After mount a host directory can't write there. #podman #wordpress #mariadb #podman-unshare

[christianbueno1]

**Is this a BUG REPORT **

/kind bug

Description

After create the pod with a wordrpess and mariadb containers there using the scripts bellow, with configurations that allow me to read/write the wordpress volume mounted there, I can't read write there. I know that the user of the directory /var/www/html inside the wordpress container is www-data 33 and that don't need to use podman unshare against that directory.

#!/bin/bash
# create_blog.sh

set -e   #exit on most errors

#variables
wordpress_tag=${1:-christianbueno1/wordpress:602-8080}

echo "Creating the pod"
#podman pod create --name blog --infra --publish 8080:80  --network bridge 
podman pod create --name gondolrack-pod --infra --publish 8080:80 --publish 3306:3306 --network bridge
#podman pod create --name blog --infra --publish 8080:8080 

echo "Creating the mariadb container"
podman run --pod gondolrack-pod --name mariadb \
-e MARIADB_USER=chris \
-e MARIADB_PASSWORD=maGazine1! \
-e MARIADB_DATABASE=gondolrack \
-e MARIADB_ROOT_PASSWORD=maGazine1! \
--volume ./var-lib-mysql:/var/lib/mysql:Z \
-d mariadb:10.5.15

echo "Creating the wordpress container"
podman run --pod gondolrack-pod --name wordpress \
-e WORDPRESS_DB_HOST=mariadb:3306 \
-e WORDPRESS_DB_USER=chris \
-e WORDPRESS_DB_PASSWORD=maGazine1! \
-e WORDPRESS_DB_NAME=gondolrack \
--volume ./var-www-html:/var/www/html:Z \
-d ${wordpress_tag}

#run the script
#
#set UID/GUID in the database host volume with mysql id 999
#podman unshare chown 999:999 -R var-lib-mysql
#the wordpress volume does't need it
#
#./create_blog.sh christianbueno1/wordpress:602-8080
#
#./create_blog.sh <new_image_name>
#./create_blog.sh
#

Steps to reproduce the issue:

1. Create 2 directories to store the container data, the idea is can work with the wordpress volume from the host in any text editor like vscode.

#database
mkdir var-lib-mysql
#wordpress
mkdir var-www-html

  ~/Documents/containerized-wordpress/gondolrack-wordpress-pod 
❯ ll
total 12K
-rw-rw-r--. 1 chris chris  753 Oct  3 20:35 Containerfile
-rwxrw-r--. 1 chris chris 1.3K Oct  3 20:48 create_gondolrack.sh
drwxrwxr-x. 1 chris chris  266 Oct  3 22:34 var-lib-mysql
drwxr-xr-x. 1 chris chris  582 Oct  3 20:49 var-www-html

2. Use the command podman unshare with the database volume, this way the container can edit those files inside that directory. The wordpress volume or directory doesn't need it because I have to have control over those files.

podman unshare chown 999:999 -R var-lib-mysql

  ~/Documents/containerized-wordpress/gondolrack-wordpress-pod 
❯ ll
total 12K
-rw-rw-r--. 1 chris  chris   753 Oct  3 20:35 Containerfile
-rwxrw-r--. 1 chris  chris  1.3K Oct  3 20:48 create_gondolrack.sh
drwxrwxr-x. 1 100998 100998  266 Oct  3 22:34 var-lib-mysql
drwxr-xr-x. 1 chris  chris   582 Oct  3 20:49 var-www-html

3. Run the scripts, list the files there.

./create_gondolrack.sh

After run the script, list the directory and realize that the UID/GID was changed from 1000(chris) to 100032, I understand that 33(www-data) is mapped to 100032 , It is not supposed that 100032 is me.

