
I am trying to set up gitea using podman. I would like to have

  • the data volume mapped to a host directory, because it allows me to easily inspect and backup the data
  • the container process executed by a specific host user

Podman is executed by the root user, mostly because of the problems I had with podman generate systemd --new and rootless containers (see "systemd User= directive not supported, why?" and "support User= in systemd for running rootless services").

To achieve the mapping with rootful containers, I started by mapping all the in-use container uids and gids to the host's gitea user. I ended up with something like

podman run --rm \
    --uidmap=0:$(id -u gitea):1 \
    --gidmap=0:$(id -g gitea):1 \
    --uidmap=1000:$(id -u gitea):1 \
    --gidmap=1000:$(id -g gitea):1 \
    --gidmap=42:$(id -g gitea):1 \
    --volume /srv/gitea/data:/var/lib/gitea \
    docker.io/gitea/gitea:1.18.0-rc1-rootless

The output that I get is

WARN[0000] Path "/etc/SUSEConnect" from "/etc/containers/mounts.conf" doesn't exist, skipping 
WARN[0000] Path "/etc/zypp/credentials.d/SCCcredentials" from "/etc/containers/mounts.conf" doesn't exist, skipping 
Error: OCI runtime error: runc create failed: unable to start container process: can't get final child's PID from pipe: EOF

I successfully ran other podman containers despite the path warnings, so I think they can be ignored.

I am running podman version 3.4.7 on openSUSE Leap 15.3.

How can I run this container, while mapping all the in-use uids and gids to a specific host user/group?

Robert Munteanu

1 Answer


The root cause seems to have been trying to map multiple container uids (and gids) to a single uid/gid on the host. So I was trying to map (container to host):

  • UID 0 → gitea
  • GID 0 → gitea
  • UID 1000 → gitea
  • GID 1000 → gitea
  • GID 42 → gitea

Instead I am now falling back to a different mapping, where just the 1000 UID/GID pair, the one actually running the Gitea app, is mapped to the host user, and the others receive a different UID range using

    --uidmap=0:10000:999 \
    --gidmap=0:10000:999 \
    --uidmap=1000:$(id -u gitea):1 \
    --gidmap=1000:$(id -g gitea):1 \

This means that we have the following mappings

  • UIDs 0-999 → 10000-10999
  • GIDs 0-999 → 10000-10999
  • UID 1000 → gitea
  • GID 1000 → gitea

With this change, the container starts up successfully and the permissions on the host are as expected.

Robert Munteanu
  • A side-note: Podman 4.3 introduced the options _uid_ and _gid_ that can be used as `--userns=keep-id:uid=$uid,gid=$gid`. That could be used as an alternative to using __--uidmap__ and __--gidmap__ (see https://github.com/containers/podman/blob/main/troubleshooting.md#39-podman-run-fails-with-error-unrecognized-namespace-mode-keep-iduid1000gid1000-passed) – Erik Sjölund Nov 29 '22 at 09:29
  • Thanks for the info @ErikSjölund, will take a look once openSUSE updates, probably around Leap 15.5, as the latest (Tumbleweed) version has podman 4.2.1 . – Robert Munteanu Nov 30 '22 at 15:33
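The kernel rejects a uid_map/gid_map whose entries overlap in either the container id range or the host id range, which is why the question's map (two container ids pointing at the same host uid) fails before runc can report anything useful. The following is an added checker, not code from the question or answer, that parses `--uidmap`/`--gidmap` triples, reports such overlaps, and translates container ids to host ids; it assumes a constructed gitea uid of 1001 in place of `$(id -u gitea)`.

```python
"""Validate podman --uidmap/--gidmap triples the way the kernel does:
no two entries may overlap in container ids or in host ids."""
from typing import List, Optional, Tuple

Mapping = Tuple[int, int, int]  # (container_start, host_start, length)


def parse_map(spec: str) -> Mapping:
    """Parse a 'container:host:length' triple as given to --uidmap/--gidmap."""
    container, host, length = (int(x) for x in spec.split(":"))
    if length <= 0:
        raise ValueError(f"length must be positive: {spec}")
    return (container, host, length)


def _ranges_overlap(a_start: int, a_len: int, b_start: int, b_len: int) -> bool:
    return a_start < b_start + b_len and b_start < a_start + a_len


def find_overlaps(specs: List[str]) -> List[str]:
    """Return a description of every pair of entries the kernel would refuse.
    An empty list means the map is free of overlap problems."""
    maps = [parse_map(s) for s in specs]
    problems = []
    for i in range(len(maps)):
        for j in range(i + 1, len(maps)):
            (ci, hi, ni), (cj, hj, nj) = maps[i], maps[j]
            if _ranges_overlap(ci, ni, cj, nj):
                problems.append(f"container ids overlap: {specs[i]} vs {specs[j]}")
            if _ranges_overlap(hi, ni, hj, nj):
                problems.append(f"host ids overlap: {specs[i]} vs {specs[j]}")
    return problems


def host_id(specs: List[str], container_id: int) -> Optional[int]:
    """Translate a container id to its host id; None means it is unmapped
    (files owned by it would show up as nobody/overflow id on the host)."""
    for c, h, n in (parse_map(s) for s in specs):
        if c <= container_id < c + n:
            return h + (container_id - c)
    return None


GITEA_UID = 1001  # constructed stand-in for $(id -u gitea)
# The question's approach: root and uid 1000 both mapped onto the gitea uid.
BROKEN = [f"0:{GITEA_UID}:1", f"1000:{GITEA_UID}:1"]
# The answer's approach: 0-998 moved to a private range, only 1000 -> gitea.
FIXED = ["0:10000:999", f"1000:{GITEA_UID}:1"]

if __name__ == "__main__":
    print("broken:", find_overlaps(BROKEN) or "ok")
    print("fixed:", find_overlaps(FIXED) or "ok")
    print("gid 42 from the question lands on host id", host_id(FIXED, 42))
```

Note that a length of 999 starting at 0 covers container ids 0 through 998 only; id 999 is left unmapped under the answer's entries, so a file created by that id inside the container would appear unowned on the host.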