Podman rootless container: Accessing external volumes is cumbersome

podman

I want to access directories on the host system from inside a rootless podman container. When using external volumes with podman rootless containers, the user who accesses the external volumes has a subuid and subgid of the user who invoked podman. Which user id depends on the sub-id range of the invoking user and the internal user in the OCI container. The only way I found to give this sub-user access to external volumes (besides just making the folder writable by everyone on the host system) is to chown the directory directly to that sub-user id. Is there a better way to do this which does not involve me manually checking /etc/subgid and also the user in the conainer?


Solution 1:

Alternative 1

Podman 3.1.0 (released in March 2021) introduced the new suffix :U to the --volume command-line option.

Quote from the man page:

The :U suffix tells Podman to use the correct host UID and GID based on the UID and GID within the container, to change recursively the owner and group of the source volume.

Alternative 2 (recommended)

Instead of changing the ownership you might be able to map the container UID to the host UID that currently owns the files in the volume. The command-line options for that are --uidmap and --gidmap:

The --uidmap option provides a way for the user to map container UIDs to host UIDs. Container UIDs are though not directly mapped to host UIDs. Instead the mapping happens over two mapping steps:

container UID -> intermediate UID -> host UID

The first mapping step can be configured with --uidmap. The amount specifies the number of consecutive UIDs that will be mapped.

If for example amount is 4 the first mapping step would look like:

container UID intermediate UID
container_uid intermediate_uid
container_uid + 1 intermediate_uid + 1
container_uid + 2 intermediate_uid + 2
container_uid + 3 intermediate_uid + 3

The second mapping step is derived by podman from the contents of the file /etc/subuid and the UID of the user starting podman.

Second mapping step:

intermediate UID host UID
0 UID for the user starting podman
1 1st SUBUID from /etc/subuid
2 2nd SUBUID from /etc/subuid
3 3rd SUBUID from /etc/subuid
nth nth SUBUID from /etc/subuid

(The SUBUIDs used from /etc/subuid are taken from the ranges belonging to the user that started podman)

Update 2022-02-14

I wrote a troubleshooting tip about Alternative 2 in the Podman documentation.

Related

One word to describe this type of embarrassment
Add custom header to all responses in Web API
Is it correct to write 'valuable asset'?
How to rollback everything to previous commit
Define "plate" from Sweeney Todd musical
Word for "the people who lose in a battlefield"?
Failure to do something out of fear
Is this an IIS issue or a Database Issue? Non Concurrent collections must have exclusive access
Bacula storage daemon won't write to labeled volume
SSH tunnel attempt. Unable to establish SSH connection without actual shell. (Arch Linux)
"It worked for me in high school and it's been a reflex ever since"? [closed]
Apache2: Disable web services and only use mod_proxy