  ~/Documents/containerized-wordpress/gondolrack-wordpress-pod 
❯ ll
total 12K
-rw-rw-r--. 1 chris  chris   753 Oct  3 20:35 Containerfile
-rwxrw-r--. 1 chris  chris  1.3K Oct  3 20:48 create_gondolrack.sh
drwxrwxr-x. 1 100998 100998  278 Oct  3 20:49 var-lib-mysql
drwxr-xr-x. 1 100032 100032  582 Oct  3 20:49 var-www-html

Describe the results you received:
The wordpress volume changes the UID/GID to 100032:10032 and can't edit the files inside it. I have to change the UID/GID with sudo to my user chris 1000 that allow me edit files from host.

sudo chown chris:chris -R var-www-html

Describe the results you expected:
That can edit those files inside the var-www-html directory, but can't and the UID/GID of the directory was change to 100032.

Additional information you deem important (e.g. issue happens only occasionally):

  ~/Documents/containerized-wordpress/gondolrack-wordpress-pod 
total 12K
-rw-rw-r--. 1 chris  chris   753 Oct  3 20:35 Containerfile
-rwxrw-r--. 1 chris  chris  1.3K Oct  3 20:48 create_gondolrack.sh
drwxrwxr-x. 1 100998 100998  278 Oct  3 20:49 var-lib-mysql
drwxr-xr-x. 1 100032 100032  582 Oct  3 20:49 var-www-html

  ~/Documents/containerized-wordpress/gondolrack-wordpress-pod                                                                                                            
❯ podman top -l user huser                     
USER        HUSER
root        1000
www-data    100032
www-data    100032
www-data    100032
www-data    100032
www-data    100032

  ~/Documents/containerized-wordpress/gondolrack-wordpress-pod                                                                                                            
❯ cd var-www-html                  

  ~/Documents/containerized-wordpress/gondolrack-wordpress-pod/var-www-html                                                                                               
❯ touch mo.txt
touch: cannot touch 'mo.txt': Permission denied

Output of podman version:

❯ podman version          
Client:       Podman Engine
Version:      4.2.0
API Version:  4.2.0
Go Version:   go1.18.4
Built:        Thu Aug 11 09:42:17 2022
OS/Arch:      linux/amd64

Output of podman info:

❯ podman info                    
host:
  arch: amd64
  buildahVersion: 1.27.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.4-2.fc36.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.4, commit: '
  cpuUtilization:
    idlePercent: 91.46
    systemPercent: 1.79
    userPercent: 6.75
  cpus: 4
  distribution:
    distribution: fedora
    variant: workstation
    version: "36"
  eventLogger: journald
  hostname: fedora
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.19.11-200.fc36.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 6269730816
  memTotal: 16555044864
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.6-2.fc36.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.6
      commit: 18cf2efbb8feb2b2f20e316520e0fd0b6c41ef4d
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-0.2.beta.0.fc36.x86_64
    version: |-
      slirp4netns version 1.2.0-beta.0
      commit: 477db14a24ff1a3de3a705e51ca2c4c1fe3dda64
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 2h 22m 21.00s (Approximately 0.08 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/chris/.config/containers/storage.conf
  containerStore:
    number: 5
    paused: 0
    running: 3
    stopped: 2
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/chris/.local/share/containers/storage
  graphRootAllocated: 132070244352
  graphRootUsed: 65875464192
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 48
  runRoot: /run/user/1000/containers
  volumePath: /home/chris/.local/share/containers/storage/volumes
version:
  APIVersion: 4.2.0
  Built: 1660228937
  BuiltTime: Thu Aug 11 09:42:17 2022
  GitCommit: ""
  GoVersion: go1.18.4
  Os: linux
  OsArch: linux/amd64
  Version: 4.2.0

Package info (e.g. output of rpm -q podman or apt list podman or brew info podman):

❯ rpm -q podman
podman-4.2.0-2.fc36.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

No

Additional environment details (AWS, VirtualBox, physical, etc.):

