Startup PermissionError on bind mounts with rootless Podman

[prateeknischal]

I am trying to run the compose using podman in rootless mode. I see the following error,

[yubal] | [15:13:10] INFO     uvicorn.error - Started server process [1]
[yubal] |            INFO     uvicorn.error - Waiting for application startup.
[yubal] |            INFO     yubal_api.api.app - Starting application...
[yubal] | [15:13:11] ERROR    uvicorn.error - Traceback (most recent call last):
[yubal] |                       File
[yubal] |                     "/app/.venv/lib/python3.12/site-packages/starlette/routing.p
[yubal] |                     y", line 694, in lifespan
[yubal] |                         async with self.lifespan_context(app) as maybe_state:
[yubal] |                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^
[yubal] |                       File "/usr/local/lib/python3.12/contextlib.py", line 210,
[yubal] |                     in __aenter__
[yubal] |                         return await anext(self.gen)
[yubal] |                                ^^^^^^^^^^^^^^^^^^^^^
[yubal] |                       File
[yubal] |                     "/app/.venv/lib/python3.12/site-packages/fastapi/routing.py"
[yubal] |                     , line 201, in merged_lifespan
[yubal] |                         async with original_context(app) as
[yubal] |                     maybe_original_state:
[yubal] |                                    ^^^^^^^^^^^^^^^^^^^^^
[yubal] |                       File "/usr/local/lib/python3.12/contextlib.py", line 210,
[yubal] |                     in __aenter__
[yubal] |                         return await anext(self.gen)
[yubal] |                                ^^^^^^^^^^^^^^^^^^^^^
[yubal] |                       File
[yubal] |                     "/app/.venv/lib/python3.12/site-packages/yubal_api/api/app.p
[yubal] |                     y", line 208, in lifespan
[yubal] |                         await asyncio.to_thread(run_migrations)
[yubal] |                       File "/usr/local/lib/python3.12/asyncio/threads.py", line
[yubal] |                     25, in to_thread
[yubal] |                         return await loop.run_in_executor(None, func_call)
[yubal] |                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[yubal] |                       File
[yubal] |                     "/usr/local/lib/python3.12/concurrent/futures/thread.py",
[yubal] |                     line 59, in run
[yubal] |                         result = self.fn(*self.args, **self.kwargs)
[yubal] |                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[yubal] |                       File
[yubal] |                     "/app/.venv/lib/python3.12/site-packages/yubal_api/api/app.p
[yubal] |                     y", line 115, in run_migrations
[yubal] |                         command.upgrade(alembic_cfg, "head")
[yubal] |                       File
[yubal] |                     "/app/.venv/lib/python3.12/site-packages/alembic/command.py"
[yubal] |                     , line 483, in upgrade
[yubal] |                         script.run_env()
[yubal] |                       File
[yubal] |                     "/app/.venv/lib/python3.12/site-packages/alembic/script/base
[yubal] |                     .py", line 545, in run_env
[yubal] |                         util.load_python_file(self.dir, "env.py")
[yubal] |                       File
[yubal] |                     "/app/.venv/lib/python3.12/site-packages/alembic/util/pyfile
[yubal] |                     s.py", line 116, in load_python_file
[yubal] |                         module = load_module_py(module_id, path)
[yubal] |                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[yubal] |                       File
[yubal] |                     "/app/.venv/lib/python3.12/site-packages/alembic/util/pyfile
[yubal] |                     s.py", line 136, in load_module_py
[yubal] |                         spec.loader.exec_module(module)  # type: ignore
[yubal] |                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[yubal] |                       File "<frozen importlib._bootstrap_external>", line 999,
[yubal] |                     in exec_module
[yubal] |                       File "<frozen importlib._bootstrap>", line 488, in
[yubal] |                     _call_with_frames_removed
[yubal] |                       File
[yubal] |                     "/app/.venv/lib/python3.12/site-packages/yubal_api/migration
[yubal] |                     s/env.py", line 18, in <module>
[yubal] |                         settings.db_path.parent.mkdir(parents=True,
[yubal] |                     exist_ok=True)
[yubal] |                       File "/usr/local/lib/python3.12/pathlib.py", line 1311, in
[yubal] |                     mkdir
[yubal] |                         os.mkdir(self, mode)
[yubal] |                     PermissionError: [Errno 13] Permission denied:
[yubal] |                     '/app/config/yubal'
[yubal] |
[yubal] |            ERROR    uvicorn.error - Application startup failed. Exiting.

The user I am running as has an ID of 1000, the same is set in the compose file. The directory mounted to the container is owned by the Id 1000.

