0

I am running the docker.io/library/mariadb:latest image using podman on Centos 8. I am mounting a volume on host for persistent storage for the database. I understand that the directory ownership on the host must be changed for the user inside the container to gain rw access. So we use podman's unshare command for that purpose. The user in mariadb is called mysql. If we enter

podman unshare chown mysql:mysql /path/to/host

This will error:

chown: invalid user: ‘mysql:mysql’

Which makes sense because mysql user does not exist on host. We must provide the UID for that purpose. This information is usually obtained from a running container and look up for mysql in /etc/passwd

 podman run docker.io/library/mariadb grep mysql /etc/passwd

And the UID/GID is 999:999 from the output below.

mysql:x:999:999::/home/mysql:/bin/sh

Now we can chown using the UID on the host

podman unshare chown 999:999 /path/to/host

And this works.

But, how can we obtain this information without running the container?

I have inspected the image and cannot find explicit UID:GID assigned. The reason for this question is to implement automated provisioning/setup of infrastructure without worrying about manual steps.

Muzammil
  • 417
  • 1
  • 4
  • 20

1 Answers1

0

The easiest way to deal with this situation is to use a named volume, rather than a bind mount. For example, if we run...

podman run -it --rm -v mariadb_data:/var/lib/mysql \
  -e MYSQL_ROOT_PASSWORD=secret  mariadb:latest

...then the container will start up without any errors. This form of the -v option causes podman to create a named volume, rather than using a specific existing host directory as we would with a bind mount.

When mounting a named volume, the ownership of the volume is set to the UID under which the main container process is running, so it has the correct permissions by default.

This gets you pretty much all the advantages of using a bind mount -- that is, the database data is maintained outside of the container filesystem and will persist even if the container is deleted -- without needing to muck about with permissions.

larsks
  • 277,717
  • 41
  • 399
  • 399
  • That works. But this expects the named volume already exists. Do you know if we can create the named volume in a kube file along with running the containers? – Muzammil Mar 04 '21 at 12:47
  • This does *not* assume the named volume already exists. It will *create* the volume if it does not exist, as noted in the answer. You mentioned a "kube file", and if you're using Kubernetes this is probably not the answer you should be looking at. – larsks Mar 04 '21 at 19:18
  • I'm using kube files for podman actually. I don't think named volume can be created through kube files. Thanks for your help – Muzammil Mar 05 '21 at 20:08