podman: map container user to host user for shared volume permissions

in flag

I am trying to set up gitea using podman. I would like to have

  • the data volume mapped to a host directory, because it allows me to easily inspect and backup the data
  • the container process executed by a specific host user

Podman is executed by the root user, mostly because of the problems I had with podman generate systemd --new and rootless containers ( see systemd User= directive not supported, why? and support User= in systemd for running rootless services).

To achieve the mapping with rootfull containers started mapping all the in-use container uids and gids to the host's gitea user. I ended up with something like

podman run --rm \
    --uidmap=0:$(id -u gitea):1 \
    --gidmap=0:$(id -g gitea):1 \
    --uidmap=1000:$(id -u gitea):1 \
    --gidmap=1000:$(id -g gitea):1 \
    --gidmap=42:$(id -g gitea):1 \
    --volume /srv/gitea/data:/var/lib/gitea \

The output that I get is

WARN[0000] Path "/etc/SUSEConnect" from "/etc/containers/mounts.conf" doesn't exist, skipping 
WARN[0000] Path "/etc/zypp/credentials.d/SCCcredentials" from "/etc/containers/mounts.conf" doesn't exist, skipping 
Error: OCI runtime error: runc create failed: unable to start container process: can't get final child's PID from pipe: EOF

I succesfully ran other podman containers despite the path warnings, so I think they can be ignored.

I am running podman version 3.4.7 on openSUSE Leap 15.3 .

How can I run this container, while mapping all the in-use uids and gids to a specific host user/group?

in flag

The root cause seems to have been trying to map multiple container uids ( and gids ) to the a single uid/gid to the host. So I was trying to map ( container to host ):

  • UID 0 → gitea
  • GID 0 → gitea
  • UID 1000 → gitea
  • GID 1000 → gitea
  • GID 42 → gitea

Instead I am know falling back to a different mapping, where just the 1000 UID/GID pair, the one actually running the Gitea app, is mapped to the host user, and others receive a different UID range using

    --uidmap=0:10000:999 \
    --gidmap=0:10000:999 \
    --uidmap=1000:$(id -u gitea):1 \
    --gidmap=1000:$(id -g gitea):1 \

This means that we have the following mappings

  • UIDs 0-999 → 10000-10999
  • GIDs 0-999 → 10000-10999
  • UID 1000 → gitea
  • GID 1000 → gitea

With this change, the container starts up successfully and the permissions on the host are as expected.

in flag
A side-note: Podman 4.3 introduced the options _uid_ and _gid_ that can be used as `--userns=keep-id:uid=$uid,gid=$gid`. That could be used as an alternative to using __--uidmap__ and __--gidmap__ (see
Robert Munteanu avatar
in flag
Thanks for the info @ErikSjölund, will take a look once openSUSE updates, probably around Leap 15.5, as the latest (Tumbleweed) version has podman 4.2.1 .
I sit in a Tesla and translated this thread with Ai:


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.