74razor
Flight Engineer

Issues with sharing persistent storage with a container using Podman


I'm creating some containers using podman just to get familiar with the concept. I ran across this issue. First, I ran this command: podman run -dt --name rhel8-storage -p 10000:443 -e KERN=$(uname -r) -e SHELL -v /hostdata:/containerdata:Z ubi8 (I got this from a lab.)

So I have the container running and can access it with: podman exec -it rhel8-storage bash

However, I can't access /containerdata. No matter what I do, I get permission denied. 

[root@a8fad04d55a2 /]# ls -lh /
total 0
lrwxrwxrwx. 1 root root 7 Jun 21 2021 bin -> usr/bin
dr-xr-xr-x. 2 root root 6 Jun 21 2021 boot
drwxrwxrwx. 2 nobody nobody 22 Jan 20 19:23 containerdata

My goal is to share data with the host and the container. I have a document in /hostdata but can't view or create files in the /containerdata folder to verify.

Any help would be appreciated. 

4 Replies
JustinP
Flight Engineer

Well, for starters that image does not have a /containerdata directory.

~]$ podman run -ti ubi8 ls -l

That ^ directory output doesn't list /containerdata under root

Where did this lab come from?

The UBI8 image doesn't need a lot of those parameters (like -p port mapping, -e ENV variables, etc. ... an HTTPD image could use the port mapping) but ignoring that, a simple mount test does work against that UBI8 image:

~]$ mkdir -p $HOME/hostdata

~]$ echo 'hello world' > $HOME/hostdata/test

~]$ podman run -dt --name blah -v $HOME/hostdata:/home:Z ubi8

~]$ podman exec -ti blah cat /home/test

hello world


The container's home directory did mount my local host's test file, so the file contents can be displayed.

BTW: The DO180 class covers this kind of setup.

--
Sr. Solution Architect
74razor
Flight Engineer

This is from Exam #3 in Asghar Ghori's certification guide: create a container and map /host_data01 to /container_data01. I obviously used different directory names, but otherwise followed the directions. My output shows the directory had been created. It just seems that the directory on the container is owned by nobody:nobody and I can't 'cd' to it or 'ls -lh' the directory. I keep getting permission denied.

JustinP
Flight Engineer

Ah, OK.

I don't have Ghori's book but do have Sander's, and Sander says several things need to line up for mounting to work:

1. user on host must own files to be mounted

2. user launching the pod must own those host files

3. SELinux enforcing needs either the :Z option or labelling the dir manually (container_file_t)

1.a. write permission isn't enough for the mounting to work; ownership is required

If Ghori's example says the host dir should be /hostdata01 or anything under /, that means root owns those files, so that's probably the problem. ... but I'm not so convinced that Sanders is completely right either ...

In the DO180 class, we used another command that neither Ghori's example nor Sander's mount uses: podman unshare. The manpage for podman-unshare is pretty clear that it's needed:

"If an unprivileged user wants to mount and work with a container, then they need to execute podman unshare"

For Ghori, try:

$ podman unshare chown -R 0:0 /hostdir01


I'm assuming UID 0 b/c the UBI8 image drops me into a bash prompt that is root@ when I login to the container tty.

--
Sr. Solution Architect
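The reason a root-owned host directory shows up as nobody:nobody inside a rootless container is the user namespace podman creates: container uid 0 is mapped to the launching user's uid and container uids 1 and up to that user's /etc/subuid range, so host uid 0 is simply not mapped and the kernel presents it as the overflow uid 65534. The script below is an added example, not from this thread or from podman, that walks the uid_map format (`podman unshare cat /proc/self/uid_map`) in both directions and runs a pre-flight ownership check on a directory before it is bind-mounted. The sample map is constructed for a user with uid 1000 and a subuid range starting at 100000; substitute the real output of podman unshare for your own user.

```shell
#!/bin/sh
# Added example (not from the thread or from podman): pre-flight check for a
# rootless podman bind mount. Rootless podman runs the container in a user
# namespace whose uid_map (podman unshare cat /proc/self/uid_map) has lines
#   <container-start> <host-start> <count>
# Host uids outside every range are unmapped and appear inside the container
# as the kernel overflow uid 65534, which ls shows as "nobody".

# Constructed sample map: user uid 1000 becomes container root, and the
# subuid range 100000-165535 from /etc/subuid covers container uids 1-65536.
SAMPLE_UID_MAP='         0       1000          1
         1     100000      65536'

OVERFLOW_UID=65534

# container_uid_for <host_uid> [uid_map]: the uid a host-owned inode shows as
# inside the container; prints 65534 when the host uid is unmapped.
container_uid_for() {
    huid=$1
    map=${2:-$SAMPLE_UID_MAP}
    found=$(printf '%s\n' "$map" | while read -r cstart hstart count; do
        [ -z "$cstart" ] && continue
        if [ "$huid" -ge "$hstart" ] && [ "$huid" -lt $((hstart + count)) ]; then
            echo $((cstart + huid - hstart))
            break
        fi
    done)
    echo "${found:-$OVERFLOW_UID}"
}

# host_uid_for <container_uid> [uid_map]: the host uid that
# "podman unshare chown <container_uid>" actually writes to the inode;
# prints "unmapped" when no range covers the container uid.
host_uid_for() {
    cuid=$1
    map=${2:-$SAMPLE_UID_MAP}
    found=$(printf '%s\n' "$map" | while read -r cstart hstart count; do
        [ -z "$cstart" ] && continue
        if [ "$cuid" -ge "$cstart" ] && [ "$cuid" -lt $((cstart + count)) ]; then
            echo $((hstart + cuid - cstart))
            break
        fi
    done)
    echo "${found:-unmapped}"
}

# dir_owner_uid <dir>: numeric owner of a directory (POSIX ls -n, no GNU stat).
dir_owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# preflight <dir> [uid_map]: print the uid the directory will be owned by
# inside the container; return 1 (and print the fix on stderr) when the host
# owner is unmapped and the container would see nobody.
preflight() {
    dir=$1
    map=${2:-$SAMPLE_UID_MAP}
    owner=$(dir_owner_uid "$dir")
    seen=$(container_uid_for "$owner" "$map")
    if [ "$seen" -eq "$OVERFLOW_UID" ]; then
        echo "$dir: host owner uid $owner is unmapped; container sees nobody ($OVERFLOW_UID)" >&2
        echo "fix: podman unshare chown -R 0:0 '$dir'  (or chown it to the launching user on the host)" >&2
        return 1
    fi
    echo "$seen"
}

# Real-host usage (assumed command line, output not captured here):
#   preflight /hostdata "$(podman unshare cat /proc/self/uid_map)"
```

With the sample map, a host file owned by uid 1000 is container root, one owned by 101000 is container uid 1001, and one owned by host root falls through to 65534. That is also why `podman unshare chown -R 0:0` works: inside the namespace it chowns to container uid 0, which the kernel records on disk as the launching user's host uid, the same result the thread reached with `chown user1:user1 /hostdata` as root.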
74razor
Flight Engineer

Hey @JustinP, thanks for the information and apologies for the late reply. OK, so before creating the container, I used root to create the /hostdata directory and then did a 'chown user1:user1 /hostdata'. I did that and then set up the container as I said above and it works. I can create files and see them from the host to the container and vice versa. I am not seeing that step in my guide, so I guess this tells me I should be using more than one reference guide when studying.

I'll try the 'podman unshare' command too, but for now, I'll accept yours as the solution since it helped me out. Thank you again for your time and explanation.
