I'm creating some containers using podman just to get familiar with the concept. I ran across this issue. First, I ran this command: podman run -dt --name rhel8-storage -p 10000:443 -e KERN=$(uname -r) -e SHELL -v /hostdata:/containerdata:Z ubi8 (I got this from a lab.)
So I have the container running and can access it with: podman exec -it rhel8-storage bash
However, I can't access /containerdata. No matter what I do, I get permission denied.
[root@a8fad04d55a2 /]# ls -lh /
total 0
lrwxrwxrwx. 1 root root 7 Jun 21 2021 bin -> usr/bin
dr-xr-xr-x. 2 root root 6 Jun 21 2021 boot
drwxrwxrwx. 2 nobody nobody 22 Jan 20 19:23 containerdata
My goal is to share data with the host and the container. I have a document in /hostdata but can't view or create files in the /containerdata folder to verify.
Any help would be appreciated.
Well, for starters that image does not have a /containerdata directory.
~]$ podman run -ti ubi8 ls -l
That ^ directory output doesn't list /containerdata under root
Where did this lab come from?
The UBI8 image doesn't need a lot of those parameters (like -p port mapping, -e ENV variables, etc. ... an HTTPD image could use the port mapping) but ignoring that, a simple mount test does work against that UBI8 image:
~]$ mkdir -p $HOME/hostdata
~]$ echo 'hello world' > $HOME/hostdata/test
~]$ podman run -dt --name blah -v $HOME/hostdata:/home:Z ubi8
~]$ podman exec -ti blah cat /home/test
hello world
The container's home directory did mount my local host's test file, so the file contents can be displayed.
BTW: The DO180 class covers this kind of setup.
This is from Exam #3 in Asghar Ghori's certification guide. Create a container and map /host_data01 to /container_data01. I obviously used different directory names, but otherwise followed the directions. My output shows the directory had been created. It just seems that the directory on the container is owned by nobody:nobody and I can't 'cd' to it or 'ls -lh' the directory. I keep getting permission denied.
Ah, OK.
I don't have Ghori's book but do have Sander's, and Sander says several things need to line up for mounting to work:
1. user on host must own files to be mounted
2. user launching the pod must own those host files
3. SELinux enforcing needs either :Z option or label the dir manually (container_file_t)
1.a. write permission isn't enough for the mounting to work; ownership is required
If Ghori's example says the host dir should be /hostdata01 or anything under /, that means root owns those files, so that's probably the problem. ... but I'm not so convinced that Sander is completely right either ...
In the DO180 class, we used another command that neither Ghori's example nor Sander's mount uses: podman unshare. The manpage for podman-unshare is pretty clear that it's needed:
"If an unprivileged user wants to mount and work with a container, then they need to execute podman unshare"
For Ghori, try:
$ podman unshare chown -R 0:0 /hostdir01
I'm assuming UID 0 b/c the UBI8 image drops me into a bash prompt that is root@ when I login to the container tty.
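The nobody:nobody ownership and the "ownership, not write permission" rule above both come from rootless podman's user namespace: the launching user's own host UID becomes UID 0 inside the container, the user's /etc/subuid range becomes container UIDs 1..N, and any other host UID (root's 0 included) has no mapping and shows up as the kernel overflow UID 65534, i.e. nobody. The script below is an added example, not code from this thread or from podman; it models that mapping so you can predict what a bind-mounted directory will look like before starting a container, and it wraps the podman unshare / :Z steps in a helper. The user name, host UID 1000 and the subuid line user1:100000:65536 are assumed values; read your own from /etc/subuid.

```shell
#!/bin/sh
# Added example (not from the original thread). Models rootless podman's default
# user-namespace UID mapping and shows the host-side preparation for a shared directory.
# Assumed values: launching user "user1", host UID 1000, /etc/subuid "user1:100000:65536".

USER_UID=1000        # assumption: host UID of the user running podman
SUBUID_START=100000  # assumption: first UID from that user's /etc/subuid entry
SUBUID_COUNT=65536   # assumption: size of that entry
OVERFLOW_UID=65534   # kernel overflowuid: unmapped owners appear as this ("nobody")

# Container UID -> host UID. This is what `podman unshare chown N:N dir` really writes to disk.
#   container 0      -> the user's own host UID
#   container 1..N   -> SUBUID_START + (uid - 1)
container_to_host() {
  cuid=$1
  if [ "$cuid" -eq 0 ]; then
    echo "$USER_UID"
  elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$SUBUID_COUNT" ]; then
    echo $((SUBUID_START + cuid - 1))
  else
    echo "unmapped"
    return 1
  fi
}

# Host UID -> container UID. This is what `ls -l` inside the container shows for a bind mount.
# A root-owned (UID 0) host directory is outside the mapping, hence nobody:nobody.
host_to_container() {
  huid=$1
  if [ "$huid" -eq "$USER_UID" ]; then
    echo 0
  elif [ "$huid" -ge "$SUBUID_START" ] && [ "$huid" -lt $((SUBUID_START + SUBUID_COUNT)) ]; then
    echo $((huid - SUBUID_START + 1))
  else
    echo "$OVERFLOW_UID"
  fi
}

# Compare the model against the real mapping of a live rootless podman, if one is installed.
show_live_uid_map() {
  command -v podman >/dev/null 2>&1 || { echo "podman not installed"; return 0; }
  podman unshare cat /proc/self/uid_map
}

# Create a host directory the unprivileged user owns (so it maps to container UID 0),
# then bind-mount it with :Z so SELinux relabels it container_file_t, and prove it is writable.
# Note: if the directory already exists and is owned by host root, `podman unshare chown`
# cannot fix it; host root must chown it to the launching user first (as the asker did).
prepare_shared_dir() {
  dir=$1
  mkdir -p "$dir"
  podman unshare chown 0:0 "$dir"   # no-op for a freshly created dir, shown for the general case
  podman run --rm -v "$dir:/containerdata:Z" ubi8 \
    sh -c 'ls -ld /containerdata && touch /containerdata/from-container'
}

# Worked cases from the thread: root-owned /hostdata shows as nobody, user-owned shows as root.
echo "host root  (0)    -> container $(host_to_container 0)"
echo "host user1 (1000) -> container $(host_to_container 1000)"
echo "container 0       -> host $(container_to_host 0)"
echo "container 1000    -> host $(container_to_host 1000)"
```

Running `show_live_uid_map` on a rootless system prints lines of the form `0 1000 1` and `1 100000 65536`, which are exactly the two rules the model encodes; if your second line differs, adjust SUBUID_START and SUBUID_COUNT. `prepare_shared_dir "$HOME/hostdata"` is the end-to-end check: a successful `touch` from inside the container confirms both the ownership mapping and the SELinux label are right.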
Hey @JustinP , thanks for the information and apologies for the late reply. Ok, so before creating the container, I used root to create the /hostdata directory and then did a 'chown user1:user1 /hostdata'. I did that and then setup the container as I said above and it works. I can create files and see them from the host to the container and vice versa. I am not seeing that step in my guide, so I guess this tells me I should be using more than one reference guide when studying.
I'll try the 'podman unshare' command too, but for now, I'll accept yours as the solution since it helped me out. Thank you again for your time and explanation.