Problem with uids and permissions

[Joerg-L]

Description
We want to use Podman for running, in example, Atlassian Bitbucket.

Important thing: this application is not running as root insider the container

To do that, we are using follwing command
podman run -v /home/bitbucket/application-data/bitbucket:/var/atlassian/application-data/bitbucket:Z --name="bitbucket" -d -p 7990:7990 -p 7999:7999 atlassian/bitbucket

The folder on host has following owner/permissions before the container is started
drwxr-x---. 2 bitbucket bitbucket 4096 Jan 21 12:15 bitbucket

After the application is started, we see following on the folder
drwx------. 4 495218 495218 4096 Jan 21 12:24 bitbucket

The uid/gid 495218 is almost clear as

• insider the container, the uid/gid is 2003
• host /etc/subuid says bitbucket:493216:65536
• host /etc/subgid says bitbucket:493216:65536

As "expected" I can't access the folder, UID/GID on host is 1024.
But for

• creating backups
• read log files, others then stdout

I need to access the folder content.

What I want to know is, how can I ensure that the access on the folder from host and container is possible?
Thanks a lot

Output of `podman info:

podman info
host:
  arch: amd64
  buildahVersion: 1.22.3
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.29-1.module+el8.5.0+12582+56d94c81.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: 0f5bee61b18d4581668e5bf18b910cda3cff5081'
  cpus: 2
  distribution:
    distribution: '"rhel"'
    version: "8.3"
  eventLogger: file
  hostname: *************
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1024
      size: 1
    - container_id: 1
      host_id: 493216
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1024
      size: 1
    - container_id: 1
      host_id: 493216
      size: 65536
  kernel: 4.18.0-240.el8.x86_64
  linkmode: dynamic
  memFree: 115658752
  memTotal: 3889594368
  ociRuntime:
    name: runc
    package: runc-1.0.2-1.module+el8.5.0+12582+56d94c81.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.2
      spec: 1.0.2-dev
      go: go1.16.7
      libseccomp: 2.5.1
  os: linux
  remoteSocket:
    path: /run/user/1024/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.8-1.module+el8.5.0+12582+56d94c81.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 3955224576
  swapTotal: 4194299904
  uptime: 72h 36m 50.35s (Approximately 3.00 days)
registries:
  ***************************:18079:
    Blocked: false
    Insecure: true
    Location: ***************************:18079
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: ***************************:18079
  search:
  - ***************************:18079
store:
  configFile: /home/bitbucket/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.7.1-1.module+el8.5.0+12582+56d94c81.x86_64
      Version: |-
        fusermount3 version: 3.2.1
        fuse-overlayfs: version 1.7.1
        FUSE library version 3.2.1
        using FUSE kernel interface version 7.26
  graphRoot: /home/bitbucket/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 5
  runRoot: /run/user/1024/containers
  volumePath: /home/bitbucket/.local/share/containers/storage/volumes
version:
  APIVersion: 3.3.1
  Built: 1632213702
  BuiltTime: Tue Sep 21 10:41:42 2021
  GitCommit: ""
  GoVersion: go1.16.7
  OsArch: linux/amd64
  Version: 3.3.1

[giuseppe]

I think podman unshare could be helpful.

It runs a shell inside the rootless Podman user namespace, so it runs as root (inside the user namespace) and you have access to all the files created/owned by rootless containers

[giuseppe]

i.e. podman unshare ls /home/bitbucket/application-data/bitbucket should show the files

[Joerg-L]

@giuseppe

podman unshare

I agree that with podman unshare ls -l ./application-data/bitbucket
I can take a look at the folder like you can see below

total 44
drwxr-xr-x. 2 2003 2003 4096 Jan 21 12:26 analytics-logs
drwxr-xr-x. 4 2003 2003 4096 Jan 21 12:26 bin
drwxr-xr-x. 6 2003 2003 4096 Jan 21 12:26 caches
-rw-r--r--. 1 2003 2003    1 Jan 21 12:24 docker-app.pid
drwxr-xr-x. 2 2003 2003 4096 Jan 21 12:25 export
-rw-r--r--. 1 2003 2003   67 Jan 21 12:25 home.properties
drwxr-xr-x. 3 2003 2003 4096 Jan 21 12:25 lib
drwxr-xr-x. 3 2003 2003 4096 Jan 21 12:25 log
drwxr-xr-x. 3 2003 2003 4096 Jan 21 12:25 plugins
drwxr-xr-x. 6 2003 2003 4096 Jan 21 12:25 shared
drwxr-xr-x. 6 2003 2003 4096 Jan 21 12:26 tmp

also I was able to use podman unshare cp ./application-data/bitbucket/home.properties /tmp
to copy the file home.properties to /tmp

ls -l /tmp/home.properties
-rw-r--r--. 1 bitbucket bitbucket 67 Jan 21 13:30 /tmp/home.properties

Is that really the one and only way to get access to the content of the folder?

