sharing (user owned) directory/files between rootless podman (userns=auto) and host

[BinaryKhaos]

I apologize in advance for misusing the issue tracker (which I normal would frown upon myself and also refrain from doing) but I asked this ages ago on the Discord channel and never received any feedback and all my own research did not lead me to any real solution or good information on that subject. :-(

Given the following situation:

• rootless podman
• userns=auto (so $UID is not mapped into the container at all)
• inside container: commands run as non-root user

How can I share directories/files seamlessly (without hefty ACL trickery and group magic that does not scale nor without r(w) access for all nor without chowning the directory)?

An idmap (rbind) mount would be ideal but, if I read fs/namespace.c in the kernel sources correctly, that still requires CAP_SYS_ADMIN which kinda defeats the purpose of it all. I tried somehow getting this to work with (fuse) overlayfs but I got nowhere thus far.

Is there any way to do this at all with rootless podman or is running podman as root the only solution?

podman info:

host:
  arch: amd64
  buildahVersion: 1.29.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: app-containers/conmon-2.1.6
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.1.6, commit: v2.1.6'
  cpuUtilization:
    idlePercent: 81.48
    systemPercent: 5.03
    userPercent: 13.49
  cpus: 8
  distribution:
    distribution: gentoo
    version: "2.13"
  eventLogger: journald
  hostname: TARDIS
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.2.2-230307-r1
  linkmode: dynamic
  logDriver: journald
  memFree: 15840677888
  memTotal: 33596272640
  networkBackend: cni
  ociRuntime:
    name: crun
    package: app-containers/crun-1.8.1
    path: /usr/bin/crun
    version: |-
      crun version 1.8.1
      commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: app-containers/slirp4netns-1.2.0
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 6h 52m 38.00s (Approximately 0.25 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: docker.io
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io
    PullFromMirror: ""
  localhost:5000:
    Blocked: false
    Insecure: true
    Location: localhost:5000
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: localhost:5000
    PullFromMirror: ""
  search:
  - docker.io
  - quay.io
  - registry.fedoraproject.org
store:
  configFile: /home/matthew/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: sys-fs/fuse-overlayfs-1.10
      Version: |-
        fusermount3 version: 3.14.0
        fuse-overlayfs: version 1.10
        FUSE library version 3.14.0
        using FUSE kernel interface version 7.38
  graphRoot: /home/matthew/.local/share/containers/storage
  graphRootAllocated: 1978033311744
  graphRootUsed: 759315042304
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/matthew/.local/share/containers/storage/volumes
version:
  APIVersion: 4.4.1
  Built: 1676880362
  BuiltTime: Mon Feb 20 09:06:02 2023
  GitCommit: 34e8f3933242f2e566bbbbf343cf69b7d506c1cf
  GoVersion: go1.20.1
  Os: linux
  OsArch: linux/amd64
  Version: 4.4.1

[mheon]

I think you’ve hit the nail on the head: this requires idmap, but the kernel restricts this to root for the moment. There is talk of relaxing this restriction, but I don’t think this is going to happen any time soon, unfortunately. Until then, root and chown are the only option.