---

System Details

$ uname -a
Linux frost 6.17.11-200.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Dec  9 00:25:56 UTC 2025 x86_64 GNU/Linux

$ getenforce
Disabled

$ cat /etc/*release* | head -3
Fedora release 42 (Adams)
NAME="Fedora Linux"
VERSION="42 (Server Edition)"

$ podman --version
podman version 5.7.0

$ podman info --format '{{.Host.Security.Rootless}}'
true

Compose file

services:
  yubal:
    image: ghcr.io/guillevc/yubal:latest
    container_name: yubal
    environment:
      YUBAL_SCHEDULER_CRON: "0 0 * * *"
      YUBAL_DOWNLOAD_UGC: false
      YUBAL_TZ: UTC
    volumes:
      - /mnt/TV/Music:/app/data:Z
      - ./config:/app/config
    restart: unless-stopped

Note: I was on an older version and that was working file, I pulled the latest image and then it broke.

[TomErnst1972]

normally with docker you would do this: (use the equivalent for podman)

cd /wherever your docker-compose.yml is
chown -R 1000:1000 ./
docker compose up -d --force-recreate
docker compose logs -f

[guillevc]

Thanks for reporting and for the detailed system info!

This is caused by a recent change where the container switched from running as root to a non-root user (yubal, UID 1000). If your ./config directory was originally created by the older (root) container, it's owned by root:root, and the new container running as UID 1000 can't create subdirectories inside it.

To fix it, run on the host:

chown -R 1000:1000 ./config

Then restart the container. This should be a one-time fix after upgrading.

[prateeknischal]

The podman process seems to have this process listing,

(nix) [ghost@frost yubal]$ ps -eaf | grep yubal
ghost    3982983       1  0 15:02 ?        00:00:00 /usr/bin/conmon --api-version 1 -c 49094138268c42a3a829f9eb3150a2a0cfefe19b23f50bd813267a11208ed9a6 -u 49094138268c42a3a829f9eb3150a2a0cfefe19b23f50bd813267a11208ed9a6 -r /usr/bin/crun -b /home/ghost/.local/share/containers/storage/overlay-containers/49094138268c42a3a829f9eb3150a2a0cfefe19b23f50bd813267a11208ed9a6/userdata -p /run/user/1000/containers/overlay-containers/49094138268c42a3a829f9eb3150a2a0cfefe19b23f50bd813267a11208ed9a6/userdata/pidfile -n yubal --exit-dir /run/user/1000/libpod/tmp/exits --persist-dir /run/user/1000/libpod/tmp/persist/49094138268c42a3a829f9eb3150a2a0cfefe19b23f50bd813267a11208ed9a6 --full-attach -s -l journald --log-level warning --syslog --runtime-arg --log-format=json --runtime-arg --log --runtime-arg=/run/user/1000/containers/overlay-containers/49094138268c42a3a829f9eb3150a2a0cfefe19b23f50bd813267a11208ed9a6/userdata/oci-log --conmon-pidfile /run/user/1000/containers/overlay-containers/49094138268c42a3a829f9eb3150a2a0cfefe19b23f50bd813267a11208ed9a6/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/ghost/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /run/user/1000/containers --exit-command-arg --log-level --exit-command-arg warning --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/user/1000/libpod/tmp --exit-command-arg --network-config-dir --exit-command-arg  --exit-command-arg --network-backend --exit-command-arg netavark --exit-command-arg --volumepath --exit-command-arg /home/ghost/.local/share/containers/storage/volumes --exit-command-arg --db-backend --exit-command-arg sqlite --exit-command-arg --transient-store=false --exit-command-arg --hooks-dir --exit-command-arg /usr/share/containers/oci/hooks.d --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --stopped-only --exit-command-arg 49094138268c42a3a829f9eb3150a2a0cfefe19b23f50bd813267a11208ed9a6
525287   3982985 3982983 98 15:02 ?        00:00:00 python -m yubal_api

The user isn't really UID 1000.

I tried moving to a+rwx permissions on the config folder and then the container started successfully. Hopefully this helps others!

[guillevc]

I will take a lookat this

[guillevc]

Will set up PUID and PGUID env variables to better support rootless Podman, which will get released in v0.8.0

[guillevc]

@prateeknischal In the meantime, you can work around this by adding --userns=keep-id to your Podman command:

podman run --userns=keep-id ...

Or in a compose file:

services:
  yubal:
    userns_mode: keep-id

This maps your host UID directly into the container, bypassing the namespace mismatch.