I think also about log monitoring for example. We Use splunk which needs to get access to the log file.

[eriksjolund]

@Joerg-L By using --uidmap and --gidmap the created files will be owned by your normal user.
I tried it out and it seems to work:

$ subuidSize=$(echo $(( $(podman info --format "{{ range .Host.IDMappings.UIDMap }}+{{.Size }}{{end }}" ) - 1 )))
$ subgidSize=$(echo $(( $(podman info --format "{{ range .Host.IDMappings.GIDMap }}+{{.Size }}{{end }}" ) - 1 )))
$ mkdir dir1
$ uid=2003; gid=2003; podman run --rm -v ./dir1:/var/atlassian/application-data/bitbucket:Z  --user $uid:$gid \
  --uidmap $uid:0:1 \
  --uidmap 0:1:$uid \
  --uidmap $(($uid+1)):$(($uid+1)):$(($subuidSize-$uid)) \
  --gidmap $gid:0:1 \
  --gidmap 0:1:$gid \
  --gidmap $(($gid+1)):$(($gid+1)):$(($subgidSize-$gid)) --name="bitbucket" -d -p 7990:7990 -p 7999:7999 atlassian/bitbucket
024940b17cefa4bf083b8853656a23e1e50b441dece8fa086fe43e8de564b34f
$ # Go to http://localhost:7090 and do some clicking in the web interface 
$ # I registered a Atlassian license but I don't know if that is needed
$ id -un
test29
$ ls -ltr dir1
drwxr-xr-x. 2 test29 test29    6 Jan 21 13:22 export
drwxr-xr-x. 3 test29 test29   25 Jan 21 13:22 plugins
drwxr-xr-x. 3 test29 test29   20 Jan 21 13:22 lib
drwxr-xr-x. 4 test29 test29   42 Jan 21 13:22 bin
drwxr-xr-x. 6 test29 test29   91 Jan 21 13:22 tmp
drwxr-xr-x. 2 test29 test29  103 Jan 21 13:23 analytics-logs
drwxr-xr-x. 6 test29 test29   67 Jan 21 13:23 caches
drwxr-xr-x. 4 test29 test29 4096 Jan 21 13:23 log
drwxr-xr-x. 6 test29 test29   74 Jan 21 13:32 shared
$

Regarding the use of UID and GID 2003 I wrote something here
https://stackoverflow.com/a/70774211/757777

[jwcard]

is this possible to be generalized? This solution seems to depend on the preserving the invoking user's UID, but what if I don't necessarily care about the runner's UID but I want another UID:GID pair to be preserved? Lets say I have 2 or more containers running and I want each of them to write to the hosts nobody:nobody (or whatever)?

Or perhaps I am missing something and this doesn't depend on the runner's UID:GID?

[eriksjolund]

is this possible to be generalized?

Yes, try the newer syntax

--uidmap=+${container_uid}:@${host_uid} --gidmap=+${container_gid}:@${host_gid}

(Note the + and @ used in the syntax)

Search for Rootless mapping of additional host GIDs in
https://docs.podman.io/en/latest/markdown/podman-run.1.html#uidmap-flags-container-uid-from-uid-amount

[eriksjolund]

I accidentally added

--user $uid:$gid

It works without it too.

[Joerg-L]

Many thanks @eriksjolund that's really helpfull and work fine.
so I dont' have to find any workaround for monitoring logs and so on.

correct me please, if I'm wrong, but I can also put that mapping into storage.conf related to
remap-uids and remap-gids isn't it?

[eriksjolund]

I see an option related to remapping UIDs in man storage.conf

$ man storage.conf | grep -A2 remap-uids=
       remap-uids="" remap-gids=""
         Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs.  Additional mapped sets can be listed and  will
       be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container.
$ 

but we made use of a mapping to treat UID 2003 and GID 2003 in a special way. That is very specific to this container image so it should probably be specified on the command-line.