❯ neofetch
             .',;::::;,'.                chris@fedora 
         .';:cccccccccccc:;,.            ------------ 
      .;cccccccccccccccccccccc;.         OS: Fedora Linux 36 (Workstation Edition) x86_64 
    .:cccccccccccccccccccccccccc:.       Kernel: 5.19.11-200.fc36.x86_64 
  .;ccccccccccccc;.:dddl:.;ccccccc;.     Uptime: 2 hours, 23 mins 
 .:ccccccccccccc;OWMKOOXMWd;ccccccc:.    Packages: 2341 (rpm), 34 (flatpak) 
.:ccccccccccccc;KMMc;cc;xMMc:ccccccc:.   Shell: bash 5.1.16 
,cccccccccccccc;MMM.;cc;;WW::cccccccc,   Resolution: 1920x1080 
:cccccccccccccc;MMM.;cccccccccccccccc:   DE: GNOME 42.5 
:ccccccc;oxOOOo;MMM0OOk.;cccccccccccc:   WM: Mutter 
cccccc:0MMKxdd:;MMMkddc.;cccccccccccc;   WM Theme: Adwaita 
ccccc:XM0';cccc;MMM.;cccccccccccccccc'   Theme: Adwaita [GTK2/3] 
ccccc;MMo;ccccc;MMW.;ccccccccccccccc;    Icons: Adwaita [GTK2/3] 
ccccc;0MNc.ccc.xMMd:ccccccccccccccc;     Terminal: gnome-terminal 
cccccc;dNMWXXXWM0::cccccccccccccc:,      CPU: Intel i5-4430 (4) @ 3.200GHz 
cccccccc;.:odl:.;cccccccccccccc:,.       GPU: NVIDIA GeForce GT 610 
:cccccccccccccccccccccccccccc:'.         Memory: 3433MiB / 15788MiB 
.:cccccccccccccccccccccc:;,..
  '::cccccccccccccc::;,.                                         
                                                                 

umask 002

[christianbueno1]

I dont't know what is the problem or if it is only the first time but after remove the pod and reset the UID/GID of var-www-html to chris and then run the script, this second time the UID/GID remains as chris 1000 and can write there using for example vscode.

sudo chown chris:chris -R var-www-html
./create_gondolrack.sh

❯ ll
total 12K
-rw-rw-r--. 1 chris  chris   753 Oct  3 20:35 Containerfile
-rwxrw-r--. 1 chris  chris  1.3K Oct  3 20:48 create_gondolrack.sh
drwxrwxr-x. 1 100998 100998  278 Oct  3 22:37 var-lib-mysql
drwxr-xr-x. 1 chris  chris   582 Oct  3 20:49 var-www-html

❯ podman top -l user huser                     
USER        HUSER
root        1000
www-data    100032
www-data    100032
www-data    100032
www-data    100032
www-data    100032

[giuseppe]

could you also specify U to the /var/lib/mysql mount? The user running inside the container is different than the user on the

[christianbueno1]

In the container the UID/GID of /var/lib/mysql is 999(mysql).

[christianbueno1]

Suddenly while working from the host in the wordpress directory mounted var-www-html it change the UID/GID to 100032:100032 preventing me to write there. The owner of that directory in the container is 33(www-data) and the host user is chris(1000).
If 100032 is in the range of 100000:65536 why can't write there and have to set the UID/GID to my user 1000(chris) every time to be able to write there.

❯ cat /etc/subuid       
chris:100000:65536
tom:165536:65536
❯ cat /etc/subgid         
chris:100000:65536
tom:165536:65536

[giuseppe]

The user 33 in the container is mapped to the user 100032 on the host. If you want the directory to be owned by your users then the directory must be writeable to other users and have mode 0777.

[christianbueno1]

It is not supposed that with podman unshare would be possible to write in shared directories and specially from the host, I have read this resources. On other hand I have run the script many times and the directories changes the UID/GID respectively var-lib-mysql, var-www-html to 100998, 100032 without taking into account don't used the command podman unshare there.
My umask is 002

[christianbueno1]

How can we use the user 100032 in the host, because can't so far, means despite use podman unshare 33:33 -R var-www-html can't write there from host.

[eriksjolund]

I think it's possible to have the containers only store files on the host with ownership of the regular user.
There are more secure ways of how to run Wordpress with Podman but at least with this way it's convenient to edit the files easily. This method also makes it possible to use directories (via bind-mount) where only the regular user has permission to write files. For example subordinate UIDs (subuids) might not be able to write in an NFS directory.