…

On Mon, Mar 13, 2023 at 09:41 Matthias Dahl ***@***.***> wrote: I apologize in advance for misusing the issue tracker (which I normal would frown upon myself and also refrain from doing) but I asked this ages ago on the Discord channel and never received any feedback and all my own research did not lead me to any real solution or good information on that subject. :-( Given the following situation: - rootless podman - userns=auto (so $UID is not mapped into the container at all) - inside container: commands run as non-root user How can I share directories/files seamlessly (without hefty ACL trickery and group magic that does not scale nor without r(w) access for all nor without chowning the directory)? An idmap (rbind) mount would be ideal but, if I read fs/namespace.c in the kernel sources correctly, that still requires CAP_SYS_ADMIN which kinda defeats the purpose of it all. I tried somehow getting this to work with (fuse) overlayfs but I got nowhere thus far. Is there any way to do this at all with rootless podman or is running podman as root the only solution? podman info: host: arch: amd64 buildahVersion: 1.29.0 cgroupControllers: - memory - pids cgroupManager: systemd cgroupVersion: v2 conmon: package: app-containers/conmon-2.1.6 path: /usr/libexec/podman/conmon version: 'conmon version 2.1.6, commit: v2.1.6' cpuUtilization: idlePercent: 81.48 systemPercent: 5.03 userPercent: 13.49 cpus: 8 distribution: distribution: gentoo version: "2.13" eventLogger: journald hostname: TARDIS idMappings: gidmap: - container_id: 0 host_id: 1000 size: 1 - container_id: 1 host_id: 100000 size: 65536 uidmap: - container_id: 0 host_id: 1000 size: 1 - container_id: 1 host_id: 100000 size: 65536 kernel: 6.2.2-230307-r1 linkmode: dynamic logDriver: journald memFree: 15840677888 memTotal: 33596272640 networkBackend: cni ociRuntime: name: crun package: app-containers/crun-1.8.1 path: /usr/bin/crun version: |- crun version 1.8.1 commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30 rundir: /run/user/1000/crun spec: 1.0.0 +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL os: linux remoteSocket: path: /run/user/1000/podman/podman.sock security: apparmorEnabled: false capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID rootless: true seccompEnabled: true seccompProfilePath: /usr/share/containers/seccomp.json selinuxEnabled: false serviceIsRemote: false slirp4netns: executable: /usr/bin/slirp4netns package: app-containers/slirp4netns-1.2.0 version: |- slirp4netns version 1.2.0 commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383 libslirp: 4.7.0 SLIRP_CONFIG_VERSION_MAX: 4 libseccomp: 2.5.4 swapFree: 0 swapTotal: 0 uptime: 6h 52m 38.00s (Approximately 0.25 days) plugins: authorization: null log: - k8s-file - none - passthrough - journald network: - bridge - macvlan - ipvlan volume: - local registries: docker.io: Blocked: false Insecure: false Location: docker.io MirrorByDigestOnly: false Mirrors: null Prefix: docker.io PullFromMirror: "" localhost:5000: Blocked: false Insecure: true Location: localhost:5000 MirrorByDigestOnly: false Mirrors: null Prefix: localhost:5000 PullFromMirror: "" search: - docker.io - quay.io - registry.fedoraproject.org store: configFile: /home/matthew/.config/containers/storage.conf containerStore: number: 0 paused: 0 running: 0 stopped: 0 graphDriverName: overlay graphOptions: overlay.mount_program: Executable: /usr/bin/fuse-overlayfs Package: sys-fs/fuse-overlayfs-1.10 Version: |- fusermount3 version: 3.14.0 fuse-overlayfs: version 1.10 FUSE library version 3.14.0 using FUSE kernel interface version 7.38 graphRoot: /home/matthew/.local/share/containers/storage graphRootAllocated: 1978033311744 graphRootUsed: 759315042304 graphStatus: Backing Filesystem: extfs Native Overlay Diff: "false" Supports d_type: "true" Using metacopy: "false" imageCopyTmpDir: /var/tmp imageStore: number: 1 runRoot: /run/user/1000/containers transientStore: false volumePath: /home/matthew/.local/share/containers/storage/volumes version: APIVersion: 4.4.1 Built: 1676880362 BuiltTime: Mon Feb 20 09:06:02 2023 GitCommit: 34e8f39 GoVersion: go1.20.1 Os: linux OsArch: linux/amd64 Version: 4.4.1 — Reply to this email directly, view it on GitHub <#17753>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB3AOCAXHRCNZQ2AH3TBM3TW34PXPANCNFSM6AAAAAAVZC6OEE> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[BinaryKhaos]

Sigh. Thanks. I was afraid there was not much else to do-- except for some hefty ACL trickery and such. Would have been nice if at least there was a way to get this working with overlayfs or some other trick.

Guess I will have to completely re-think my plans and come up with some alternatives. Running rootful podman as non-root user via sudo is not very appealing to me since it comes with its own share of problems and possible securities issues that was trying to avoid.