman kube play syncthing-pod-test.yaml
Pod:
f14bbab18068b0ca1c7267f8886e7f06a912594f93fad851ae09a410161b132f
Container:
eaf706dfa9f0f7b5a97e32f8c648af919b18b3c4504aef53fff58fac3b8765c6
❯ exa --long --octal-permissions --numeric /var/home/queeup/.local/share/containers/storage/volumes/
0700 drwx------@ - 1000 7 Dec 00:46 syncthing_data-test
❯ exa --long --octal-permissions --numeric /var/home/queeup/.local/share/containers/storage/volumes/syncthing_data-test/
0755 drwxr-xr-x@ - 100999 7 Dec 00:46 _data With "--userns=keep-id": ❯podman kube play --userns keep-id syncthing-pod-test.yaml
Pod:
51e61e09770df91283e529a44802cf3cbce0288f30203d2352244bd3963502b9
Container:
858cdd18f0972a8f743cd2e6866a47e4dc47512c0d9c21e31f8c36652ceeaf7f
❯ exa --long --octal-permissions --numeric /var/home/queeup/.local/share/containers/storage/volumes/
0700 drwx------@ - 100000 7 Dec 00:48 syncthing_data-test
❯ exa --long --octal-permissions --numeric /var/home/queeup/.local/share/containers/storage/volumes/syncthing_data-test/
"/var/home/queeup/.local/share/containers/storage/volumes/syncthing_data-test/": Permission denied (os error 13)
❯ sudo exa --long --octal-permissions --numeric /var/home/queeup/.local/share/containers/storage/volumes/syncthing_data-test
0755 drwxr-xr-x@ - 1000 7 Dec 00:48 _data |
When running containers with podman run --userns=keep-id --userns $UID:$GID -v test:/tmp/test ... The volumes directory ends up being owned by root within the user namespace, which is not root of the general namespace nor the users uid. If we just allow podman to create these directories with the same UID that is running podman, IE don't chown, they end up with the correct UID in all cases. The actual volume will be chowned to the UID of the container. Fixes: containers#16741 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When running containers with podman run --userns=keep-id --userns $UID:$GID -v test:/tmp/test ... The volumes directory ends up being owned by root within the user namespace, which is not root of the general namespace nor the users uid. If we just allow podman to create these directories with the same UID that is running podman, IE don't chown, they end up with the correct UID in all cases. The actual volume will be chowned to the UID of the container. Fixes: containers#16741 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When running containers with podman run --userns=keep-id --userns $UID:$GID -v test:/tmp/test ... The volumes directory ends up being owned by root within the user namespace, which is not root of the general namespace nor the users uid. If we just allow podman to create these directories with the same UID that is running podman, IE don't chown, they end up with the correct UID in all cases. The actual volume will be chowned to the UID of the container. Fixes: containers#16741 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When running containers with podman run --userns=keep-id --userns $UID:$GID -v test:/tmp/test ... The volumes directory ends up being owned by root within the user namespace, which is not root of the general namespace nor the users uid. If we just allow podman to create these directories with the same UID that is running podman, IE don't chown, they end up with the correct UID in all cases. The actual volume will be chowned to the UID of the container. Fixes: containers#16741 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When running containers with podman run --userns=keep-id --userns $UID:$GID -v test:/tmp/test ... The volumes directory ends up being owned by root within the user namespace, which is not root of the general namespace nor the users uid. If we just allow podman to create these directories with the same UID that is running podman, IE don't chown, they end up with the correct UID in all cases. The actual volume will be chowned to the UID of the container. Fixes: containers#16741 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When running containers with podman run --userns=keep-id --userns $UID:$GID -v test:/tmp/test ... The volumes directory ends up being owned by root within the user namespace, which is not root of the general namespace nor the users uid. If we just allow podman to create these directories with the same UID that is running podman, IE don't chown, they end up with the correct UID in all cases. The actual volume will be chowned to the UID of the container. Fixes: containers#16741 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When running containers with podman run --userns=keep-id --userns $UID:$GID -v test:/tmp/test ... The volumes directory ends up being owned by root within the user namespace, which is not root of the general namespace nor the users uid. If we just allow podman to create these directories with the same UID that is running podman, IE don't chown, they end up with the correct UID in all cases. The actual volume will be chowned to the UID of the container. Fixes: containers#16741 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
A friendly reminder that this issue had no activity for 30 days. |
I may also be experiencing an issue related to this; I am unable to start pods or containers with Here is a debug log creating and starting a pod with no maps: https://pastebin.com/NgNs2tLk Here is a debug log attempting to create and start a pod with a map (intentionally) overlapping an existing user: https://pastebin.com/eSDxz514 In my case, I want some of the programs running in the pod to run as the host system user:group 516000013:516000012. Edit: Additional info if it is relevant:
|
When running containers with podman run --userns=keep-id --userns $UID:$GID -v test:/tmp/test ... The volumes directory ends up being owned by root within the user namespace, which is not root of the general namespace nor the users uid. If we just allow podman to create these directories with the same UID that is running podman, IE don't chown, they end up with the correct UID in all cases. The actual volume will be chowned to the UID of the container. Fixes: containers#16741 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
A friendly reminder that this issue had no activity for 30 days. |
@giuseppe PTAL |
@rhatdan I'd expect your open PR to fix this issue. The cause of the issue is that we chown the volume to the root user in the user namespace, that in the case of
|
When running containers with podman run --userns=keep-id --userns $UID:$GID -v test:/tmp/test ... The volumes directory ends up being owned by root within the user namespace, which is not root of the general namespace nor the users uid. If we just allow podman to create these directories with the same UID that is running podman, IE don't chown, they end up with the correct UID in all cases. The actual volume will be chowned to the UID of the container. Fixes: containers#16741 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
A friendly reminder that this issue had no activity for 30 days. |
When running containers with podman run --userns=keep-id --userns $UID:$GID -v test:/tmp/test ... The volumes directory ends up being owned by root within the user namespace, which is not root of the general namespace nor the users uid. If we just allow podman to create these directories with the same UID that is running podman, IE don't chown, they end up with the correct UID in all cases. The actual volume will be chowned to the UID of the container. Fixes: containers#16741 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Any update on this? I'm having the same issue on Fedora Silverblue. It keeps using the wrong ID. |
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
With below command I expect to have user:1000 created volumes but instead I am having user:100000
Steps to reproduce the issue:
syncthing_data-test
volume created bypodman run
command.
Describe the results you received:
podman run
command is creating volume owned by user 100000 if I use these--userns=keep-id --user=1000:1000
optionsDescribe the results you expected:
I expected volumes are created and owned by user 1000 podman volumes while using
--userns=keep-id --user=1000:1000
options.Additional information you deem important (e.g. issue happens only occasionally):
Output of
podman version
:Output of
podman info
:Package info (e.g. output of
rpm -q podman
orapt list podman
orbrew info podman
):Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?
No
Additional environment details (AWS, VirtualBox, physical, etc.):
The text was updated successfully, but these errors were encountered: