How to specify a gid and uid for a mapped block device?

[mailinglists35]

I am trying to run libvirt+qemu inside podman, as a fedora image. It runs fine with a minimum generated vm by virt-manager running on oracle linux 9.2 host, minus network device.

But I need to map a block device from the host, and then libvirt attempts to chown it because is owned by uid/gid nobody with 0770, and it fails

[root@3753b5ec2e03 dev]# cd /dev/
[root@3753b5ec2e03 dev]# mkdir -p zvol/vm/
[root@3753b5ec2e03 dev]# ln -s zd1040 zvol/vm/mojave
[root@3753b5ec2e03 dev]# ls -l zd1040
brw-rw----. 1 nobody nobody 230, 1040 Jun 18 02:32 zd1040

[root@3753b5ec2e03 dev]# virsh start macos-mojave-10.14
error: Failed to start domain 'macos-mojave-10.14'
error: unable to set user and group to '107:107' on '/dev/zvol/vm/mojave': Permission denied

How can I specify the uid and gid of the mapped block device inside the container to 107:107 to keep libvirt happy? (assuming my user id has access rights to host real block device via membership in group disk). I don't mind security, I can run the podman as root if that's a solution, all I care is to be able to run the fedora libvirt and qemu processes because the one on el9 host has lots of cut features.

[rhatdan]

In a rootless container or a container within a separate user namespace, all UIDs not mapped to the user namespace will be mapped as the nobody user. Privileged processes within the container can not chown files owned by nobody.

If you want these files to be chownable then the host UID would need to be mapped within the user namespace.

[mailinglists35]

the host UID would need to be mapped within the user namespace

how exactly do I do that?
For example in the bare metal host (enterprise linux 9.2), libvirt/qemu is able to open this device:

$ ls -l /dev/md127
brw-rw----. 1 root root 9, 127 Jun 22 13:22 /dev/md127

but on container (fedora 38), it wants to chown it first to 107:107 (qemu:qemu)

# id 107
uid=107(qemu) gid=107(qemu) groups=107(qemu),36(kvm)

my uid/gid on host is 1000/1000, and I have not myself edited /etc/subuid nor /etc/subgid, but I see my myuser username there, and neither have I put the sambashare user in there:

$ cat /etc/subuid
myuser:100000:65536
sambauser:165536:65536

$ cat /etc/subgid
myuser:100000:65536
sambauser:165536:65536

[mailinglists35]

I'm sorry if this might seem something basic or obvious but I've read and reread the documentation and manpages but I'm still I'm scratching my head unable to figure it out.

[mailinglists35]

@rhatdan ?

[rhatdan]

You could add

myuser:107:1
To each file. And then you would need to futz around with --uidmap and --gidmap to get it to work.

But can you get libvirt/qemu to stop attempting to chown the UID/GID of the files?

[rhatdan]

@berrange WDYT?