podman: Wrong ownership of volume created with `podman volume create`

/kind bug

Description

Volume created with podman volume create is owned by root:root in podman 3, despite being mount to a directory owned by quakus:quarkus. The issue is not present in podman 2.

Steps to reproduce the issue:

podman volume create test-volume
podman run --rm --entrypoint /bin/bash -v test-volume:/project quay.io/quarkus/ubi-quarkus-native-image:21.0.0-java11 -c "ls -la"

Describe the results you received:

total 0
drwxr-xr-x.  2 root root 6 Mar  3 22:51 .
dr-xr-xr-x. 19 root root 6 Mar  3 22:51 ..

Describe the results you expected:

total 0
drwxr-xr-x.  2 quarkus quarkus 6 Mar  3 22:52 .
dr-xr-xr-x. 19 root    root    6 Mar  3 22:52 ..

Additional information you deem important (e.g. issue happens only occasionally):

This works as expected in podman 2.

It also works in podman 3 if I create the volume implicitly through podman run or podman create, e.g.:

$ podman create -v test-volume:/project quay.io/quarkus/ubi-quarkus-native-image:21.0.0-java11
$ podman run --rm --entrypoint /bin/bash -v test-volume:/project registry.access.redhat.com/quarkus/mandrel-20-rhel8:latest -c "ls -la"
total 0
drwxr-xr-x.  2 quarkus quarkus 6 Mar  3 23:08 .
dr-xr-xr-x. 19 root    root    6 Mar  3 23:08 ..

Output of podman version:

Version:      3.0.1
API Version:  3.0.0
Go Version:   go1.15.8
Built:        Fri Feb 19 18:56:17 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.19.4
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.26-1.fc33.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.26, commit: 777074ecdb5e883b9bec233f3630c5e7fa37d521'
  cpus: 8
  distribution:
    distribution: fedora
    version: "33"
  eventLogger: journald
  hostname: slimhat
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.10.19-200.fc33.x86_64
  linkmode: dynamic
  memFree: 15687917568
  memTotal: 33436680192
  ociRuntime:
    name: crun
    package: crun-0.18-1.fc33.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.18
      commit: 808420efe3dc2b44d6db9f1a3fac8361dde42a95
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.8-1.fc33.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 12884893696
  swapTotal: 12884893696
  uptime: 9h 52m 54.98s (Approximately 0.38 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/zakkak/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.4.0-1.fc33.x86_64
      Version: |-
        fusermount3 version: 3.9.3
        fuse-overlayfs: version 1.4
        FUSE library version 3.9.3
        using FUSE kernel interface version 7.31
  graphRoot: /home/zakkak/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 30
  runRoot: /run/user/1000/containers
  volumePath: /home/zakkak/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 1613753777
  BuiltTime: Fri Feb 19 18:56:17 2021
  GitCommit: ""
  GoVersion: go1.15.8
  OsArch: linux/amd64
  Version: 3.0.1

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.0.1-1.fc33.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

About this issue

Original URL
State: closed
Created 3 years ago
Reactions: 2
Comments: 16 (16 by maintainers)

Commits related to this issue

Ensure manually-created volumes have correct ownership As part of a fix for an earlier bug (#5698) we added the ability for Podman to chown volumes to correctly match the user running in the containe... — committed to mheon/libpod by mheon 3 years ago
Ensure manually-created volumes have correct ownership As part of a fix for an earlier bug (#5698) we added the ability for Podman to chown volumes to correctly match the user running in the containe... — committed to mheon/libpod by mheon 3 years ago
Ensure manually-created volumes have correct ownership As part of a fix for an earlier bug (#5698) we added the ability for Podman to chown volumes to correctly match the user running in the containe... — committed to mheon/libpod by mheon 3 years ago
Ensure manually-created volumes have correct ownership As part of a fix for an earlier bug (#5698) we added the ability for Podman to chown volumes to correctly match the user running in the containe... — committed to mheon/libpod by mheon 3 years ago
Ensure manually-created volumes have correct ownership As part of a fix for an earlier bug (#5698) we added the ability for Podman to chown volumes to correctly match the user running in the containe... — committed to jmguzik/podman by mheon 3 years ago

Most upvoted comments

Hey @EduardoVega and @mheon thanks for the replys and taking the time to clear things up for me. You are right it does work!

I pointed out in my OP to this issue that the entrypoint in the official elasticsearch container does run as the root user but then drops to run as elasticsearch:root if it is starting up elasticsearch:

Will your PR fix this issue too? The reason why I ask is becuase the Elasticsearch container runs as root but uses the entry point to run as the elasticsearch user https://github.com/elastic/elasticsearch/blob/7.5/distribution/docker/src/docker/bin/docker-entrypoint.sh so I think with the changes in Podman 3 this container will still be broken compared to it’s old behavior in Podman 2.

I am able to get elasticsearch running in my systemd unit by adding --user elasticsearch:root and using this as the volume mount --volume /opt/elasticsearch/data/elasticsearch:/usr/share/elasticsearch/data:U,Z.

jdoss on Apr 9, 2021

https://github.com/containers/podman/pull/9768 should fix

mheon on Mar 19, 2021

@jdoss I just tested with my PR and it looks as though it’s working properly - the data directory is owned by elasticsearch root

mheon on Mar 24, 2021

I’ll take a look next week.

mheon on Mar 12, 2021