If you run the containers without using a pod, it's possible to map UID 999 in the mariadb container and UID 33 in the wordpress container to the same UID on the host.

Here I try it out by mapping them to the regular user on the host.

Alternative solution: Unix socket

#!/bin/bash

set -o errexit
set -o nounset

mkdir -p var-lib-mysql
mkdir -p var-www-html
mkdir -p run-mysqld

subuidSize=$(( $(podman info --format "{{ range .Host.IDMappings.UIDMap }}+{{.Size }}{{end }}" ) - 1 ))
subgidSize=$(( $(podman info --format "{{ range .Host.IDMappings.GIDMap }}+{{.Size }}{{end }}" ) - 1 ))

uid=999
gid=999
podman run --rm \
 -d \
 --name mariadb \
 --replace \
 --security-opt label=disable \
 -e MARIADB_USER=chris \
 -e MARIADB_PASSWORD=maGazine1! \
 -e MARIADB_DATABASE=gondolrack \
 -e MARIADB_ROOT_PASSWORD=maGazine1! \
 --uidmap $uid:0:1 \
 --uidmap 0:1:$uid \
 --uidmap $(($uid+1)):$(($uid+1)):$(($subuidSize-$uid)) \
 --gidmap $gid:0:1 \
 --gidmap 0:1:$gid \
 --gidmap $(($gid+1)):$(($gid+1)):$(($subgidSize-$gid)) \
 --volume ./var-lib-mysql:/var/lib/mysql:Z \
  --volume ./run-mysqld:/run/mysqld:z \
	docker.io/library/mariadb

uid=33
gid=33
podman run --rm \
 --name wordpress \
  -p 8080:80 \
  -d  \
  --replace \
  -e WORDPRESS_DB_HOST=localhost:/run/mysqld/mysqld.sock \
  -e WORDPRESS_DB_USER=chris \
  -e WORDPRESS_DB_PASSWORD=maGazine1! \
  -e WORDPRESS_DB_NAME=gondolrack \
 --uidmap $uid:0:1 \
 --uidmap 0:1:$uid \
 --uidmap $(($uid+1)):$(($uid+1)):$(($subuidSize-$uid)) \
 --gidmap $gid:0:1 \
 --gidmap 0:1:$gid \
 --gidmap $(($gid+1)):$(($gid+1)):$(($subgidSize-$gid)) \
 --volume ./var-www-html:/var/www/html:Z \
 --volume ./run-mysqld:/run/mysqld:z \
   docker.io/library/wordpress

Adding a 5 second sleep so that mariadb has time to start

$ bash wordpress_unix_socket.sh ; sleep 5
102d2622dc962797929757a314c3e1e8c9ab48cc7a58c62ec5a2a3360daea3e2
1259584ab34b8fa1ab48e0eb71d23778695cf5c469e12f9bf3b19a676798905f

$ curl -Ls localhost:8080 | grep -i "<title>"
	<title>WordPress &rsaquo; Installation</title>
$ 

Checking file ownership. No files are owned by subordinate UIDs.

$ find var-www-html/  \
         var-lib-mysql/  \
         run-mysqld/ \ 
          -not -user $(id -u)
$

I think the --uidmap and --gidmap options could be replaced with --userns keep-id:uid=$uid,gid=$gid
(It should probably mean the same thing but I haven't tested it out)

The new keep-id options uid and gid is functionality that is yet to be released in a stable Podman version
but it's already available on the podman run man page https://docs.podman.io/en/latest/markdown/podman-run.1.html#userns-mode

To clean up after this experiment run

$ podman container rm mariadb wordpress -f
$ rm -rf run-mysqld/ var-lib-mysql/ var-www-html/

Alternative solution: TCP

--- wordpress_unix_socket.sh	2022-10-09 10:11:15.823126990 +0200
+++ wordpress_network.sh	2022-10-09 10:20:24.529739229 +0200
@@ -4,9 +4,11 @@
 set -o errexit
 set -o nounset
 
