
'Permission denied' on volumes in Mac OS with podman machine #17560

Closed
ReeSilva opened this issue Feb 17, 2023 · 17 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. macos MacOS (OSX) related remote Problem is in podman-remote

Comments

@ReeSilva

ReeSilva commented Feb 17, 2023

Issue Description

When running a dev container on Visual Studio Code, the volume mounted on the container gets permission denied when trying to write, even with --userns=keep-id. The user ID on Mac OS (502) is the same as the user core on the VM.

Without --userns=keep-id the volume is mounted with owner root. Using --userns=keep-id the volume is mounted with the user core. This happens because my user ID on Mac (502) is the same as the user core on the VM where podman runs.

The same error happens if running from the command line the same way vscode runs the container.

 ╰─λ podman version
Client:       Podman Engine
Version:      4.4.1
API Version:  4.4.1
Go Version:   go1.19.5
Git Commit:   34e8f3933242f2e566bbbbf343cf69b7d506c1cf
Built:        Wed Feb  8 16:03:18 2023
OS/Arch:      darwin/amd64

Server:       Podman Engine
Version:      4.3.1
API Version:  4.3.1
Go Version:   go1.19.2
Built:        Fri Nov 11 12:01:27 2022
OS/Arch:      linux/amd64
 ╰─λ podman machine info
Host:
  Arch: amd64
  CurrentMachine: podman-machine-default
  DefaultMachine: podman-machine-default
  EventsDir: /var/folders/zw/5s5bnkfj4tn19pnwm22mvw4w0000gp/T/podman-run--1/podman
  MachineConfigDir: /Users/renatosilva/.config/containers/podman/machine/qemu
  MachineImageDir: /Users/renatosilva/.local/share/containers/podman/machine/qemu
  MachineState: Running
  NumberOfMachines: 1
  OS: darwin
  VMType: qemu
Version:
  APIVersion: 4.4.1
  Built: 1675882998
  BuiltTime: Wed Feb  8 16:03:18 2023
  GitCommit: 34e8f3933242f2e566bbbbf343cf69b7d506c1cf
  GoVersion: go1.19.5
  Os: darwin
  OsArch: darwin/amd64
  Version: 4.4.1
 ╰─λ podman info
host:
  arch: amd64
  buildahVersion: 1.28.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.5-1.fc37.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.5, commit: '
  cpuUtilization:
    idlePercent: 86.95
    systemPercent: 5.57
    userPercent: 7.48
  cpus: 4
  distribution:
    distribution: fedora
    variant: coreos
    version: "37"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 1000000
    uidmap:
    - container_id: 0
      host_id: 502
      size: 1
    - container_id: 1
      host_id: 100000
      size: 1000000
  kernel: 6.1.9-200.fc37.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 3205111808
  memTotal: 8329478144
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.7.2-3.fc37.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.7.2
      commit: 0356bf4aff9a133d655dc13b1d9ac9424706cac4
      rundir: /run/user/502/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/502/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-8.fc37.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 1h 14m 29.00s (Approximately 0.04 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 1
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphRootAllocated: 106769133568
  graphRootUsed: 12393795584
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 177
  runRoot: /run/user/502/containers
  transientStore: false
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 1668178887
  BuiltTime: Fri Nov 11 12:01:27 2022
  GitCommit: ""
  GoVersion: go1.19.2
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1

Steps to reproduce the issue


  1. Run a container mapping a folder from the Mac to the container, setting user 1000 (the default vscode user for vscode containers) and using --userns=keep-id: podman container run -v (pwd)/golive:/workspace/golive --rm -it --user=1000 --userns=keep-id golang bash
  2. Go to the workspace folder: cd /workspace/golive
  3. Try to create a new file: touch test

Describe the results you received

touch: cannot touch 'test': Permission denied

Describe the results you expected

File should be created.

podman info output

host:
  arch: amd64
  buildahVersion: 1.28.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.5-1.fc37.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.5, commit: '
  cpuUtilization:
    idlePercent: 88.15
    systemPercent: 5.34
    userPercent: 6.5
  cpus: 4
  distribution:
    distribution: fedora
    variant: coreos
    version: "37"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 1000000
    uidmap:
    - container_id: 0
      host_id: 502
      size: 1
    - container_id: 1
      host_id: 100000
      size: 1000000
  kernel: 6.1.9-200.fc37.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 2659549184
  memTotal: 8329478144
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.7.2-3.fc37.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.7.2
      commit: 0356bf4aff9a133d655dc13b1d9ac9424706cac4
      rundir: /run/user/502/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/502/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-8.fc37.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 1h 25m 23.00s (Approximately 0.04 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 1
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphRootAllocated: 106769133568
  graphRootUsed: 13013000192
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 178
  runRoot: /run/user/502/containers
  transientStore: false
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 1668178887
  BuiltTime: Fri Nov 11 12:01:27 2022
  GitCommit: ""
  GoVersion: go1.19.2
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details


Additional information


@ReeSilva ReeSilva added the kind/bug Categorizes issue or PR as related to a bug. label Feb 17, 2023
@github-actions github-actions bot added macos MacOS (OSX) related remote Problem is in podman-remote labels Feb 17, 2023
@rishabhj1717

I am facing a very similar issue on my own system. This has started occurring only in the past few days. Could someone help here?

