Rootless Podman container volume permissions

[hmntsharma]

Hi,

The z,Z flag prevents the permission denied error and the containers can read and write to the bind mount files but then the host loses the access to the same and without root, there is no way to make changes.

Is there a way to ensure the host as well as the container both have read-write access to the files and folders even after mounting (bind)?

Thanks!!

[rhatdan]

The host does not loose access to the files, users on the host have full control over their content.
So yes you continue to have read-write access on the host, in the VM and if the container volume was relabeled inside of the container.

SELinux is not enforced on the host if the host is a Mac Or Windows, so relabeling has no effect to users on these hosts. The user processes within the VM run as the unconfined_t user so they have full access. It is only the container processes which are confined.

[hmntsharma]

The user inside a grafana container is as follows:

bash-5.1$ id
uid=472(grafana) gid=0(root) groups=0(root)
bash-5.1$

The subuid on the host:

$ cat /etc/subgid
lab:100000:65536
$ 

And the following argument with podman does allow grafana container to make changes to the host directory

-v grafana/provisioning:/etc/grafana/provisioning:U,Z

but then the permissions are changed and without sudo the host cannot change the files

drwxr-x---. 3 100471 wheel      15 Jan 29 19:10 alerting
drwx------. 2 100471 wheel       6 Jan 29 19:10 csv
drwxr-xr-x. 4 100471 wheel      33 Jan 29 19:09 dashboards
-rw-r-----. 1 100471 wheel 1277952 Jan 30 13:30 grafana.db
drwxr-xr-x. 7 100471 wheel    4096 Jan 27 15:22 plugins
drwx------. 2 100471 wheel       6 Jan 29 19:10 png
drwxr-xr-x. 4 100471 wheel      43 Jan 29 19:09 provisioning

example:

$ rm grafana.db
rm: remove write-protected regular file 'grafana.db'? yes
rm: cannot remove 'grafana.db': Permission denied
$

How do we get control of the directory from the host, once the container is deployed?

[xelarro]

You just have to precede with "podman unshare" the command you need to do over those files, eg "podman unshare rm grafana.db"

[hmntsharma]

That works!!. Thank you very much @Garbanzo247 .