Score:2

podman: map container user to host user for shared volume permissions


I am trying to set up gitea using podman. I would like to have

  • the data volume mapped to a host directory, because it allows me to easily inspect and backup the data
  • the container process executed by a specific host user

Podman is executed by the root user, mostly because of the problems I had with podman generate systemd --new and rootless containers ( see systemd User= directive not supported, why? and support User= in systemd for running rootless services).

To achieve the mapping with rootful containers I started by mapping all the in-use container uids and gids to the host's gitea user. I ended up with something like

podman run --rm \
    --uidmap=0:$(id -u gitea):1 \
    --gidmap=0:$(id -g gitea):1 \
    --uidmap=1000:$(id -u gitea):1 \
    --gidmap=1000:$(id -g gitea):1 \
    --gidmap=42:$(id -g gitea):1 \
    --volume /srv/gitea/data:/var/lib/gitea \
    docker.io/gitea/gitea:1.18.0-rc1-rootless

The output that I get is

WARN[0000] Path "/etc/SUSEConnect" from "/etc/containers/mounts.conf" doesn't exist, skipping 
WARN[0000] Path "/etc/zypp/credentials.d/SCCcredentials" from "/etc/containers/mounts.conf" doesn't exist, skipping 
Error: OCI runtime error: runc create failed: unable to start container process: can't get final child's PID from pipe: EOF

I successfully ran other podman containers despite the path warnings, so I think they can be ignored.

I am running podman version 3.4.7 on openSUSE Leap 15.3.

How can I run this container, while mapping all the in-use uids and gids to a specific host user/group?

Score:3

The root cause seems to have been trying to map multiple container uids (and gids) to a single uid/gid on the host. So I was trying to map (container to host):

  • UID 0 → gitea
  • GID 0 → gitea
  • UID 1000 → gitea
  • GID 1000 → gitea
  • GID 42 → gitea

Instead I am now falling back to a different mapping, where just the 1000 UID/GID pair, the one actually running the Gitea app, is mapped to the host user, and the others receive a different UID range using

    --uidmap=0:10000:999 \
    --gidmap=0:10000:999 \
    --uidmap=1000:$(id -u gitea):1 \
    --gidmap=1000:$(id -g gitea):1 \

This means that we have the following mappings

  • UIDs 0-999 → 10000-10999
  • GIDs 0-999 → 10000-10999
  • UID 1000 → gitea
  • GID 1000 → gitea

With this change, the container starts up successfully and the permissions on the host are as expected.

A side-note: Podman 4.3 introduced the options uid and gid that can be used as `--userns=keep-id:uid=$uid,gid=$gid`. That could be used as an alternative to using --uidmap and --gidmap (see https://github.com/containers/podman/blob/main/troubleshooting.md#39-podman-run-fails-with-error-unrecognized-namespace-mode-keep-iduid1000gid1000-passed)

Robert Munteanu: Thanks for the info @ErikSjölund, will take a look once openSUSE updates, probably around Leap 15.5, as the latest (Tumbleweed) version has podman 4.2.1.
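As an added illustration (not code from the question, the answer, or Podman itself), the following bash script applies the rule the accepted answer ran into: the kernel refuses to write a uid_map or gid_map in which two entries overlap on either the container side or the host side, so two container ids can never both land on one host id. It reproduces that check over --uidmap-style "container:host:length" triples and translates a container id to the host id it maps to, using the question's mapping and the answer's mapping as inputs. The gitea uid (GITEA_UID=1002) and the 10000 range are assumed values; on a real host substitute `id -u gitea` / `id -g gitea`.

```bash
#!/usr/bin/env bash
# Added example, not part of the original question or answer: reproduce the
# kernel's overlap check on a set of podman --uidmap/--gidmap triples and show
# which host id a given container id ends up owning files as.
#
# Each triple is "container_start:host_start:length", the argument form of
# podman's --uidmap / --gidmap in rootful mode, where host_start is a real host
# uid/gid. The kernel rejects /proc/<pid>/uid_map when any two entries overlap
# on the container side OR on the host side; runc then dies before the
# container starts, which is the failure the question reports.

# Assumed host uid of the gitea account (real value: `id -u gitea`).
GITEA_UID=1002

# _split "c:h:l" -> sets C, H, L
_split() {
    C=${1%%:*}
    local rest=${1#*:}
    H=${rest%%:*}
    L=${rest#*:}
}

# _overlap start1 len1 start2 len2 -> true if the two inclusive ranges intersect
_overlap() {
    local a=$1 b=$(( $1 + $2 - 1 )) c=$3 d=$(( $3 + $4 - 1 ))
    [ "$a" -le "$d" ] && [ "$c" -le "$b" ]
}

# map_check TRIPLE... -> prints "ok" and returns 0, or names the first
# overlapping pair and returns 1 (what the kernel rejects with EINVAL).
map_check() {
    local i=0 j a b ac ah al
    for a in "$@"; do
        i=$((i + 1)); j=0
        for b in "$@"; do
            j=$((j + 1))
            [ "$j" -le "$i" ] && continue      # each unordered pair once
            _split "$a"; ac=$C; ah=$H; al=$L
            _split "$b"
            if _overlap "$ac" "$al" "$C" "$L"; then
                echo "container ids overlap: $a vs $b"; return 1
            fi
            if _overlap "$ah" "$al" "$H" "$L"; then
                echo "host ids overlap: $a vs $b"; return 1
            fi
        done
    done
    echo ok
}

# map_lookup ID TRIPLE... -> prints the host id a container id maps to, or
# "unmapped" (such ids show up as the overflow id, 65534 by default, and the
# container cannot chown files to them).
map_lookup() {
    local id=$1 m; shift
    for m in "$@"; do
        _split "$m"
        if [ "$id" -ge "$C" ] && [ "$id" -lt $(( C + L )) ]; then
            echo $(( H + id - C )); return 0
        fi
    done
    echo unmapped; return 1
}

# The question's mapping: container uid 0 and uid 1000 both sent to gitea's uid.
QUESTION_MAP="0:$GITEA_UID:1 1000:$GITEA_UID:1"
# The answer's mapping: system ids to a spare host range, 1000 to gitea.
ANSWER_MAP="0:10000:999 1000:$GITEA_UID:1"

# shellcheck disable=SC2086  # word splitting of the map strings is intended
printf 'question map: %s\n' "$(map_check $QUESTION_MAP)"
printf 'answer map:   %s\n' "$(map_check $ANSWER_MAP)"
printf 'container uid 1000 (git) is host uid %s\n' "$(map_lookup 1000 $ANSWER_MAP)"
printf 'container uid 0 (root) is host uid   %s\n' "$(map_lookup 0 $ANSWER_MAP)"
printf 'container uid 999 is host uid        %s\n' "$(map_lookup 999 $ANSWER_MAP)"
```

Running it reports that the question's map overlaps on the host side while the answer's does not, that container uid 1000 lands on the gitea uid and container root on 10000, and that a triple of length 999 starting at 0 covers container ids 0..998 only, so id 999 stays unmapped (a length of 1000 is needed to cover 0..999). The host column is a real host id only in rootful mode; in rootless podman it indexes the intermediate namespace built from /etc/subuid, so the same triples mean something else there. Keeping container root on an unprivileged host range is also the security payoff of this layout: whatever runs as root inside the image owns nothing on the host beyond what uid 10000 owns, and only the one id that actually runs Gitea touches the bind-mounted data as the gitea account.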