Hello,
Which is the correct way to give permission for the host directory if I want a bind-mounted mapping from /home/user1/mariadb to $PATH (just random stuff)?
1. chown username /home/user1/mariadb
2. podman unshare ##:## /home/user1/mariadb
I had a lecture and the prof used method 1 for RHCSA8 lecture and used method 2 for RHCSA9 lecture.
Also, if the port mapping was 8080:8080, should I add TCP 8080 on firewalld as root?
https://docs.podman.io/en/latest/markdown/podman-unshare.1.html
"podman unshare" is also useful to use the podman mount command. If an unprivileged user wants to mount and work with a container, then they need to execute podman unshare. Executing podman mount fails for unprivileged users unless the user is running inside a podman unshare session.
But if it's about binding the volume while the container is being created: "podman run ... -v /opt/local:/opt/local:Z", unshare is not required. (":Z" is added for SELinux).
When firewalld is active, remote access to port 8080 needs to be allowed; only root can do that.
The user ID and group ID in the container are mapped to some user ID and group ID on the host (the mapping range is specified in some configuration file). You can see that with the command:
podman exec -it <your_container> bash
# cat /proc/self/uid_map
27 1234 (container user id/host user id)
# cat /proc/self/gid_map
27 4321 (container group id/host group id)
This gives you the container user and the host user.
You have 2 options:
1. podman unshare chown -R container-user-id:container-group-id /some/dir
2. chown -R host-user-id:host-group-id /some/dir
Verify it
podman unshare ls -ld /some/dir
-rwxrwxrwx 27 27 ......
ls -ld /some/dir
-rwxrwxrwx 1234 4321 ......
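
Added example, not part of the posts above: a shell sketch of the translation behind the two chown options, turning a container ID (27, as in the answer) into the host ID that must own the bind-mounted directory. It assumes the kernel's three-column uid_map/gid_map layout (first ID inside the namespace, first ID on the host, range length); the sample map and the names map_id and host_owner_for are constructed for illustration.

```shell
#!/bin/sh
# Translate an ID inside the container's user namespace to the host ID,
# using the three-column format of /proc/<pid>/uid_map and gid_map:
#   <first ID inside namespace> <first ID on host> <range length>

# map_id ID < mapfile
# Prints the host ID for ID; returns 1 if no range in the map covers it.
map_id() {
    awk -v id="$1" '
        NF == 3 && id >= $1 && id < $1 + $3 {
            print $2 + (id - $1); found = 1; exit
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample: a rootless mapping for a host user with UID 1000 and a
# subordinate ID range starting at 100000 (illustrative values, not from the post).
SAMPLE_MAP='         0       1000          1
         1     100000      65536'

# host_owner_for UID GID
# Prints "hostuid:hostgid", the owner a host-side chown would have to set so
# that the directory appears as UID:GID inside the container.
host_owner_for() {
    u=$(printf '%s\n' "$SAMPLE_MAP" | map_id "$1") || return 1
    g=$(printf '%s\n' "$SAMPLE_MAP" | map_id "$2") || return 1
    printf '%s:%s\n' "$u" "$g"
}

# Container user 27 falls in the second range: 100000 + (27 - 1)
host_owner_for 27 27
```

Running chown inside podman unshare performs this translation implicitly, which is why option 1 takes container IDs while a host-side chown takes the mapped host IDs.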
Red Hat
Learning Community