@binaryfields

I also ran into this issue after upgrading to podman 4.4.1 on M1 Mac.

Host:
  Arch: arm64
  CurrentMachine: podman-machine-default
  DefaultMachine: podman-machine-default
  EventsDir: /var/folders/d6/qy3nc_9s10794kl8t8z0j6kw0000gn/T/podman-run--1/podman
  MachineConfigDir: /Users/one/.config/containers/podman/machine/qemu
  MachineImageDir: /Users/one/.local/share/containers/podman/machine/qemu
  MachineState: Running
  NumberOfMachines: 1
  OS: darwin
  VMType: qemu
Version:
  APIVersion: 4.4.2
  Built: 1677167961
  BuiltTime: Thu Feb 23 10:59:21 2023
  GitCommit: 74afe26887f814d1c39925a1624851ef3590e79c
  GoVersion: go1.20.1
  Os: darwin
  OsArch: darwin/arm64
  Version: 4.4.2

I'm running a docker.io/elasticsearch:7.17.9 container which tries to 'chroot --userspec=1000:0 /' and fails with 'chroot: cannot change root directory to '/': Operation not permitted'.

@binaryfields

In my case, adding the SYS_CHROOT capability fixed it. It looks like podman changed the default container capabilities in 4.4.

@rhatdan
Member

rhatdan commented Feb 28, 2023

Yes.
See https://github.com/containers/podman/releases/tag/v4.4.2

Not sure the other reporters are complaining about chroot.

@rishabhj1717

rishabhj1717 commented Mar 1, 2023

It fails for me with the error 'chroot: cannot change root directory to '/': Operation not permitted'. I'm running a docker.io/elasticsearch:7.17.9 container. For the moment I have used privileged: true as a workaround.

@rhatdan
Member

rhatdan commented Mar 1, 2023

--cap-add sys_chroot fixes this issue. But that is not what @ReeSilva was reporting above.

@github-actions

github-actions bot commented Apr 1, 2023

A friendly reminder that this issue had no activity for 30 days.

@rhatdan
Member

rhatdan commented Apr 3, 2023

Since we have heard no further input, closing.

@rhatdan rhatdan closed this as completed Apr 3, 2023
@ReeSilva
Author

ReeSilva commented Apr 5, 2023

@rhatdan what kind of input do you need? The problem still exists :/ Can we reopen the issue?

@rhatdan rhatdan reopened this Apr 6, 2023
@rhatdan
Member

rhatdan commented Apr 6, 2023

Did --cap-add CAP_CHROOT work for you?

@fc7

fc7 commented Apr 7, 2023

I can reproduce the issue reported by @ReeSilva on a Mac M1 with podman client 4.4.4 and podman server 4.4.2. Adding --cap-add CAP_SYS_CHROOT did not help.

@aparcar

aparcar commented Apr 10, 2023

I'm seeing the same issue and would say that chroot is unrelated.

@ReeSilva
Author

Nope, chroot is unrelated, as pointed out in some replies.

@okash1n

okash1n commented Apr 16, 2023

I have the same issue on an M2 Mac and vscode. Adding --cap-add CAP_SYS_CHROOT did not help either.

@Luap99
Member

Luap99 commented May 15, 2023

If you use --userns=keep-id and --user for a different user, then this cannot work; only one user can have access unless your files have write permissions for all users.
If you want to use a different user (e.g. 1000), then use --userns=keep-id:uid=1000,gid=1000; this maps the host uid to the container uid 1000.

@Luap99 Luap99 closed this as completed May 15, 2023
@ReeSilva
Author

@Luap99 Outstanding. I saw this tip in the troubleshooting docs when I opened the issue, but it wasn't working with this either; maybe another config was wrong. Really, really, thanks for that. I'll test it later on Windows and Linux as well, but it will probably work there as well.

@x2x4com

x2x4com commented Jul 25, 2023

On Intel macOS 12.6.2, adding --userns=keep-id:uid=${UID} works.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Oct 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 24, 2023