How to allow a container to access files of some host group? Permission problem. #24379

parametalol · 2024-10-26T11:46:50Z

parametalol
Oct 26, 2024

Hi,

The Problem

The photoprism host user (UID 1002) belongs to photoprism (GID 1007) and home (GID 1004) groups

/home/Photos has g+rwx and have home as group:

  $ ls -nd /home/Photos/
  drwxrwsr-x. 9 1000 1004 4096 Oct 24 21:09 /home/Photos/

/etc/subgid content (there's no home):
```
  ...
  photoprism:524288:65536
```

I want to run a container as the photoprism user so that it has access to the photos, but the second group (home) is not getting mapped:

  $ podman run --rm -ti -v /home/Photos:/photos --group-add keep-groups busybox sh
  / # id
  uid=0(root) gid=0(root) groups=65534(nobody),0(root)

What I tried

searched the internet and other discussions (e.g. Map multiple users inside container #23276), talked to ChatGPT
disabled SELinux
various --gidmap combinations
--group-entry home:x:1004:root
altering /etc/subgid, following podman system migrate

Nothing worked.

Please help!

Answered by parametalol

Oct 27, 2024

Solution

Add another mapping to /etc/subgid for the extra group:
```
 ...
 photoprism:1004:1
 photoprism:524288:65536
```

Run the container with:

 --group-add 1004             // add the root user to group 1004 inside the container
 --gidmap '+g1004:@1004'      // add mapping of the container group 1004 to the host 1004 group
 --security-opt label=disable // disable SELinux labeling for the container :(

Same but for the docker-compose file:

services:
  photoprism:
    security_opt:
      - label:disable
    group_add:
      - 1004
    x-podman.gidmap:
      - "+g1004:@1004"

View full answer

parametalol · 2024-10-26T12:52:07Z

parametalol
Oct 26, 2024
Author

Examples of my tries:

photoprism@home$ podman run --rm -ti -v /home/Photos:/photos --group-add keep-groups --gidmap 'g0:1007,g1004:1004' busybox sh
WARN[0000] Additional gid=10 is not present in the user namespace, skip setting it 
/ # id
uid=0(root) gid=0(root) groups=65534(nobody),65534(nobody)

photoprism@home$ podman run --rm -ti -v /home/Photos:/photos --group-add keep-groups --gidmap 'g524388:1004,g524288:1007' busybox sh
Error: creating container storage: creating an ID-mapped copy of layer "58f32e9504c8eb248292326a1975174b0560f7a3ad1b75880b9571c4eb7144a0": creating copy of template layer "58f32e9504c8eb248292326a1975174b0560f7a3ad1b75880b9571c4eb7144a0" with ID "c365f1dcf9b1c6402879df78f86896959d5632b9ecb1a604897b0082aeabc729": container ID 0 cannot be mapped to a host ID

0 replies

parametalol · 2024-10-27T13:23:36Z

parametalol
Oct 27, 2024
Author

Solution

Add another mapping to /etc/subgid for the extra group:
```
 ...
 photoprism:1004:1
 photoprism:524288:65536
```

Run the container with:

 --group-add 1004             // add the root user to group 1004 inside the container
 --gidmap '+g1004:@1004'      // add mapping of the container group 1004 to the host 1004 group
 --security-opt label=disable // disable SELinux labeling for the container :(

Same but for the docker-compose file:

services:
  photoprism:
    security_opt:
      - label:disable
    group_add:
      - 1004
    x-podman.gidmap:
      - "+g1004:@1004"

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to allow a container to access files of some host group? Permission problem. #24379

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments

{{title}}

{{title}}

Select a reply

How to allow a container to access files of some host group? Permission problem. #24379

parametalol Oct 26, 2024

The Problem

What I tried

Solution

Replies: 2 comments

parametalol Oct 26, 2024 Author

parametalol Oct 27, 2024 Author

Solution

parametalol
Oct 26, 2024

parametalol
Oct 26, 2024
Author

parametalol
Oct 27, 2024
Author