
My Dockerfile:

FROM quay.io/podman/stable:v4.2.0
USER podman
RUN mkdir -p /home/podman/.local/share/containers

$ podman build -t test .
$ podman volume create vol2
$ podman run -it --device /dev/fuse -v vol2:/home/podman/.local/share/containers:z test /bin/bash
[podman@e38f3aed5158 /]$id
uid=1000(podman) gid=1000(podman) groups=1000(podman)
[podman@e38f3aed5158 /]$
[podman@e38f3aed5158 /]$cat /etc/subuid /etc/subgid
podman:1:999
podman:1001:64535
podman:1:999
podman:1001:64535
[podman@e38f3aed5158 /]$ cd /tmp
echo 'FROM busybox' > Dockerfile
echo 'RUN echo hello' >> Dockerfile
podman build -t test .
WARN[0000] Failed to remove check directory /home/podman/.local/share/containers/storage/overlay/metacopy-check1039970918: fstatat /home/podman/.local/share/containers/storage/overlay/metacopy-check1039970918/work/work/#7e9: permission denied
WARN[0000] Failed to remove check directory /home/podman/.local/share/containers/storage/overlay/opaque-bug-check3330730474: fstatat /home/podman/.local/share/containers/storage/overlay/opaque-bug-check3330730474/work/work/#7eb: permission denied
STEP 1/2: FROM busybox
WARN[0000] Found incomplete layer "2be83a3d943c678d79fc9b44f1297dc1c5f7f949593f904272cb4940f53779af", deleting it
WARN[0000] Found incomplete layer "2be83a3d943c678d79fc9b44f1297dc1c5f7f949593f904272cb4940f53779af", deleting it
ERRO[0000] Image busybox exists in local storage but may be corrupted (remove the image to resolve the issue): fstatat /home/podman/.local/share/containers/storage/overlay/2be83a3d943c678d79fc9b44f1297dc1c5f7f949593f904272cb4940f53779af/work/work/#7bb: permission denied
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
WARN[0001] Found incomplete layer "2be83a3d943c678d79fc9b44f1297dc1c5f7f949593f904272cb4940f53779af", deleting it
Error: creating build container: copying system image from manifest list: trying to reuse blob sha256:205dae5015e78dd8c4d302e3db4eb31576fac715b46d099fe09680ba28093a7a at destination: looking for layers with digest "sha256:205dae5015e78dd8c4d302e3db4eb31576fac715b46d099fe09680ba28093a7a": fstatat /home/podman/.local/share/containers/storage/overlay/2be83a3d943c678d79fc9b44f1297dc1c5f7f949593f904272cb4940f53779af/work/work/#7bb: permission denied
[podman@e38f3aed5158 tmp]$ ls -la /home/podman/.local/share/containers/storage/overlay/2be83a3d943c678d79fc9b44f1297dc1c5f7f949593f904272cb4940f53779af/work
total 0
drwx------. 3 podman podman 18 Jan 29 03:36 .
drwx------. 3 podman podman 18 Jan 29 03:36 ..
d---------. 2 podman podman 18 Jan 29 03:36 work
[podman@e38f3aed5158 tmp]$ chmod 775 -R /home/podman/.local/share/containers/storage/overlay/2be83a3d943c678d79fc9b44f1297dc1c5f7f949593f904272cb4940f53779af/work
chmod: cannot access '/home/podman/.local/share/containers/storage/overlay/2be83a3d943c678d79fc9b44f1297dc1c5f7f949593f904272cb4940f53779af/work/work/#7bb': Permission denied
[podman@e38f3aed5158 tmp]$

If I run with privilege,

podman run --privileged -it --device /dev/fuse -v vol3:/home/podman/.local/share/containers:z test /bin/bash

It will work. Is podman-rootless-without-privileged supposed to work with a folder that is d---------?

Or is it really impossible for podman-rootless-user-podman-unprivileged to work?

uniwinux
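A diagnostic added here for the failure shown in the question (this is not code from the question, the answer, or the podman project): it lists every overlay layer whose inner work directory carries no permission bits, like the d--------- entry above, and decodes the CapEff mask from /proc/self/status to show whether the process holds CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH, the two capabilities that let a process search a directory regardless of its mode bits. It assumes a Linux host with GNU or busybox find and stat; the storage root path is the one from the question.

```shell
#!/bin/sh
# Added diagnostic (not from the question, answer or podman). Assumes Linux with
# GNU/busybox find and stat.

# List overlay layers whose inner work dir (<root>/overlay/<id>/work/work) has no
# permission bits at all. Output: "<octal mode> <owner> <path>", one per line, sorted.
find_locked_workdirs() {
    root="$1"
    find "$root/overlay" -mindepth 3 -maxdepth 3 -type d -path '*/work/work' 2>/dev/null |
    while read -r d; do
        mode=$(stat -c '%a' "$d")
        [ "$mode" = "0" ] && printf '%s %s %s\n' "$mode" "$(stat -c '%U' "$d")" "$d"
    done | sort
}

# Return 0 if capability bit $1 is set in the hex mask $2 (the CapEff value from
# /proc/self/status, e.g. 000001ffffffffff). Only the low 16 bits are examined,
# which covers CAP_DAC_OVERRIDE (bit 1) and CAP_DAC_READ_SEARCH (bit 2); holding
# either lets a process search a directory whatever its mode bits say.
cap_in_mask() {
    bit="$1"
    low=$(printf '%s' "$2" | tail -c 4)   # last four hex digits = bits 0..15
    [ "$(( (0x$low >> bit) & 1 ))" -eq 1 ]
}

# Print the current process's DAC capabilities and the locked work dirs under $1,
# so the reader can see whether the mode-000 dirs could be bypassed by this process.
report() {
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    echo "CapEff=$capeff"
    cap_in_mask 1 "$capeff" && echo "CAP_DAC_OVERRIDE: present" || echo "CAP_DAC_OVERRIDE: absent"
    cap_in_mask 2 "$capeff" && echo "CAP_DAC_READ_SEARCH: present" || echo "CAP_DAC_READ_SEARCH: absent"
    find_locked_workdirs "$1"
}

# Usage inside the container from the question:
#   . ./storage-check.sh && report /home/podman/.local/share/containers/storage
```

Run it in both the unprivileged and the --privileged container to compare which capabilities differ while the same locked directories are present.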

1 Answer

This works:

podman run -u podman --rm -it --net=host --security-opt label=disable --security-opt seccomp=unconfined --device /dev/fuse:rw -v vol2:/var/lib/containers:Z --privileged  quay.io/podman/stable /bin/bash
[podman@localhost /]$ id
uid=1000(podman) gid=1000(podman) groups=1000(podman)
[podman@localhost /]$ cd /tmp
echo 'FROM busybox' > Dockerfile
echo 'RUN echo hello' >> Dockerfile
podman build -t test .
STEP 1/2: FROM busybox
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 205dae5015e7 done
Copying config 66ba00ad3d done
Writing manifest to image destination
Storing signatures
STEP 2/2: RUN echo hello
hello
COMMIT test
--> 2964b4f17aa
Successfully tagged localhost/test:latest
2964b4f17aa743a639d886fa906d28dc2f51ce8895a948a44cc6ddc6bec98f44
[podman@localhost tmp]$

uniwinux