I wonder if it would make sense to abbreviate this style of mapping:

  --uidmap $uid:0:1 \
  --uidmap 0:1:$uid \
  --uidmap $(($uid+1)):$(($uid+1)):$(($subuidSize-$uid)) \
  --gidmap $gid:0:1 \
  --gidmap 0:1:$gid \
  --gidmap $(($gid+1)):$(($gid+1)):$(($subgidSize-$gid))

into a new command-line option (name? maybe --mapped-user=$uid:$gid or something else).

[Joerg-L]

into a new command-line option (name? maybe --mapped-user=$uid:$gid or something else).

That would make things definetly easier.....

We found our way to podman, comming from docker, to getting rootless.
It was a please to see that "container root to host usder" mapping works find out of the box.

Getting aware of that issue, if files in container, which were not create bei container root, needs such "big" logic was really surprising.

[eriksjolund]

Theoretically Podman could check after the container has finished executing that there are no files owned by subordinate UIDs in any of the bind-mounted directories. If Podman would only find such files, Podman could automatically compute the $uid and $gid value for --mapped-user= and suggest it to the user. (Just a wild idea, probably a bit too wild)

[giuseppe]

Could you try if --userns keep-id would work for you?

Outside of the user namespace your user has no capabilities and doesn't have access to files readable only to other users. podman unshare gives you back these capabilities and control over the additional IDs

[eriksjolund]

--userns keep-id worked too!

$ id -un
test29
$ mkdir dir1
$ podman run --rm -v ./dir1:/var/atlassian/application-data/bitbucket:Z \
             --userns keep-id --name "bitbucket" \
             -d -p 7990:7990 -p 7999:7999 atlassian/bitbucket
0e6d147ea248682eb6c3b526cc87c2a884a36828ae3587b41a26e363c7b128b3
$ ls -l dir1
total 8
drwxr-xr-x. 2 test29 test29   6 Jan 21 19:23 bin
drwxr-xr-x. 2 test29 test29   6 Jan 21 19:23 caches
-rw-r--r--. 1 test29 test29   1 Jan 21 19:23 docker-app.pid
drwxr-xr-x. 2 test29 test29   6 Jan 21 19:23 export
-rw-r--r--. 1 test29 test29  67 Jan 21 19:23 home.properties
drwxr-xr-x. 3 test29 test29  20 Jan 21 19:23 lib
drwxr-xr-x. 2 test29 test29 189 Jan 21 19:23 log
drwxr-xr-x. 3 test29 test29  25 Jan 21 19:23 plugins
drwxr-xr-x. 6 test29 test29  61 Jan 21 19:23 shared
drwxr-xr-x. 4 test29 test29  59 Jan 21 19:23 tmp
$

[Joerg-L]

I agree, seems that this seeting will also work.

How ever on the logs following message is visible

Bitbucket is being run with a umask that contains potentially unsafe settings.
The following issues were found with the mask "u=rwx,g=rx,o=rx" (0022):

• Access is allowed to 'others'. It is recommended that 'others' be denied
  all access for security reasons.
  The recommended umask for Bitbucket is "u=,g=w,o=rwx" (0027) and can be
  configured in _start-webapp.sh

this seems to be more info/warning, no error.

[rhatdan]

This feels like a discussion rather then an issue.

[Joerg-L]

@eriksjolund @giuseppe
Thanks you both for your greate help.

On more question on that:

Can this be also used together with a pod?
So having a pod with 2 containers in and containerspecific mappings of the ID stuff?

So for clarification:
When running Bitbucket in a container, the use of an external Elasticsearch instance is highly recommended.
When running both containers individual, I can't use http://localhost:9200 to access the elastic-container from the bitbucket container.
I need to user http://IP:9200 which works fine, but entering an IP isn't the best solution I would think, especially as this configuration can be passed to the container bei environment variables.

[Joerg-L]

I have try to use that

podman pod create -n pod_bitbucket --userns=keep-id --infra-image=google/pause       
Error: unknown flag: --userns

Or do I need to set it, when adding the containers to the pod?

[giuseppe]

what version of podman are you using?

$ podman pod create --help | grep userns
      --userns string                 User namespace to use
$ podman --version
podman version 3.4.4

[Joerg-L]

We have Podman 3.3.1 on an Red Hat Enterprise Linux Release 8.3

[rhatdan]

You should get podman 3.4.4 by end of week, I believe, in RHEL 8.5.0.2

[Joerg-L]

Releasing RHEL 8.5.0.2 from Red Hat is one thing, getting it running anoher.
My local machines are in a manged service environment and amt 8.3 is the max. available verison...

We will see...
Thanks