I didn't expect #rootless #podman to be such a rabbit hole nightmare.

It appears to be impossible to get the permissions right for a mounted folder for which the user starting the container has read rights on the host by being in the group the files belong to.

I thought that was just a very basic use case. Probably I will just use docker again.

@frere_jacques This is the reason why I don’t yet have my homeserver up and running.

@TheAlgorythm
Really? How long have you been fiddling around with that?

I had the idea to try out k3s to get familiar with k8s, and then I thought maybe it's too much. Just stick with basic containers, but hey, why not use podman.

@TheAlgorythm
After a really long time being busy with other stuff I finally got a DNS problem solved and now have Let's Encrypt working with traefik.

I just thought I'd take the compose YAML for my emby server and then it's done. But this is a bummer.

@frere_jacques Just for a few days, or maybe two weeks. But it was in a semester break, so I didn’t want to waste more time, and later never came.
My problem is that I want the best security I can get, and then I couldn’t choose another solution. I wanted rootless podman containers spread across multiple CoreOS VMs with VirtFS storage from the Proxmox host. And VirtFS can’t work with security labels or something like that.

@TheAlgorythm
At the service add:

annotations:
  run.oci.keep_original_groups: '1'

And at the top level of the YAML add:

x-podman:
  gidmaps:
    - "+g<gid>:@<gid>"

Then on the host add the mapping for the container user in /etc/subgid to map the group from host to container.
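The three steps above, pulled together into one complete podman-compose file as an added example (not code from anyone in this thread). Everything concrete in it is an assumption: the host user `alice` runs podman, the media directory `/srv/media` is group-owned by `media` (gid 1005), `alice` is a member of that group, and the image name is only a placeholder. The gidmap is written here as the per-service `x-podman.gidmaps` key, which is the placement podman-compose's extension docs use for per-container uid/gid maps; the gidmap syntax with `+`, `g` and `@` needs a podman new enough to understand it.

```yaml
# Added example, not from the thread. All names are assumptions:
# user "alice" runs podman, /srv/media is group-owned by "media" (gid 1005),
# and alice is a member of that group on the host.
#
# Host prerequisites (assumed), done once:
#   as root:   echo 'alice:1005:1' >> /etc/subgid   # allow alice's rootless podman to map host gid 1005
#   as alice:  podman system migrate               # rebuild the user namespace with the new range
services:
  emby:
    image: docker.io/emby/embyserver:latest   # assumed image name
    # crun annotation: keep the supplementary groups of the user who started the
    # container, so the container process still belongs to host group 1005
    # (same effect as `podman run --group-add keep-groups`).
    annotations:
      run.oci.keep_original_groups: '1'
    # Per-service podman-compose extension, passed through as `podman run --gidmap`.
    # "+g1005:@1005": add (+) to the default rootless mapping an entry for the
    # gid map only (g) that makes host gid (@) 1005 appear as gid 1005 in the container.
    x-podman.gidmaps:
      - "+g1005:@1005"
    volumes:
      - /srv/media:/media:ro            # files group-owned by gid 1005 on the host
      - emby-config:/config
    ports:
      - "8096:8096"

volumes:
  emby-config: {}
```

To check it, run `podman exec <container> id` from the host (podman-compose names the container after the project directory and service): gid 1005 should appear in the groups list, and `ls -ln /media` inside the container should show the files with group 1005 rather than 65534 (`nobody`/`nogroup`), which is what an unmapped host gid looks like from inside the namespace. If the gid is not in `/etc/subgid` for that user, rootless podman refuses to set up the mapping and the container does not start, so a missing subgid line shows up as a startup error rather than as a permission problem later.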