spurs
Flight Engineer

Rootless container ownership

Hello,

Which is the correct way to give permission for the host directory if I want a bind-mount mapping from /home/user1/mariadb to $PATH (just random stuff)?

1. chown username /home/user1/mariadb

2. podman unshare chown ##:## /home/user1/mariadb

I had a lecture and the prof used method 1 in the RHCSA8 lecture and method 2 in the RHCSA9 lecture.

+ If the port mapping was 8080:8080, should I add TCP 8080 on firewalld as root?

2 Replies
ipalagin
Flight Engineer

https://docs.podman.io/en/latest/markdown/podman-unshare.1.html

"podman unshare" is also useful to use the podman mount command. If an unprivileged user wants to mount and work with a container, then they need to execute podman unshare. Executing podman mount fails for unprivileged users unless the user is running inside a podman unshare session.

But if it's about binding the volume while the container is being created: "podman run ... -v /opt/local:/opt/local:Z", unshare is not required. (":Z" is added for SELinux).

When firewalld is active, remote access to port 8080 needs to be allowed; only root can do that.

dkcbk
Flight Engineer

User id and group id in the container are mapped to some user id and group id on the host (the mapping range is specified in a configuration file). You can see that with the command: podman exec -it <your_container> bash
# cat /proc/self/uid_map
27 1234 (container user id/host user id)
# cat /proc/self/gid_map
27 4321 (container group id/host group id)

Which gives you the container user and the host user.
You have 2 options:
1. podman unshare chown -R container-user-id:container-group-id /some/dir
2. chown -R host-user-id:host-group-id /some/dir (run on the host, outside podman unshare)

Verify it:
podman unshare ls -ld /some/dir
-rwxrwxrwx 27 27 ......

ls -ld /some/dir
-rwxrwxrwx 1234 4321 ......
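As an added example (not part of the thread), a small POSIX shell script that does the ID arithmetic behind the two chown options above: it reads a map in the /proc/self/uid_map format (inside id, outside id, length) and translates a container UID/GID to the host ID that owns the same files. The map contents and the host user 1000 with subuid range 100000-165535 are constructed sample values, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the thread: translate IDs between a rootless Podman
# user namespace and the host, using the /proc/self/uid_map format shown above.
# Each map line is: <id inside namespace> <id outside namespace> <length>.

# Constructed sample maps (assumption, not taken from a real system): what
# `podman unshare cat /proc/self/uid_map` prints for host user 1000 whose
# /etc/subuid and /etc/subgid grant the range 100000-165535.
SAMPLE_UID_MAP='0 1000 1
1 100000 65536'
SAMPLE_GID_MAP=$SAMPLE_UID_MAP

# map_id <id> <map text>
# Prints the ID on the other side of the namespace boundary. With a uid_map as
# printed, it converts container ID -> host ID. Returns 1 when the ID falls
# outside every mapped range: such IDs have no host counterpart, so a chown to
# them fails inside the namespace and the files show up as nobody/65534.
map_id() {
    printf '%s\n' "$2" | awk -v id="$1" '
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# container_to_host <id> <map text>: e.g. container UID 27 -> host UID 100026
container_to_host() { map_id "$1" "$2"; }

# host_to_container <id> <map text>: swap the first two columns, then reuse map_id
host_to_container() {
    swapped=$(printf '%s\n' "$2" | awk 'NF == 3 { print $2, $1, $3 }')
    map_id "$1" "$swapped"
}

# host_chown_for <container-uid> <container-gid> <dir>
# Prints the host-side chown (option 2 in the reply) that has the same effect as
# `podman unshare chown -R <uid>:<gid> <dir>` (option 1), using the sample maps.
host_chown_for() {
    huid=$(container_to_host "$1" "$SAMPLE_UID_MAP") || return 1
    hgid=$(container_to_host "$2" "$SAMPLE_GID_MAP") || return 1
    printf 'chown -R %s:%s %s\n' "$huid" "$hgid" "$3"
}

# Demo with the reply's example container UID/GID 27: prints
# "chown -R 100026:100026 /home/user1/mariadb"
host_chown_for 27 27 /home/user1/mariadb
```

On a real host, feed the output of `podman unshare cat /proc/self/uid_map` and `gid_map` into the functions instead of the sample maps to check which host IDs a given container user ends up owning.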
