
Mounted filesystems not honoring group permissions from host #68

Open
wholtz opened this issue May 31, 2023 · 3 comments

Comments

@wholtz

wholtz commented May 31, 2023

wjholtz@login21:/global/cfs/cdirs/m342/USA/shared-repos$ groups
wjholtz genome m342 m1541 openmsi gentech gtrnd metatlas c_pasteur m2650 spin-restricted rancher2_user c_msdata
wjholtz@login21:/global/cfs/cdirs/m342/USA/shared-repos$ ls -ld rna-count
drwxr-s--- 9 dapeters m342 16384 Apr 13 10:14 rna-count
wjholtz@login21:/global/cfs/cdirs/m342/USA/shared-repos$ ls -1 rna-count/ | wc -l
6
wjholtz@login21:/global/cfs/cdirs/m342/USA/shared-repos$ podman-hpc run --rm -it --volume $(pwd):$(pwd) -w $(pwd) -u 0:0 docker.io/library/debian:bullseye-slim ls rna-count
ls: cannot open directory 'rna-count': Permission denied
wjholtz@login21:/global/cfs/cdirs/m342/USA/shared-repos$ podman-hpc run --rm -it --volume $(pwd):$(pwd) -w $(pwd) docker.io/library/debian:bullseye-slim ls rna-count
ls: cannot open directory 'rna-count': Permission denied

I expected that my host group membership would determine what bind-mounted files I can access from within the container. But it appears that files need to be accessible on the host by my host uid or everyone.

@nathanweeks

Have you tried adding an option like --userns=keep-id:gid=$(stat -c '%g' .) to map the user account in the container to the gid of the $(pwd) directory (or just hard-coding the gid instead of $(stat -c '%g' .))?

@danfulton
Member

> Have you tried adding an option like --userns=keep-id:gid=$(stat -c '%g' .) to map the user account in the container to the gid of the $(pwd) directory (or just hard-coding the gid instead of $(stat -c '%g' .))?

Currently, this will not work. The ability to map file system groups into rootless user namespaces is dictated by the /etc/subgid configuration file, and this affects all container runtimes, not just podman-hpc. The --userns=keep-id setting specifies a specific mapping, but will only work when auxiliary groups are present in the /etc/subgid file.

We are currently looking at adding these entries to the config in the near future.
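To make the /etc/subgid point above concrete, here is an added POSIX shell check (not podman-hpc code and not from any commenter) that decides whether a host gid is one the caller is allowed to map into a rootless user namespace: it must be the user's primary gid or fall inside a range granted to that user in /etc/subgid. The subgid contents below are a constructed sample.

```shell
#!/bin/sh
# Added example, not podman-hpc code: decide whether a host gid can be mapped
# into a rootless user namespace for a given user. Rootless runtimes may only
# map the user's own primary gid plus the ranges granted in /etc/subgid
# (lines of the form "user:start:count", meaning gids [start, start+count)).
# Host project groups are typically outside those ranges, which is why
# --userns=keep-id:gid=<gid> fails until an entry for them is added.
# (Entries keyed by numeric uid instead of username are not handled here.)

# gid_mappable USER GID PRIMARY_GID SUBGID_FILE
# exit status 0 if GID is mappable for USER, 1 otherwise
gid_mappable() {
    user=$1; gid=$2; primary=$3; subgid_file=$4
    [ "$gid" -eq "$primary" ] && return 0
    while IFS=: read -r name start count; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks/comments
        [ "$name" = "$user" ] || continue            # other users' entries
        if [ "$gid" -ge "$start" ] && [ "$gid" -lt $((start + count)) ]; then
            return 0
        fi
    done < "$subgid_file"
    return 1
}

# Convenience wrapper for the live host: can I map the owning gid of DIR?
# (uses GNU stat, as in the thread; /etc/subgid must be readable)
dir_gid_mappable() {
    gid_mappable "$(id -un)" "$(stat -c '%g' "$1")" "$(id -g)" /etc/subgid
}

# Constructed sample subgid file (not from any real system) for a demo run.
SAMPLE_SUBGID=$(mktemp)
trap 'rm -f "$SAMPLE_SUBGID"' EXIT
cat > "$SAMPLE_SUBGID" <<'EOF'
# constructed sample
wjholtz:100000:65536
other:165536:65536
EOF

for g in 1001 100100 58000 170000; do
    if gid_mappable wjholtz "$g" 1001 "$SAMPLE_SUBGID"; then
        echo "gid $g: mappable"
    else
        echo "gid $g: NOT mappable (not primary gid and not in a subgid range)"
    fi
done
```

Running `dir_gid_mappable .` on the host before trying `--userns=keep-id:gid=$(stat -c '%g' .)` tells you in advance whether the mapping can succeed.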

@nathanweeks

> Have you tried adding an option like --userns=keep-id:gid=$(stat -c '%g' .) to map the user account in the container to the gid of the $(pwd) directory (or just hard-coding the gid instead of $(stat -c '%g' .))?
>
> Currently, this will not work. The ability to map file system groups into rootless user namespaces is dictated by the /etc/subgid configuration file, and this affects all container runtimes, not just podman-hpc. The --userns=keep-id setting specifies a specific mapping, but will only work when auxiliary groups are present in the /etc/subgid file.
>
> We are currently looking at adding these entries to the config in the near future.

OK, I think I understand why I mistakenly thought --userns=keep-id:gid=$(stat -c '%g' .) would work: I was in a directory that was readable by "everyone". However, its parent directory had more-restrictive permissions, and not everyone could traverse through the parent directory---which I suppose could be a reasonable workaround for this issue in some cases.
