Wrong permissions on idmapped volumes created before starting the container

[klausenbusk]

Issue Description

This is basically the same issue as #16724:

podman still chowns the volume to the containers uid/gid though which causes the container to not be able to use it

The fix for said issue (#16739), only disable chowing if the volume does not exist, but if the volume is created prior to starting the container (e.g. with podman volume create), the volume is chowned and the permissions are wrong.

Steps to reproduce the issue

Steps to reproduce the issue

1. Run podman volume create test (as root)
2. Run podman run --rm --userns=auto -v test:/mnt:idmap archlinux touch /mnt/123 (as root)

Describe the results you received

The process is unable to create the file, due to wrong permissions.

touch: cannot touch '/mnt/123': Permission denied

Describe the results you expected

The process being able to create the file.

podman info output

host:
  arch: amd64
  buildahVersion: 1.33.5
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.10-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: 2dcd736e46ded79a53339462bc251694b150f870'
  cpuUtilization:
    idlePercent: 89.4
    systemPercent: 2.37
    userPercent: 8.23
  cpus: 8
  databaseBackend: boltdb
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  freeLocks: 2043
  hostname: foo
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.5.7-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 1835806720
  memTotal: 16627499008
  networkBackend: cni
  networkBackendInfo:
    backend: cni
    dns: {}
    package: /usr/lib/cni/ is owned by cni-plugins 1.4.0-1
    path: /usr/lib/cni
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.14.1-1
    path: /usr/bin/crun
    version: |-
      crun version 1.14.1
      commit: de537a7965bfbe9992e2cfae0baeb56a08128171
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.3-1
    version: |-
      slirp4netns version 1.2.3
      commit: c22fde291bb35b354e6ca44d13be181c76a0a432
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 3619942400
  swapTotal: 4294963200
  uptime: 32h 3m 18.00s (Approximately 1.33 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 157393113088
  graphRootUsed: 148254687232
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.9.2
  Built: 1706977846
  BuiltTime: Sat Feb  3 17:30:46 2024
  GitCommit: f9a48ebcfa9a39144be0f86f4ba842752835f945-dirty
  GoVersion: go1.21.6
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.2

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

Yes

Additional environment details

N/A

Additional information

I noticed this while trying to use the "new" :idmap option (as described in #16250) with gitlab-runner, which creates the volumes first and then uses them.

[giuseppe]

opened a PR: #21611

[klausenbusk]

@giuseppe I just noticed this is still broken if the container-dir does not exist:

$ podman version
Client:       Podman Engine
Version:      5.0.0
API Version:  5.0.0
Go Version:   go1.22.1
Git Commit:   e71ec6f1d94d2d97fb3afe08aae0d8adaf8bddf0-dirty
Built:        Thu Mar 21 23:30:17 2024
OS/Arch:      linux/amd64

$ sudo podman volume create test
test
$ sudo podman run --rm --userns=auto -v test:/test:idmap archlinux touch /test/123
touch: cannot touch '/test/123': Permission denied

Can we reopen this issue or do you want a new issue? :)

[giuseppe]

@giuseppe I just noticed this is still broken if the container-dir does not exist:

$ podman version
Client:       Podman Engine
Version:      5.0.0
API Version:  5.0.0
Go Version:   go1.22.1
Git Commit:   e71ec6f1d94d2d97fb3afe08aae0d8adaf8bddf0-dirty
Built:        Thu Mar 21 23:30:17 2024
OS/Arch:      linux/amd64

$ sudo podman volume create test
test
$ sudo podman run --rm --userns=auto -v test:/test:idmap archlinux touch /test/123
touch: cannot touch '/test/123': Permission denied

Can we reopen this issue or do you want a new issue? :)

please open a new one