Podman rootless container: Accessing external volumes is cumbersome
I want to access directories on the host system from inside a rootless podman container.
When using external volumes with podman rootless containers, the user who accesses the external volumes has a subuid and subgid of the user who invoked podman. Which user id depends on the sub-id range of the invoking user and the internal user in the OCI container. The only way I found to give this sub-user access to external volumes (besides just making the folder writable by everyone on the host system) is to chown the directory directly to that sub-user id. Is there a better way to do this which does not involve me manually checking /etc/subgid and also the user in the container?
Solution 1:
Alternative 1
Podman 3.1.0 (released in March 2021) introduced the new suffix :U to the --volume command-line option.
Quote from the man page:
The :U suffix tells Podman to use the correct host UID and GID based on the UID and GID within the container, to change recursively the owner and group of the source volume.
Alternative 2 (recommended)
Instead of changing the ownership you might be able to map the container UID to the host UID that currently owns the files in the volume. The command-line options for that are --uidmap and --gidmap:
The --uidmap option provides a way for the user to map container UIDs to host UIDs.
Container UIDs are not directly mapped to host UIDs, though. Instead the mapping happens over two mapping steps:
container UID -> intermediate UID -> host UID
The first mapping step can be configured with --uidmap. The amount specifies the number of consecutive UIDs that will be mapped.
If, for example, amount is 4, the first mapping step would look like:
container UID | intermediate UID |
---|---|
container_uid | intermediate_uid |
container_uid + 1 | intermediate_uid + 1 |
container_uid + 2 | intermediate_uid + 2 |
container_uid + 3 | intermediate_uid + 3 |
The second mapping step is derived by podman from the contents of the file /etc/subuid and the UID of the user starting podman.
Second mapping step:
intermediate UID | host UID |
---|---|
0 | UID for the user starting podman |
1 | 1st SUBUID from /etc/subuid |
2 | 2nd SUBUID from /etc/subuid |
3 | 3rd SUBUID from /etc/subuid |
nth | nth SUBUID from /etc/subuid |
(The SUBUIDs used from /etc/subuid are taken from the ranges belonging to the user that started podman)
Update 2022-02-14
I wrote a troubleshooting tip about Alternative 2 in the Podman documentation.
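As an added example (not part of the original answer and not Podman's own code), the two mapping steps from Alternative 2 implemented as POSIX sh functions, run against a constructed stand-in for /etc/subuid. It resolves a container UID to the host UID that a file written by that container user would end up with, and builds the --uidmap/--gidmap entries that place a chosen container UID on intermediate UID 0, i.e. on the invoking user, so a volume owned by that user needs neither a chown nor :U. Assumptions: the function names, the sample users and ranges are made up; a user's several ranges in /etc/subuid are assumed to be consumed in file order.

```shell
#!/bin/sh
# Added example, not from the original answer or from Podman. The helper
# names (subid_count, container_to_intermediate, ...) are hypothetical.

# Constructed stand-in for /etc/subuid (same format as /etc/subgid):
# <user or uid>:<first sub-id>:<count>. A user may own several ranges;
# this example assumes Podman consumes them in file order.
SUBUID_SAMPLE='alice:100000:65536
bob:165536:65536
alice:300000:1000'

# Total number of subordinate IDs the user owns across all its ranges.
subid_count() {
    user=$1; table=$2
    printf '%s\n' "$table" | awk -F: -v u="$user" '$1 == u { s += $3 } END { print s + 0 }'
}

# Step 1: container ID -> intermediate ID.
# Extra arguments are mapping entries in Podman's
# container_id:intermediate_id:amount form; "--uidmap"/"--gidmap"
# tokens are skipped so the output of idmap_flags_for can be passed as-is.
container_to_intermediate() {
    cid=$1; shift
    for entry in "$@"; do
        case $entry in --*) continue ;; esac
        c=${entry%%:*}; rest=${entry#*:}; i=${rest%%:*}; amt=${rest#*:}
        if [ "$cid" -ge "$c" ] && [ "$cid" -lt $((c + amt)) ]; then
            echo $((i + cid - c))
            return 0
        fi
    done
    echo "container id $cid is not covered by any mapping entry" >&2
    return 1
}

# Step 2: intermediate ID -> host ID.
# 0 is the invoking user's own ID; n >= 1 is the n-th sub-id of that user,
# counted across the user's ranges in file order.
intermediate_to_host() {
    inter=$1; user=$2; user_id=$3; table=$4
    if [ "$inter" -eq 0 ]; then
        echo "$user_id"
        return 0
    fi
    printf '%s\n' "$table" | awk -F: -v u="$user" -v n="$inter" '
        $1 == u {
            if (n <= $3) { print $2 + n - 1; found = 1; exit }
            n -= $3
        }
        END { if (!found) { print "no sub-id range covers that intermediate id" > "/dev/stderr"; exit 1 } }'
}

# Both steps together: which host ID does a file written by container ID $1 get?
container_to_host() {
    cid=$1; user=$2; user_id=$3; table=$4; shift 4
    inter=$(container_to_intermediate "$cid" "$@") || return 1
    intermediate_to_host "$inter" "$user" "$user_id" "$table"
}

# Build the flags that map container ID $2 to intermediate 0 (the invoking
# user) while every other container ID still lands on a sub-id.
# $1 is "uidmap" or "gidmap"; $3 is the user's sub-id count (see subid_count).
idmap_flags_for() {
    flag=$1; cid=$2; size=$3
    if [ "$cid" -gt "$size" ]; then
        echo "container id $cid exceeds the $size available sub-ids" >&2
        return 1
    fi
    if [ "$cid" -eq 0 ]; then
        # Podman's default rootless layout: root in the container is the user.
        echo "--$flag 0:0:1 --$flag 1:1:$size"
    else
        echo "--$flag 0:1:$cid --$flag ${cid}:0:1 --$flag $((cid + 1)):$((cid + 1)):$((size - cid))"
    fi
}

# Demo with the constructed table: container UID 1000 lands on alice's own
# host UID 1000, container root lands on her first sub-id. For real use,
# replace the table with "$(cat /etc/subuid)" and 1000 with "$(id -u)"; the
# resulting invocation would be along the lines of
#   podman run --rm $(idmap_flags_for uidmap 1000 "$n") $(idmap_flags_for gidmap 1000 "$n") \
#       --user 1000:1000 -v "$PWD/data:/data" alpine touch /data/hello
n=$(subid_count alice "$SUBUID_SAMPLE")
flags=$(idmap_flags_for uidmap 1000 "$n")
echo "flags:          $flags"
echo "container 1000 -> host $(container_to_host 1000 alice 1000 "$SUBUID_SAMPLE" $flags)"
echo "container 0    -> host $(container_to_host 0 alice 1000 "$SUBUID_SAMPLE" $flags)"
```

The GID side is identical: feed the contents of /etc/subgid and the user's primary GID into the same functions and request "gidmap" from idmap_flags_for. Note that the first field of /etc/subuid may hold a numeric UID rather than a user name on some systems, in which case match on that. The trade-off against Alternative 1 is worth keeping in mind: :U recursively rewrites the ownership of the host directory, which every other process on the host will see, whereas a mapping leaves the files exactly as they are and only changes how this one container views them.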