podman: 'Permission denied' on volumes in Mac OS with podman machine
Issue Description
When running a dev container on Visual Studio Code, the volume mounted on the container gets permission denied when trying to write, even with --userns=keep-id. The user ID on Mac OS (502) is the same as the user core on the VM.
Without --userns=keep-id the volume is mounted with owner root. Using --userns=keep-id the volume is mounted with the user core. This happens because my user ID on Mac (502) is the same as the user core on the VM where podman runs.
The same error happens when running from the command line the same way vscode runs the container.
╰─λ podman version
Client: Podman Engine
Version: 4.4.1
API Version: 4.4.1
Go Version: go1.19.5
Git Commit: 34e8f3933242f2e566bbbbf343cf69b7d506c1cf
Built: Wed Feb 8 16:03:18 2023
OS/Arch: darwin/amd64
Server: Podman Engine
Version: 4.3.1
API Version: 4.3.1
Go Version: go1.19.2
Built: Fri Nov 11 12:01:27 2022
OS/Arch: linux/amd64
╰─λ podman machine info
Host:
Arch: amd64
CurrentMachine: podman-machine-default
DefaultMachine: podman-machine-default
EventsDir: /var/folders/zw/5s5bnkfj4tn19pnwm22mvw4w0000gp/T/podman-run--1/podman
MachineConfigDir: /Users/renatosilva/.config/containers/podman/machine/qemu
MachineImageDir: /Users/renatosilva/.local/share/containers/podman/machine/qemu
MachineState: Running
NumberOfMachines: 1
OS: darwin
VMType: qemu
Version:
APIVersion: 4.4.1
Built: 1675882998
BuiltTime: Wed Feb 8 16:03:18 2023
GitCommit: 34e8f3933242f2e566bbbbf343cf69b7d506c1cf
GoVersion: go1.19.5
Os: darwin
OsArch: darwin/amd64
Version: 4.4.1
╰─λ podman info
host:
arch: amd64
buildahVersion: 1.28.0
cgroupControllers:
- cpu
- io
- memory
- pids
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.1.5-1.fc37.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.1.5, commit: '
cpuUtilization:
idlePercent: 86.95
systemPercent: 5.57
userPercent: 7.48
cpus: 4
distribution:
distribution: fedora
variant: coreos
version: "37"
eventLogger: journald
hostname: localhost.localdomain
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 1000000
uidmap:
- container_id: 0
host_id: 502
size: 1
- container_id: 1
host_id: 100000
size: 1000000
kernel: 6.1.9-200.fc37.x86_64
linkmode: dynamic
logDriver: journald
memFree: 3205111808
memTotal: 8329478144
networkBackend: netavark
ociRuntime:
name: crun
package: crun-1.7.2-3.fc37.x86_64
path: /usr/bin/crun
version: |-
crun version 1.7.2
commit: 0356bf4aff9a133d655dc13b1d9ac9424706cac4
rundir: /run/user/502/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
os: linux
remoteSocket:
exists: true
path: /run/user/502/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: true
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.2.0-8.fc37.x86_64
version: |-
slirp4netns version 1.2.0
commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.3
swapFree: 0
swapTotal: 0
uptime: 1h 14m 29.00s (Approximately 0.04 days)
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
volume:
- local
registries:
search:
- docker.io
store:
configFile: /var/home/core/.config/containers/storage.conf
containerStore:
number: 2
paused: 0
running: 1
stopped: 1
graphDriverName: overlay
graphOptions: {}
graphRoot: /var/home/core/.local/share/containers/storage
graphRootAllocated: 106769133568
graphRootUsed: 12393795584
graphStatus:
Backing Filesystem: xfs
Native Overlay Diff: "true"
Supports d_type: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 177
runRoot: /run/user/502/containers
transientStore: false
volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
APIVersion: 4.3.1
Built: 1668178887
BuiltTime: Fri Nov 11 12:01:27 2022
GitCommit: ""
GoVersion: go1.19.2
Os: linux
OsArch: linux/amd64
Version: 4.3.1
Steps to reproduce the issue
- Run a container mapping a folder from Mac to the container, setting the user 1000 (the default vscode user for vscode containers) and using --userns=keep-id:
  podman container run -v (pwd)/golive:/workspace/golive --rm -it --user=1000 --userns=keep-id golang bash
- Go to the workspace folder:
  cd /workspace/golive
- Try to create a new file:
  touch test
Describe the results you received
touch: cannot touch 'test': Permission denied
Describe the results you expected
File should be created.
podman info output
host:
arch: amd64
buildahVersion: 1.28.0
cgroupControllers:
- cpu
- io
- memory
- pids
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.1.5-1.fc37.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.1.5, commit: '
cpuUtilization:
idlePercent: 88.15
systemPercent: 5.34
userPercent: 6.5
cpus: 4
distribution:
distribution: fedora
variant: coreos
version: "37"
eventLogger: journald
hostname: localhost.localdomain
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 1000000
uidmap:
- container_id: 0
host_id: 502
size: 1
- container_id: 1
host_id: 100000
size: 1000000
kernel: 6.1.9-200.fc37.x86_64
linkmode: dynamic
logDriver: journald
memFree: 2659549184
memTotal: 8329478144
networkBackend: netavark
ociRuntime:
name: crun
package: crun-1.7.2-3.fc37.x86_64
path: /usr/bin/crun
version: |-
crun version 1.7.2
commit: 0356bf4aff9a133d655dc13b1d9ac9424706cac4
rundir: /run/user/502/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
os: linux
remoteSocket:
exists: true
path: /run/user/502/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: true
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.2.0-8.fc37.x86_64
version: |-
slirp4netns version 1.2.0
commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.3
swapFree: 0
swapTotal: 0
uptime: 1h 25m 23.00s (Approximately 0.04 days)
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
volume:
- local
registries:
search:
- docker.io
store:
configFile: /var/home/core/.config/containers/storage.conf
containerStore:
number: 2
paused: 0
running: 1
stopped: 1
graphDriverName: overlay
graphOptions: {}
graphRoot: /var/home/core/.local/share/containers/storage
graphRootAllocated: 106769133568
graphRootUsed: 13013000192
graphStatus:
Backing Filesystem: xfs
Native Overlay Diff: "true"
Supports d_type: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 178
runRoot: /run/user/502/containers
transientStore: false
volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
APIVersion: 4.3.1
Built: 1668178887
BuiltTime: Fri Nov 11 12:01:27 2022
GitCommit: ""
GoVersion: go1.19.2
Os: linux
OsArch: linux/amd64
Version: 4.3.1
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
About this issue
- State: closed
- Created a year ago
- Comments: 17 (5 by maintainers)
If you use `--userns=keep-id` and `--user` for a different user then this cannot work; only one user can have access unless your files have write permissions for all users. If you want to use a different user (e.g. 1000) then use this: `--userns=keep-id:uid=1000,gid=1000`. This maps the host uid to the container uid 1000.