
Named volume incorrectly mapped with any userns option but "" #23347

Closed
mfontana-elem opened this issue Jul 19, 2024 · 13 comments · Fixed by #23977
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@mfontana-elem

mfontana-elem commented Jul 19, 2024

Issue Description

I am running rootless podman. If I run with any option but "" for userns then, whenever I try to mount a volume on a rootless image at a mount point created during build, the ownership of the directory get corrupted. In particular, I see UID=GID=999.

Steps to reproduce the issue

  1. Make a minimal Dockerfile that creates a non-root user and a directory inside his $HOME
FROM alpine AS test-image

RUN adduser -D test-user

USER test-user

RUN mkdir /home/test-user/test-dir

CMD [ "/bin/sh" ]
  2. Create an image from it
$ podman build -t test-image .
  3. Run the container mounting a named volume and see its ownership
$ podman run --rm -it -v test-volume:/home/test-user/test-dir test-image ls -ln /home/test-user
total 4
drwxr-sr-x    2 1000     1000          4096 Jul 19 18:31 test-dir
  4. Re-run using any userns option, and get uid=999,gid=999
$ podman volume rm test-volume && podman run --rm -it --userns=keep-id -v test-volume:/home/test-user/test-dir test-image ls -ln /home/test-user
total 4
drwxr-sr-x    2 999     999          4096 Jul 19 18:31 test-dir

Describe the results you received

I get ownership 999 for the volume's UID.

Describe the results you expected

I would expect to get 1000 for the volume's UID.

podman info output

host:
  arch: amd64
  buildahVersion: 1.37.0-dev
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 87.42
    systemPercent: 2.51
    userPercent: 10.07
  cpus: 8
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: workstation
    version: "40"
  eventLogger: journald
  freeLocks: 2038
  hostname: someuser-laptop
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.9.6-200.fc40.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 678354944
  memTotal: 16442929152
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.11.0-1.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.11.0
    package: netavark-1.11.0-1.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.11.0
  ociRuntime:
    name: crun
    package: crun-1.15-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.15
      commit: e6eacaf4034e84185fd8780ac9262bbf57082278
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240624.g1ee2eca-1.fc40.x86_64
    version: |
      pasta 0^20240624.g1ee2eca-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-2.fc40.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 9933959168
  swapTotal: 21474828288
  uptime: 435h 23m 40.00s (Approximately 18.12 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/someuser/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/someuser/.local/share/containers/storage
  graphRootAllocated: 314163765248
  graphRootUsed: 187244351488
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 106
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/someuser/.local/share/containers/storage/volumes
version:
  APIVersion: 5.2.0-dev-5e47444a9
  Built: 1721347200
  BuiltTime: Fri Jul 19 02:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.5
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.0-dev-5e47444a9

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional information

I still get confused about ns mapping, as you might realize. But I would think this is not the expected behavior, otherwise it would be impossible (or I cannot see how it would be done) to have both bind mounts and volume mounts, in the case that the volume mount overrides something previously written during build, for the same container.

@mfontana-elem mfontana-elem added the kind/bug Categorizes issue or PR as related to a bug. label Jul 19, 2024
@mheon
Member

mheon commented Jul 22, 2024

I can't replicate on my system - UID 1000 for both volumes, which is what I would expect. Is there something unusual about your environment, or your Podman package (I note you're using a -dev development branch build)?

@mfontana-elem
Author

mfontana-elem commented Jul 22, 2024

Is there something unusual about your environment, or your Podman package (I note you're using a -dev development branch build)?

Not really. I installed the latest version from a COPR for quick retest, but I originally stumbled into the issue (and downgraded after reporting) on a vanilla Fedora 40 installation from repos (upgraded from a previous Fedora 40 installation).

One thing I forgot to mention is that the problem is gone if I don't create the directory (nor declare a VOLUME) in the Dockerfile.

Is there anything you would like me to try? I could try to replicate at home using a fresh installation of Fedora 41 (or even a bootable image).

@mfontana-elem
Author

mfontana-elem commented Jul 23, 2024

I checked in a fresh Fedora 40 installation and the problem persists. If I mount another volume whose mountpoint was not created during build, it works as expected.

$ podman volume rm test-volume test-volume2 && podman run --rm -it --userns=keep-id -v test-volume:/home/test-user/ -v test-volume2:/home/test-user/test-dir2 test-image ls -ln /home/test-user
drwxr-sr-x    2  999      999          4096 Jul 19 18:31 test-dir
drwxr-sr-x    2 1000     1000          4096 Jul 19 18:31 test-dir2

@mheon
Member

mheon commented Jul 23, 2024

What is the UID of the user running Podman?

@mfontana-elem
Author

UID=GID=1000 the only non-root, non-service user in the system.


A friendly reminder that this issue had no activity for 30 days.

@mmguero

mmguero commented Sep 11, 2024

Just stumbled across this, same thing happening to me. Trying to run via podman compose with userns_mode: keep-id. Only the VOLUME-declared paths have 999 ownership.

@rhatdan
Member

rhatdan commented Sep 12, 2024

podman compose either executes podman-compose or docker compose.

Which one are you using? If podman-compose, please open the issue there.

If you can get this issue to happen with standard podman or podman-remote that would help us diagnose the issue much easier.

@mmguero

mmguero commented Sep 12, 2024

>>>> Executing external compose provider "/usr/libexec/docker/cli-plugins/docker-compose". Please refer to the documentation for details. <<<<

So I'm using podman compose with the docker compose plugin provider. I'll see about getting it to happen without compose in the mix at all.

@mmguero

mmguero commented Sep 12, 2024

Here's an example that's just pure podman:

FROM debian:12-slim

ARG DEFAULT_UID=1000
ARG DEFAULT_GID=1000
ENV DEFAULT_UID $DEFAULT_UID
ENV DEFAULT_GID $DEFAULT_GID
ENV PUSER "phteven"
ENV PGROUP "phteven"
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm

USER root

ENV VOLUME_DIR "/myvol"

RUN apt-get -q update && \
    apt-get -y -q --no-install-recommends upgrade && \
    apt-get install --no-install-recommends -y -q tini && \
    groupadd --gid ${DEFAULT_GID} ${PGROUP} && \
      useradd -m --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER} && \
      usermod -a -G tty ${PUSER} && \
    mkdir -p "${VOLUME_DIR}" && \
    chown -R ${PUSER}:${PGROUP} "${VOLUME_DIR}" && \
    chmod 750 "${VOLUME_DIR}" && \
  apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages autoremove && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/*

VOLUME ["$VOLUME_DIR"]

ENTRYPOINT ["/usr/bin/tini"]

CMD ["/usr/bin/sleep", "infinity"]
$ podman build -t=podvol .
...
Successfully tagged localhost/podvol:latest

$ podman run --detach --rm --userns keep-id --name podvol podvol
ab74fbb8ac0d85b888675b15b78227e195f60a6a1d6151bcbeca5286aeb0dac7

$ podman exec -i -t podvol bash

root@ab74fbb8ac0d:/# ls -l / | grep myvol
drwxr-x---   2    999     999   6 Sep 12 20:20 myvol

root@ab74fbb8ac0d:/# id 1000
uid=1000(phteven) gid=1000(phteven) groups=1000(phteven),5(tty)

root@ab74fbb8ac0d:/# id 0
uid=0(root) gid=0(root) groups=0(root)

root@ab74fbb8ac0d:/# id 999
id: '999': no such user

Now, if I do the exact same thing only take out the VOLUME line from the Dockerfile:

$ podman exec -i -t podvol bash

root@9a24faf00890:/# ls -l / | grep myvol
drwxr-x---   1 phteven phteven   6 Sep 12 20:20 myvol

See how in the first case, /myvol is owned by 999:999 and in the second case it's owned by the user.

My podman info:

host:
  arch: amd64
  buildahVersion: 1.37.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_100:2.1.12-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: e21e7c85b7637e622f21c57675bf1154fc8b1866'
  cpuUtilization:
    idlePercent: 83.67
    systemPercent: 1.66
    userPercent: 14.67
  cpus: 20
  databaseBackend: sqlite
  distribution:
    codename: bookworm
    distribution: debian
    version: "12"
  eventLogger: journald
  freeLocks: 1943
  hostname: myhost
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.1.0-25-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 4221894656
  memTotal: 67341971456
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: podman-aardvark-dns_100:1.12.2-1_amd64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: podman-netavark_100:1.12.2-1_amd64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: crun_100:1.17-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.17
      commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt_100:0.0+20240906.6b38f072-1_amd64
    version: |
      pasta 0.0+20240906.6b38f072
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_100:1.3.1-1_amd64
    version: |-
      slirp4netns version 1.3.1
      commit: unknown
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 14921756672
  swapTotal: 16000217088
  uptime: 6h 46m 14.00s (Approximately 0.25 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - ghcr.io
  - docker.io
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 26
    paused: 0
    running: 26
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/user/.local/share/containers/storage
  graphRootAllocated: 927755685888
  graphRootUsed: 415384002560
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 124
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/user/.local/share/containers/storage/volumes
version:
  APIVersion: 5.2.2
  Built: 0
  BuiltTime: Wed Dec 31 17:00:00 1969
  GitCommit: ""
  GoVersion: go1.23.1
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.2

The podman inspect output for that container:

[
     {
          "Id": "9a24faf008906487c24b43be9f888535be10fc965c1205ffb6a30e9052e30825",
          "Created": "2024-09-12T14:28:03.340036788-06:00",
          "Path": "/usr/bin/tini",
          "Args": [
               "/usr/bin/sleep",
               "infinity"
          ],
          "State": {
               "OciVersion": "1.2.0",
               "Status": "running",
               "Running": true,
               "Paused": false,
               "Restarting": false,
               "OOMKilled": false,
               "Dead": false,
               "Pid": 1154072,
               "ConmonPid": 1154068,
               "ExitCode": 0,
               "Error": "",
               "StartedAt": "2024-09-12T14:28:04.955111588-06:00",
               "FinishedAt": "0001-01-01T00:00:00Z",
               "CgroupPath": "/user.slice/user-1000.slice/[email protected]/user.slice/libpod-9a24faf008906487c24b43be9f888535be10fc965c1205ffb6a30e9052e30825.scope",
               "CheckpointedAt": "0001-01-01T00:00:00Z",
               "RestoredAt": "0001-01-01T00:00:00Z"
          },
          "Image": "a0c7c5da2e498931804d7f3cbed370199bc660eb6d24d32f7422f581116fd611",
          "ImageDigest": "sha256:065bf7d411fe913f00eadfd2f445d57b309640165803bc2fccbdcbbce0b6adf5",
          "ImageName": "localhost/podvol:latest",
          "Rootfs": "",
          "Pod": "",
          "ResolvConfPath": "/run/user/1000/containers/overlay-containers/9a24faf008906487c24b43be9f888535be10fc965c1205ffb6a30e9052e30825/userdata/resolv.conf",
          "HostnamePath": "/run/user/1000/containers/overlay-containers/9a24faf008906487c24b43be9f888535be10fc965c1205ffb6a30e9052e30825/userdata/hostname",
          "HostsPath": "/run/user/1000/containers/overlay-containers/9a24faf008906487c24b43be9f888535be10fc965c1205ffb6a30e9052e30825/userdata/hosts",
          "StaticDir": "/home/user/.local/share/containers/storage/overlay-containers/9a24faf008906487c24b43be9f888535be10fc965c1205ffb6a30e9052e30825/userdata",
          "OCIConfigPath": "/home/user/.local/share/containers/storage/overlay-containers/9a24faf008906487c24b43be9f888535be10fc965c1205ffb6a30e9052e30825/userdata/config.json",
          "OCIRuntime": "crun",
          "ConmonPidFile": "/run/user/1000/containers/overlay-containers/9a24faf008906487c24b43be9f888535be10fc965c1205ffb6a30e9052e30825/userdata/conmon.pid",
          "PidFile": "/run/user/1000/containers/overlay-containers/9a24faf008906487c24b43be9f888535be10fc965c1205ffb6a30e9052e30825/userdata/pidfile",
          "Name": "podvol",
          "RestartCount": 0,
          "Driver": "overlay",
          "MountLabel": "",
          "ProcessLabel": "",
          "AppArmorProfile": "",
          "EffectiveCaps": [
               "CAP_AUDIT_WRITE",
               "CAP_CHOWN",
               "CAP_DAC_OVERRIDE",
               "CAP_FOWNER",
               "CAP_FSETID",
               "CAP_KILL",
               "CAP_MKNOD",
               "CAP_NET_BIND_SERVICE",
               "CAP_NET_RAW",
               "CAP_SETFCAP",
               "CAP_SETGID",
               "CAP_SETPCAP",
               "CAP_SETUID",
               "CAP_SYS_CHROOT"
          ],
          "BoundingCaps": [
               "CAP_AUDIT_WRITE",
               "CAP_CHOWN",
               "CAP_DAC_OVERRIDE",
               "CAP_FOWNER",
               "CAP_FSETID",
               "CAP_KILL",
               "CAP_MKNOD",
               "CAP_NET_BIND_SERVICE",
               "CAP_NET_RAW",
               "CAP_SETFCAP",
               "CAP_SETGID",
               "CAP_SETPCAP",
               "CAP_SETUID",
               "CAP_SYS_CHROOT"
          ],
          "ExecIDs": [
               "65db4c33363574f7adefddce265b10b85fbfaf17c915848cb0a3c9ba7023924f"
          ],
          "GraphDriver": {
               "Name": "overlay",
               "Data": {
                    "LowerDir": "/home/user/.local/share/containers/storage/overlay/574e22e973fe0b3eb7acf1af8a1b1e57c708b8754d00b2ab50ecfe3cb818aa10/diff:/home/user/.local/share/containers/storage/overlay/e42396fe03bead4cf365f2d1cc8c4c53b21f21da99d2168eb93601896fabe080/diff:/home/user/.local/share/containers/storage/overlay/9853575bc4f955c5892dd64187538a6cd02dba6968eba9201854876a7a257034/diff",
                    "MergedDir": "/home/user/.local/share/containers/storage/overlay/e86b00bda00dc66db8e4980691d297cbad1e02a140b7db1f6df8fc205b894c8d/merged",
                    "UpperDir": "/home/user/.local/share/containers/storage/overlay/e86b00bda00dc66db8e4980691d297cbad1e02a140b7db1f6df8fc205b894c8d/diff",
                    "WorkDir": "/home/user/.local/share/containers/storage/overlay/e86b00bda00dc66db8e4980691d297cbad1e02a140b7db1f6df8fc205b894c8d/work"
               }
          },
          "Mounts": [],
          "Dependencies": [],
          "NetworkSettings": {
               "EndpointID": "",
               "Gateway": "",
               "IPAddress": "",
               "IPPrefixLen": 0,
               "IPv6Gateway": "",
               "GlobalIPv6Address": "",
               "GlobalIPv6PrefixLen": 0,
               "MacAddress": "",
               "Bridge": "",
               "SandboxID": "",
               "HairpinMode": false,
               "LinkLocalIPv6Address": "",
               "LinkLocalIPv6PrefixLen": 0,
               "Ports": {},
               "SandboxKey": "/run/user/1000/netns/netns-a6a9c06e-ef43-75dd-5c8d-20a6c41db7cb"
          },
          "Namespace": "",
          "IsInfra": false,
          "IsService": false,
          "KubeExitCodePropagation": "invalid",
          "lockNumber": 104,
          "Config": {
               "Hostname": "9a24faf00890",
               "Domainname": "",
               "User": "root",
               "AttachStdin": false,
               "AttachStdout": false,
               "AttachStderr": false,
               "Tty": false,
               "OpenStdin": false,
               "StdinOnce": false,
               "Env": [
                    "container=podman",
                    "PGROUP=phteven",
                    "DEBIAN_FRONTEND=noninteractive",
                    "VOLUME_DIR=/myvol",
                    "DEFAULT_UID=1000",
                    "PUSER=phteven",
                    "DEFAULT_GID=1000",
                    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                    "TERM=xterm",
                    "HOME=/root",
                    "HOSTNAME=9a24faf00890"
               ],
               "Cmd": [
                    "/usr/bin/sleep",
                    "infinity"
               ],
               "Image": "localhost/podvol:latest",
               "Volumes": null,
               "WorkingDir": "/",
               "Entrypoint": [
                    "/usr/bin/tini"
               ],
               "OnBuild": null,
               "Labels": {
                    "io.buildah.version": "1.37.2"
               },
               "Annotations": {
                    "io.container.manager": "libpod",
                    "io.podman.annotations.autoremove": "TRUE",
                    "org.opencontainers.image.stopSignal": "15",
                    "org.systemd.property.KillSignal": "15",
                    "org.systemd.property.TimeoutStopUSec": "uint64 10000000"
               },
               "StopSignal": "SIGTERM",
               "HealthcheckOnFailureAction": "none",
               "CreateCommand": [
                    "podman",
                    "run",
                    "--detach",
                    "--rm",
                    "--userns",
                    "keep-id",
                    "--name",
                    "podvol",
                    "podvol"
               ],
               "Umask": "0022",
               "Timeout": 0,
               "StopTimeout": 10,
               "Passwd": true,
               "sdNotifyMode": "container"
          },
          "HostConfig": {
               "Binds": [],
               "CgroupManager": "systemd",
               "CgroupMode": "private",
               "ContainerIDFile": "",
               "LogConfig": {
                    "Type": "journald",
                    "Config": null,
                    "Path": "",
                    "Tag": "",
                    "Size": "0B"
               },
               "NetworkMode": "pasta",
               "PortBindings": {},
               "RestartPolicy": {
                    "Name": "no",
                    "MaximumRetryCount": 0
               },
               "AutoRemove": true,
               "Annotations": {
                    "io.container.manager": "libpod",
                    "io.podman.annotations.autoremove": "TRUE",
                    "org.opencontainers.image.stopSignal": "15",
                    "org.systemd.property.KillSignal": "15",
                    "org.systemd.property.TimeoutStopUSec": "uint64 10000000"
               },
               "VolumeDriver": "",
               "VolumesFrom": null,
               "CapAdd": [],
               "CapDrop": [],
               "Dns": [],
               "DnsOptions": [],
               "DnsSearch": [],
               "ExtraHosts": [],
               "GroupAdd": [],
               "IpcMode": "shareable",
               "Cgroup": "",
               "Cgroups": "default",
               "Links": null,
               "OomScoreAdj": 0,
               "PidMode": "private",
               "Privileged": false,
               "PublishAllPorts": false,
               "ReadonlyRootfs": false,
               "SecurityOpt": [],
               "Tmpfs": {},
               "UTSMode": "private",
               "UsernsMode": "private",
               "IDMappings": {
                    "UidMap": [
                         "0:1:1000",
                         "1000:0:1",
                         "1001:1001:64536"
                    ],
                    "GidMap": [
                         "0:1:1000",
                         "1000:0:1",
                         "1001:1001:64536"
                    ]
               },
               "ShmSize": 65536000,
               "Runtime": "oci",
               "ConsoleSize": [
                    0,
                    0
               ],
               "Isolation": "",
               "CpuShares": 0,
               "Memory": 0,
               "NanoCpus": 0,
               "CgroupParent": "user.slice",
               "BlkioWeight": 0,
               "BlkioWeightDevice": null,
               "BlkioDeviceReadBps": null,
               "BlkioDeviceWriteBps": null,
               "BlkioDeviceReadIOps": null,
               "BlkioDeviceWriteIOps": null,
               "CpuPeriod": 0,
               "CpuQuota": 0,
               "CpuRealtimePeriod": 0,
               "CpuRealtimeRuntime": 0,
               "CpusetCpus": "",
               "CpusetMems": "",
               "Devices": [],
               "DiskQuota": 0,
               "KernelMemory": 0,
               "MemoryReservation": 0,
               "MemorySwap": 0,
               "MemorySwappiness": 0,
               "OomKillDisable": false,
               "PidsLimit": 2048,
               "Ulimits": [
                    {
                         "Name": "RLIMIT_MEMLOCK",
                         "Soft": 9223372036854775807,
                         "Hard": 9223372036854775807
                    },
                    {
                         "Name": "RLIMIT_NOFILE",
                         "Soft": 65535,
                         "Hard": 65535
                    },
                    {
                         "Name": "RLIMIT_NPROC",
                         "Soft": 262143,
                         "Hard": 524287
                    }
               ],
               "CpuCount": 0,
               "CpuPercent": 0,
               "IOMaximumIOps": 0,
               "IOMaximumBandwidth": 0,
               "CgroupConf": null
          }
     }
]

Is that enough detail?
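The 999 that both reports see follows from the ID map in the inspect output above ("UidMap": "0:1:1000", "1000:0:1", "1001:1001:64536"). The following is an added example, not podman's own code: it translates IDs across such a map in both directions, reading either podman inspect's "container_id:host_id:size" strings or the kernel's /proc/<pid>/uid_map rows. The keep-id map is copied from the inspect output; the identity map for a plain rootless run and the assumption that the build-time directory is stored with owner 1000 on the host side of the map are constructed and labelled as such. Under that assumption the code shows that an on-disk owner of 1000 is displayed as 999 inside a keep-id container, while the container's UID 1000 corresponds to host-side 0 (the rootless user). That reading is mine; it is consistent with the fix's commit message about converting owner UID/GID into the user namespace only for ":idmap" mounts.

```python
"""Translate UIDs/GIDs across a user-namespace ID map (added example, not podman code).

Accepts podman inspect "IDMappings" strings ("container_id:host_id:size") and
kernel /proc/<pid>/uid_map rows ("container_id host_id size"). For a rootless
container the "host" side of the map is the rootless user's own namespace,
where that user is 0 and the subordinate range starts at 1, not the real host.
"""
from typing import List, Optional, Sequence, Tuple

OVERFLOW_ID = 65534  # what the kernel shows for an ID with no mapping (nobody)

Entry = Tuple[int, int, int]  # (container_id, host_id, size)


def parse_map(rows: Sequence[str]) -> List[Entry]:
    """Parse map rows in either "c:h:size" or "c h size" form."""
    entries: List[Entry] = []
    for row in rows:
        fields = row.replace(":", " ").split()
        if not fields:
            continue  # blank row
        if len(fields) != 3:
            raise ValueError(f"malformed map row: {row!r}")
        cid, hid, size = (int(f) for f in fields)
        if cid < 0 or hid < 0 or size <= 0:
            raise ValueError(f"invalid map row: {row!r}")
        entries.append((cid, hid, size))
    return entries


def container_to_host(entries: Sequence[Entry], cid: int) -> Optional[int]:
    """Host-side ID that a container-side ID corresponds to, or None if unmapped."""
    for c, h, size in entries:
        if c <= cid < c + size:
            return h + (cid - c)
    return None


def host_to_container(entries: Sequence[Entry], hid: int) -> Optional[int]:
    """ID that a host-side ID is displayed as inside the container, or None."""
    for c, h, size in entries:
        if h <= hid < h + size:
            return c + (hid - h)
    return None


def owner_seen_in_container(entries: Sequence[Entry], on_disk_uid: int) -> int:
    """Owner `ls -ln` prints inside the container for a file whose on-disk owner
    (host side of this map) is on_disk_uid; unmapped IDs show as nobody."""
    seen = host_to_container(entries, on_disk_uid)
    return OVERFLOW_ID if seen is None else seen


# Copied from the podman inspect output in this issue (--userns keep-id, user 1000).
KEEP_ID_UIDMAP = parse_map(["0:1:1000", "1000:0:1", "1001:1001:64536"])

# Constructed: a plain rootless run (no --userns) maps the container 1:1 onto the
# rootless user's namespace, so IDs pass through unchanged.
DEFAULT_UIDMAP = parse_map(["0:0:65536"])

# Assumption: the directory created during the build is stored with owner 1000
# on the host side of the map (the build ran with the identity map above).
BUILD_TIME_OWNER = 1000

if __name__ == "__main__":
    print("default run, owner shown :", owner_seen_in_container(DEFAULT_UIDMAP, BUILD_TIME_OWNER))
    print("keep-id run, owner shown :", owner_seen_in_container(KEEP_ID_UIDMAP, BUILD_TIME_OWNER))
    print("keep-id: container 1000 is host-side", container_to_host(KEEP_ID_UIDMAP, 1000))
    print("keep-id: container 0 is host-side", container_to_host(KEEP_ID_UIDMAP, 0))
```

Read the two directions together: keep-id puts the container's UID 1000 on host-side 0 (the user running podman) and pushes host-side 1000 down to container 999. A volume that inherits the raw on-disk ownership of the build-time directory, without that ownership being translated through the container's own map, therefore appears as 999:999 inside the container, which matches both `ls -ln` listings in this thread. Running `podman unshare cat /proc/self/uid_map` on the host and `cat /proc/self/uid_map` inside a container feeds the same parser if you want to check a real setup.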

@rhatdan
Member

rhatdan commented Sep 12, 2024

@giuseppe PTAL

@mfontana-elem
Author

@mmguero
If you look at the MRE which I left in the first message, you can see it's not really related to whether you have a VOLUME directive in your Dockerfile but rather the fact that podman has to create a volume. It's the same thing if the directive is in the Dockerfile or in the podman run/start command.

The thing leading to the unexpected behavior is using any kind of userns option, except for the null one. Happy to see this thread get more views, it's an important bug, although I would guess it shows under some kind of special circumstance I am not able to narrow down. Otherwise, several more people would have shown up.

@giuseppe
Member

working on a fix in #23977

Luap99 pushed a commit to Luap99/libpod that referenced this issue Sep 23, 2024
convert the owner UID and GID into the user namespace only when
":idmap" mount is used.

This changes the behaviour of :idmap with an empty volume.  Now the
existing directory ownership is copied up as in the other case.

Closes: containers#23347

Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe added a commit to giuseppe/libpod that referenced this issue Nov 18, 2024
convert the owner UID and GID into the user namespace only when
":idmap" mount is used.

This changes the behaviour of :idmap with an empty volume.  Now the
existing directory ownership is copied up as in the other case.

Closes: containers#23347
Closes: https://issues.redhat.com/browse/RHEL-67842

Signed-off-by: Giuseppe Scrivano <[email protected]>
(cherry picked from commit 4323252)
giuseppe added a commit to giuseppe/libpod that referenced this issue Nov 18, 2024
convert the owner UID and GID into the user namespace only when
":idmap" mount is used.

This changes the behaviour of :idmap with an empty volume.  Now the
existing directory ownership is copied up as in the other case.

Closes: containers#23347

Signed-off-by: Giuseppe Scrivano <[email protected]>
(cherry picked from commit 4323252)
giuseppe added a commit to giuseppe/libpod that referenced this issue Nov 18, 2024
convert the owner UID and GID into the user namespace only when
":idmap" mount is used.

This changes the behaviour of :idmap with an empty volume.  Now the
existing directory ownership is copied up as in the other case.

Closes: containers#23347
Closes: https://issues.redhat.com/browse/RHEL-67842

Signed-off-by: Giuseppe Scrivano <[email protected]>
(cherry picked from commit 4323252)
giuseppe added a commit to giuseppe/libpod that referenced this issue Nov 19, 2024
convert the owner UID and GID into the user namespace only when
":idmap" mount is used.

This changes the behaviour of :idmap with an empty volume.  Now the
existing directory ownership is copied up as in the other case.

Closes: containers#23347
Closes: https://issues.redhat.com/browse/RHEL-67842

Signed-off-by: Giuseppe Scrivano <[email protected]>
(cherry picked from commit 4323252)
Signed-off-by: Giuseppe Scrivano <[email protected]>
@stale-locking-app stale-locking-app bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Dec 17, 2024
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Dec 17, 2024
giuseppe added a commit to giuseppe/libpod that referenced this issue Jan 10, 2025
convert the owner UID and GID into the user namespace only when
":idmap" mount is used.

This changes the behaviour of :idmap with an empty volume.  Now the
existing directory ownership is copied up as in the other case.

Closes: containers#23347
Closes: https://issues.redhat.com/browse/RHEL-67842

Signed-off-by: Giuseppe Scrivano <[email protected]>
(cherry picked from commit 4323252)
Signed-off-by: Giuseppe Scrivano <[email protected]>
5 participants