+# create network if it does not exist
+podman network exists net1 || podman network create net1 
+
 mkdir -p var-lib-mysql
 mkdir -p var-www-html
-mkdir -p run-mysqld
 
 subuidSize=$(( $(podman info --format "{{ range .Host.IDMappings.UIDMap }}+{{.Size }}{{end }}" ) - 1 ))
 subgidSize=$(( $(podman info --format "{{ range .Host.IDMappings.GIDMap }}+{{.Size }}{{end }}" ) - 1 ))
@@ -14,10 +16,10 @@
 uid=999
 gid=999
 podman run --rm \
+ --network net1 \
  -d \
  --name mariadb \
  --replace \
  -e MARIADB_USER=chris \
  -e MARIADB_PASSWORD=maGazine1! \
  -e MARIADB_DATABASE=gondolrack \
@@ -29,18 +31,17 @@
  --gidmap 0:1:$gid \
  --gidmap $(($gid+1)):$(($gid+1)):$(($subgidSize-$gid)) \
  --volume ./var-lib-mysql:/var/lib/mysql:Z \
-  --volume ./run-mysqld:/run/mysqld:z \
 	docker.io/library/mariadb
 
 uid=33
 gid=33
 podman run --rm \
+ --network net1 \
  --name wordpress \
   -p 8080:80 \
   -d  \
   --replace  \
-  -e WORDPRESS_DB_HOST=localhost:/run/mysqld/mysqld.sock \
+  -e WORDPRESS_DB_HOST=mariadb \
   -e WORDPRESS_DB_USER=chris \
   -e WORDPRESS_DB_PASSWORD=maGazine1! \
   -e WORDPRESS_DB_NAME=gondolrack \
@@ -51,5 +52,4 @@
  --gidmap 0:1:$gid \
  --gidmap $(($gid+1)):$(($gid+1)):$(($subgidSize-$gid)) \
  --volume ./var-www-html:/var/www/html:Z \
- --volume ./run-mysqld:/run/mysqld:z \
   docker.io/library/wordpress

$ bash wordpress_network.sh ; sleep 5
d792a8c237a2e772cba947e4e0a239e13fff3bd8f6177a6387fea72bb5bfaed9
9b3870a1e1892f82b25fcca2a574f8bdf1e692b82cb5740c25f816e53608581f
$

$ curl -Ls localhost:8080 | grep -i "<title>"
	<title>WordPress &rsaquo; Installation</title>
$

To clean up after this experiment run

$ podman container rm mariadb wordpress -f
$ rm -rf var-lib-mysql/ var-www-html/

[rhatdan]

@giuseppe I thought we added a flag to set this mapping. IE To map the users UID to the UID of the containers primary UID?

[giuseppe]

yes, as mentioned in the original post, you can override the UID and the GID used by keep-id with uid and gid, e.g. podman run --userns auto:uid=1000,gid=1000

[christianbueno1]

It is the Containerfile used to build christianbueno1/wordpress:602-8080.
It only add port 8080 to the Apache server.

ARG wordpress_image=wordpress:6.0.2-php7.4-apache

FROM $wordpress_image

#ARG newport=49152
ARG port=8080

LABEL maintainer="Christian Bueno <[email protected]>" 

RUN cd /etc/apache2/; \
sed -i "/Listen 80/aListen $port" ports.conf; \
cd /etc/apache2/sites-available/; \
sed -i "s/:80/*:*/" 000-default.conf
#RUN && rm -rf /var/lib/apt/lists/*

#check if exits bash in the image
# CMD ["/bin/bash", "-c", "./alterhttpd.sh"]

EXPOSE $port

CMD ["apache2-foreground"]

# podman build --build-arg port=8082 --build-arg wordpress_image=wordpress:6.0.2-php7.4-apache -t christianbueno1/wordpress:602-8082 -f Containerfile
# podman build -t christianbueno1/wordpress:602-8080 -f Containerfile
# podman build -t <new_image_name:version> -f Containerfile

How to use the Containerfile

podman build -t christianbueno1/wordpress:602-8080 -f Containerfile