Volumes #14

Open
PedroRegisPOAR opened this issue Aug 30, 2022 · 1 comment

Comments


PedroRegisPOAR commented Aug 30, 2022

Abstract

This issue is devoted to collecting links/documentation about "volumes".

Details

WIP:

podman \
run \
--interactive=true \
--tty=true \
--user=podman \
--volume=$(pwd):/home/podman/data:U \
quay.io/podman/stable \
bash \
-c \
'cat /etc/passwd && ls -al $HOME/data'
podman run --interactive=true --tty=true --user=podman --volume=$(pwd):/home/podman/data:U quay.io/podman/stable bash -c 'cat /etc/passwd && ls -al $HOME/data'

echo 'Lorem ipsum' > log.txt \
&& stat log.txt \
&& podman run -it --rm -u "$(id -u)":"$(id -g)" -v "$(pwd)":/data \
   docker.io/library/alpine sh -c 'ls -al / && ! touch /proc 2> /dev/null && touch /data/log.txt' \
&& echo $?

stat log.txt
touch log.txt


quay.io/podman/stable


sudo su -c ''

sudo addgroup abcgroup --gid 4455  \
&& sudo adduser -q \
     --gecos '"An unprivileged user with a group"' \
     --disabled-password \
     --ingroup abcgroup \
     --uid 3322 \
     abcuser


sudo su -c "echo 'export PATH=/home/abcuser/bin:/usr/local/bin:/usr/local/games:/snap/bin' >> /home/abcuser/.bashrc"

sudo su -c 'exec su abcuser'


https://unix.stackexchange.com/a/595152

Refs.:
- https://unix.stackexchange.com/a/117943
- https://wiki.alpinelinux.org/wiki/Setting_up_a_new_user


mkdir fbar
podman unshare chown 123:123 ./fbar
podman run -it --volume fbar:/dest --user 123:123 --name busybox busybox


echo 'Lorem ipsum' > log.txt \
&& stat log.txt \
&& podman \
     run \
     -it \
     --rm \
     -u "$(id -u)":"$(id -g)" \
     -v "$(pwd)":/data \
   docker.io/library/alpine sh -c 'ls -al / && ! touch /proc 2> /dev/null && touch /data/log.txt' \
&& echo $?
mkdir dir1
echo hello > dir1/file.txt
chmod 700 dir1/file.txt
subuidSize=$(( $(podman info --format "{{ range .Host.IDMappings.UIDMap }}+{{.Size }}{{end }}" ) - 1 ))
subgidSize=$(( $(podman info --format "{{ range .Host.IDMappings.GIDMap }}+{{.Size }}{{end }}" ) - 1 ))
# UID is a read-only variable in bash and is already set to $(id -u); assigning it fails
GID="$(id -g)"
podman \
run \
--rm \
-v ./dir1:/dir1 \
--user "${UID}":"${GID}" \
--uidmap "${UID}":0:1 \
--uidmap 0:1:"${UID}" \
--uidmap $(("${UID}"+1)):$(("${UID}"+1)):$(($subuidSize-"${UID}")) \
--gidmap "${GID}":0:1 \
--gidmap 0:1:"${GID}" \
--gidmap $(("${GID}"+1)):$(("${GID}"+1)):$(($subgidSize-"${GID}")) \
docker.io/library/alpine \
cat \
/dir1/file.txt
stat dir1/file.txt
podman \
run \
--rm \
-it \
-v ./dir1:/dir1 \
--user "${UID}":"${GID}" \
--uidmap "${UID}":0:1 \
--uidmap 0:1:"${UID}" \
--uidmap $(("${UID}"+1)):$(("${UID}"+1)):$(($subuidSize-"${UID}")) \
--gidmap "${GID}":0:1 \
--gidmap 0:1:"${GID}" \
--gidmap $(("${GID}"+1)):$(("${GID}"+1)):$(($subgidSize-"${GID}")) \
docker.io/library/alpine
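The three `--uidmap` triples above are only half of the picture for a rootless container: the "host" side of each triple is relative to the rootless user namespace (0 is the user's own uid, 1..N the /etc/subuid range that `podman info` reports as `Host.IDMappings.UIDMap`), so a file's owner on disk is the result of two mappings. The following script is an added example, not from the issue or from podman itself; it resolves container uids through both stages using constructed sample values (uid 1000, 65536 subuids starting at 100000) in place of a real `podman info` query.

```shell
#!/bin/sh
# Added example: resolve which HOST uid a CONTAINER uid lands on under the
# two-stage mapping rootless podman applies:
#   stage 1: the --uidmap triples given to `podman run`
#            (container_uid:intermediate_uid:size; intermediate 0 is the
#            rootless user, 1..N are the user's /etc/subuid entries)
#   stage 2: the rootless user namespace itself (Host.IDMappings.UIDMap).
# Maps are whitespace-separated "from:to:size" triples.

# map_one MAP ID -> prints the mapped id; returns 1 if ID is not mapped
map_one() {
    _map=$1; _id=$2
    for _t in $_map; do
        _from=${_t%%:*}; _rest=${_t#*:}
        _to=${_rest%%:*}; _size=${_rest#*:}
        if [ "$_id" -ge "$_from" ] && [ "$_id" -lt $((_from + _size)) ]; then
            echo $((_to + _id - _from))
            return 0
        fi
    done
    return 1
}

# host_uid_of CONTAINER_UID RUN_MAP ROOTLESS_MAP -> host uid, or "unmapped"
host_uid_of() {
    _mid=$(map_one "$2" "$1") || { echo unmapped; return 0; }
    map_one "$3" "$_mid" || echo unmapped
}

# Constructed sample (assumption): user uid 1000 with 65536 subuids from 100000,
# i.e. podman info would show UIDMap 0->1000 (size 1) and 1->100000 (size 65536).
ROOTLESS_MAP="0:1000:1 1:100000:65536"

# The issue's three triples with UID=1000; subuidSize as the issue computes it
# (sum of the UIDMap sizes minus 1) is 65536 for this sample.
myuid=1000
subuidsize=65536
RUN_MAP="$myuid:0:1 0:1:$myuid $((myuid + 1)):$((myuid + 1)):$((subuidsize - myuid))"

# Running `sh this.sh` prints where root, the user's uid and a few others land.
for cuid in 0 $myuid $((myuid + 1)) $((subuidsize + 1)); do
    echo "container uid $cuid -> host uid $(host_uid_of "$cuid" "$RUN_MAP" "$ROOTLESS_MAP")"
done
```

With this map, a file created by container uid 1000 (the `--user` above) is owned by your own uid on the host, while anything created by container root is owned by the first subuid, which is why `chmod 700` files in a bind mount are readable in one case and not the other.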

PedroRegisPOAR commented Oct 22, 2022

Using an Alpine OCI image run with podman

Creating an environment to play inside:

cat > Containerfile << 'EOF'
FROM alpine:3.16.1
RUN apk add --no-cache \
     ca-certificates \
     curl \
     shadow \
     tar \
     xz \
 && mkdir -m 0777 /nix
EOF

podman \
build \
--file=Containerfile \
--tag=unprivileged-alpine3161 .
VOLUME_DIR=code
rm -frv "$VOLUME_DIR"; test -d "$VOLUME_DIR" || mkdir -pv "$VOLUME_DIR"
echo

nix run nixpkgs#xorg.xhost -- + 

podman \
run \
--annotation run.oci.keep_original_groups=1 \
--device=/dev/fuse:rw \
--device=/dev/kvm:rw \
--env="DISPLAY=${DISPLAY:-:0.0}" \
--env="HOME=${HOME:-/home/someuser}" \
--env="PATH=/home/$USER/.nix-profile/bin:/home/$USER/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
--env="TMPDIR=${HOME}" \
--env="USER=${USER:-someuser}" \
--group-add=keep-groups \
--hostname=alpine-container \
--interactive=true \
--name=conteiner-unprivileged-alpine \
--privileged=true \
--tty=true \
--userns=keep-id \
--rm=true \
--volume="$(pwd)"/"$VOLUME_DIR":/home/"${USER}":U \
--volume=/tmp/.X11-unix:/tmp/.X11-unix:ro \
--workdir=/home/"${USER}" \
localhost/unprivileged-alpine3161:latest \
sh \
-c \
'
id
echo
 
groups
echo

echo abcdefg > foo.txt
stat -c %u .
stat -c %u /home/"${USER}"
' \
&& stat -c %u "$VOLUME_DIR"/foo.txt
VOLUME_DIR=data
rm -frv "$VOLUME_DIR"; test -d "$VOLUME_DIR" || mkdir -pv "$VOLUME_DIR"
echo

# nix run nixpkgs#xorg.xhost -- + 

podman \
run \
--annotation run.oci.keep_original_groups=1 \
--device=/dev/fuse:rw \
--device=/dev/kvm:rw \
--env="DISPLAY=${DISPLAY:-:0.0}" \
--env="HOME=${HOME:-/home/someuser}" \
--env="PATH=/home/$USER/.nix-profile/bin:/home/$USER/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
--env="TMPDIR=${HOME}" \
--env="USER=${USER:-someuser}" \
--group-add=keep-groups \
--hostname=alpine-container \
--interactive=true \
--name=conteiner-unprivileged-alpine \
--privileged=true \
--tty=true \
--userns=keep-id \
--rm=true \
--volume="$(pwd)"/"$VOLUME_DIR":/home/"${USER}":U \
--volume=/tmp/.X11-unix:/tmp/.X11-unix:ro \
--workdir=/home/"${USER}" \
localhost/unprivileged-alpine3161:latest \
sh \
-c \
'
id
echo
 
groups
echo

echo abcdefg > foo.txt
stat -c %u .
stat -c %u /home/"${USER}"
' \
&& stat -c %u "$VOLUME_DIR"/foo.txt
'! [ "$(stat -c %u .)" = 0 ]; echo "$?"'
podman \
exec \
--interactive=true \
--tty=false \
--user=0 \
conteiner-alpine \
sh<<COMMANDS
apk add --no-cache \
     ca-certificates \
     curl \
     shadow \
     tar \
     xz \
&& mkdir /nix && chmod 1777 /nix
COMMANDS
podman \
exec \
--interactive=true \
--tty=false \
--user=0 \
conteiner-alpine \
sh<<COMMANDS
ls -al /nix
mkdir -m 777 /nix
COMMANDS
