podman: Build with `--mount=type=bind` can't access the mounted folder
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
I’m trying to make my Dockerfile more compatible with podman and seeing an error when I mount the current directory with RUN --mount=type=bind. This works with docker. I couldn’t find much in the docs about this and the parameters supported by bind.
With a Dockerfile with a step like this:
RUN --mount=type=bind,target=/tmp/files/ ls -la /tmp; cp -a /tmp/files/some_file /
(I’ve added the ls -la for debug)
Steps to reproduce the issue:
podman build -f Dockerfile .
Describe the results you received:
total 4
drwxr-xr-t. 3 root root 19 Aug 23 01:31 .
dr-xr-xr-x. 1 root root 61 Aug 23 01:31 ..
drwx------. 13 root root 4096 Aug 23 01:31 files
cp: cannot stat '/tmp/files/some_file': Permission denied
Describe the results you expected:
I wouldn’t expect any errors, and I’d expect the file to be copied to the root folder /
This is the output from the ls -la with docker, so maybe it’s mounted with the wrong permissions? But I’m assuming this runs as root, so it should be able to access the directory anyway
#16 0.209 total 16
#16 0.209 drwxrwxrwt 1 root root 4096 Aug 23 01:43 .
#16 0.209 drwxr-xr-x 1 root root 4096 Aug 23 01:43 ..
#16 0.209 drwxr-xr-x 13 root root 4096 Aug 23 01:43 files
Additional information you deem important (e.g. issue happens only occasionally):
Output of podman version:
❯ podman version
Client: Podman Engine
Version: 4.2.0
API Version: 4.2.0
Go Version: go1.18.5
Built: Wed Aug 10 13:46:05 2022
OS/Arch: darwin/arm64
Server: Podman Engine
Version: 4.2.0
API Version: 4.2.0
Go Version: go1.18.4
Built: Thu Aug 11 07:43:11 2022
OS/Arch: linux/arm64
Output of podman info:
❯ podman info
host:
arch: arm64
buildahVersion: 1.27.0
cgroupControllers:
- cpu
- io
- memory
- pids
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.1.0-2.fc36.aarch64
path: /usr/bin/conmon
version: 'conmon version 2.1.0, commit: '
cpuUtilization:
idlePercent: 96.82
systemPercent: 1.85
userPercent: 1.33
cpus: 1
distribution:
distribution: fedora
variant: coreos
version: "36"
eventLogger: journald
hostname: localhost.localdomain
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 1000000
uidmap:
- container_id: 0
host_id: 502
size: 1
- container_id: 1
host_id: 100000
size: 1000000
kernel: 5.18.18-200.fc36.aarch64
linkmode: dynamic
logDriver: journald
memFree: 1124417536
memTotal: 2051829760
networkBackend: netavark
ociRuntime:
name: crun
package: crun-1.5-1.fc36.aarch64
path: /usr/bin/crun
version: |-
crun version 1.5
commit: 54ebb8ca8bf7e6ddae2eb919f5b82d1d96863dea
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
os: linux
remoteSocket:
exists: true
path: /run/user/502/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: true
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.2.0-0.2.beta.0.fc36.aarch64
version: |-
slirp4netns version 1.2.0-beta.0
commit: 477db14a24ff1a3de3a705e51ca2c4c1fe3dda64
libslirp: 4.6.1
SLIRP_CONFIG_VERSION_MAX: 3
libseccomp: 2.5.3
swapFree: 0
swapTotal: 0
uptime: 0h 21m 25.00s
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
volume:
- local
registries:
search:
- docker.io
store:
configFile: /var/home/core/.config/containers/storage.conf
containerStore:
number: 0
paused: 0
running: 0
stopped: 0
graphDriverName: overlay
graphOptions: {}
graphRoot: /var/home/core/.local/share/containers/storage
graphRootAllocated: 106825756672
graphRootUsed: 2427838464
graphStatus:
Backing Filesystem: xfs
Native Overlay Diff: "true"
Supports d_type: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 11
runRoot: /run/user/502/containers
volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
APIVersion: 4.2.0
Built: 1660228991
BuiltTime: Thu Aug 11 07:43:11 2022
GitCommit: ""
GoVersion: go1.18.4
Os: linux
OsArch: linux/arm64
Version: 4.2.0
Package info (e.g. output of rpm -q podman or apt list podman):
❯ brew info podman
podman: stable 4.2.0 (bottled), HEAD
Tool for managing OCI containers and pods
https://podman.io/
/opt/homebrew/Cellar/podman/4.2.0 (178 files, 48MB) *
Poured from bottle on 2022-08-11 at 18:04:03
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/podman.rb
License: Apache-2.0
==> Dependencies
Build: go-md2man ✘, go@1.18 ✘
Required: qemu ✔
==> Options
--HEAD
Install HEAD version
==> Caveats
zsh completions have been installed to:
/opt/homebrew/share/zsh/site-functions
==> Analytics
install: 20,983 (30 days), 57,715 (90 days), 194,460 (365 days)
install-on-request: 20,594 (30 days), 56,984 (90 days), 193,671 (365 days)
build-error: 40 (30 days)
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)
Yes
About this issue
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 22 (8 by maintainers)
If the ,z option is not recognized by Docker, then this is a bug in Docker. Docker has SELinux support, and without a relabel the source directory will not be allowed to be used within the VM. I would check that Docker is running with --selinux-enabled, and then you should see a failure.
SELinux separation has prevented many container escapes, and is the best tool for protecting the file system from container escape.
Since this is working correctly in Podman, I am going to close this issue.
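As an added illustration (not part of the issue or the podman project), this is the reporter's RUN --mount line with the SELinux relabel option the comment above refers to; the base image and the presence of some_file in the build context are assumptions.

```dockerfile
# Added example, not from the issue: base image is an assumption.
FROM docker.io/library/fedora:36

# Original form from the report. Without a relabel the bind-mounted build
# context keeps its host SELinux label, and the build container is denied
# access even though the RUN step executes as root:
# RUN --mount=type=bind,target=/tmp/files/ cp -a /tmp/files/some_file /

# ",z" relabels the source with a shared content label (",Z" would give a
# private one), so the build container may read it. "ls -laZ" shows the
# labels so a failing mount can be diagnosed before the cp.
RUN --mount=type=bind,target=/tmp/files/,z \
    ls -laZ /tmp/files && cp -a /tmp/files/some_file /
```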
Ideally, I would like to find something that works seamlessly across docker and podman in every scenario (not just on macOS). Do you think there’s any other way to make the mount work? 🤔