Devices are not mounted inside rootless container and groups are not properly ported

[dozenposture]

Issue Description

I can't mount devices inside a podman container when rootless. I tried the same quadlet file with rootful and I'm able to use mounted devices.

I'm using quadlet and this is the content of the file:

[Unit]
Description=Tdarr container
After=local-fs.target

[Container]
Image=ghcr.io/haveagitgat/tdarr:latest
ContainerName=tdarr
AutoUpdate=registry
Environment=PUID=1002
Environment=PGID=1002
Environment=UMASK=002
Environment=TZ=Europe/Amsterdam
Environment=serverIP=0.0.0.0
Environment=serverPort=8266
Environment=webUIPort=8265
Environment=internalNode=true
Environment=inContainer=true
Environment=ffmpegVersion=6
Environment=nodeName=MyInternalNode
PublishPort=8265:8265
PublishPort=8266:8266
Volume=${CONFIG_DIR}/tdarr/server:/app/server:Z
Volume=${CONFIG_DIR}/tdarr/configs:/app/configs:Z
Volume=${CONFIG_DIR}/tdarr/logs:/app/logs:Z
Volume=${CONFIG_DIR}/tdarr/transcode_cache:/temp:Z
Volume=${DATA_DIR}/test:/media:z
AddDevice=/dev/dri:/dev/dri
#Network=pqsw.network
User=0
UserNS=keep-id
GroupAdd=keep-groups
HealthStartPeriod=1m
HealthCmd=CMD-SHELL curl -f --insecure http://localhost:8265 || exit 1
HealthInterval=30s
HealthRetries=2
HealthOnFailure=kill

[Service]
Restart=on-failure

[Install]
WantedBy=multi-user.target default.target

User podman is member of groups render and video:

podman@host~> groups
podman video render

And this are the devices on the host:

podman@host:~> ls -l /dev/dri
total 0
drwxr-xr-x. 2 root root         80 Jan 11 11:26 by-path
crw-rw----. 1 root video  226,   1 Jan 11 11:26 card1
crw-rw----. 1 root render 226, 128 Jan 11 11:26 renderD128

Steps to reproduce the issue

Steps to reproduce the issue

1. Add user to video and render group
2. Lauch rootles container with GroupAdd=keep-groups directive
3. Run podman inspect tdarr and see no devices are mounted

Describe the results you received

When executing podman inspect tdarr I don't see any device:

...
"CpusetMems": "",
"Devices": [],
"DiskQuota": 0,
...

Moreover, when inspecting the container, I don't see the groups video and render begin ported inside the container:

podman@host:~> podman exec -it tdarr bash
root@afbf943fadda:/# cd /dev/dri/
root@afbf943fadda:/dev/dri# ls -l
total 0
drwxr-xr-x. 2 nobody nogroup       80 Jan 11 11:26 by-path
crw-rw----. 1 nobody nogroup 226,   1 Jan 11 11:26 card1
crw-rw----. 1 nobody nogroup 226, 128 Jan 11 11:26 renderD128

This is how it looks on the host:

podman@host:~> cd /dev/dri
podman@host:/dev/dri> ls -l
total 0
drwxr-xr-x. 2 root root         80 Jan 11 11:26 by-path
crw-rw----. 1 root video  226,   1 Jan 11 11:26 card1
crw-rw----. 1 root render 226, 128 Jan 11 11:26 renderD128

Describe the results you expected

I would expect to have groups video and render inside the container.
I would expect to see devices present when running podman inspect tdarr

When rootful, it looks like this:

"Devices": [
                    {
                         "PathOnHost": "/dev/dri/card1",
                         "PathInContainer": "/dev/dri/card1",
                         "CgroupPermissions": ""
                    },
                    {
                         "PathOnHost": "/dev/dri/renderD128",
                         "PathInContainer": "/dev/dri/renderD128",
                         "CgroupPermissions": ""
                    }
               ],

podman info output

@host:~> podman info
host:
  arch: amd64
  buildahVersion: 1.38.0
  cgroupControllers:
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-1.1.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: unknown'
  cpuUtilization:
    idlePercent: 72.94
    systemPercent: 14.22
    userPercent: 12.83
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: opensuse-tumbleweed
    version: "20250108"
  eventLogger: journald
  freeLocks: 2016
  hostname: host
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1002
      size: 1
    - container_id: 1
      host_id: 231072
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1002
      size: 1
    - container_id: 1
      host_id: 231072
      size: 65536
  kernel: 6.12.8-2-default
  linkmode: dynamic
  logDriver: journald
  memFree: 173830144
  memTotal: 7983931392
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.1.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.1.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19-1.1.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19
      commit: db31c42ac46e20b5527f5339dcbf6f023fcd539c
      rundir: /run/user/1002/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-20241211.09478d5-1.1.x86_64
    version: |
      pasta 20241211.09478d5-1.1
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1002/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 5508030464
  swapTotal: 7983927296
  uptime: 34h 18m 11.00s (Approximately 1.42 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.opensuse.org
  - registry.suse.com
  - docker.io
store:
  configFile: /home/podman/.config/containers/storage.conf
  containerStore:
    number: 28
    paused: 0
    running: 26
    stopped: 2
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/podman/.local/share/containers/storage
  graphRootAllocated: 255522574336
  graphRootUsed: 40699297792
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 26
  runRoot: /run/user/1002/containers
  transientStore: false
  volumePath: /home/podman/.local/share/containers/storage/volumes
version:
  APIVersion: 5.3.1
  Built: 1733485830
  BuiltTime: Fri Dec  6 12:50:30 2024
  GitCommit: ""
  GoVersion: go1.23.4
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.1

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[giuseppe]

I would expect to have groups video and render inside the container.
I would expect to see devices present when running podman inspect tdarr

In an unprivileged user namespace, host GIDs cannot be mapped, unless the user has access to them (i.e. added to /etc/subuid and /etc/subgid). Any files or processes with unmapped GIDs will appear as owned by nobody:nogroup within the namespace.

If your user had access to the devices on the host and the access was granted through groups membership, then it should still have it inside the user namespace with keep-groups.

Can the user access the devices?