Rootful quadlet User and UIDMap overlay mount permission denied

[Rivers47]

I wish to use rootful podman for networking, but the service needs to access bind mount for config and data. For a minimal example:

[Unit]
Description=Testing server

[Container]
ContainerName=container-test
Image=docker.io/library/alpine
Timezone=local
User=1000:1000
UIDMap=1000:1000
Volume=/srv/test:/config

where /srv/test is owned by user 1000. The image in use here is irrelevant I think as it fails before starting.

I take that this means that inside the container the service would be run as user 1000, and outside this is mapped to the same user. Similarly to when using rootless podman setting User=1000 and userns=keep-id

However starting the systemd unit fails with

Oct 27 12:48:10 rivers-server.local systemd[1]: Starting container-test.service - Testing server...
░░ Subject: A start job for unit container-test.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit container-test.service has begun execution.
░░ 
░░ The job identifier is 52901.
Oct 27 12:48:10 rivers-server.local podman[549762]: 2024-10-27 12:48:10.491308266 -0400 EDT m=+0.027216125 container create 0afc27a3d2c2029a9878a1a219c018b2a9931d54b4936d16ac06bc23888648f0 (image=docker.io/library/alpine:latest, name=container-bug, PODMAN_SYSTEMD_UNIT=container-test.service)
Oct 27 12:48:10 rivers-server.local container-test[549762]: time="2024-10-27T12:48:10-04:00" level=error msg="Unmounting /var/lib/containers/storage/overlay/2a600b53bc4e92ae9109c0736d260ee329d98b049715fcd5789a3418c8252f4d/merged: invalid argument"
Oct 27 12:48:10 rivers-server.local podman[549762]: 2024-10-27 12:48:10.50374523 -0400 EDT m=+0.039653099 container remove 0afc27a3d2c2029a9878a1a219c018b2a9931d54b4936d16ac06bc23888648f0 (image=docker.io/library/alpine:latest, name=container-bug, PODMAN_SYSTEMD_UNIT=container-test.service)
Oct 27 12:48:10 rivers-server.local container-test[549762]: Error: mounting storage for container 0afc27a3d2c2029a9878a1a219c018b2a9931d54b4936d16ac06bc23888648f0: creating overlay mount to /var/lib/containers/storage/overlay/2a600b53bc4e92ae9109c0736d260ee329d98b049715fcd5789a3418c8252f4d/merged, mount_data="lowerdir=/var/lib/containers/storage/overlay/2a600b53bc4e92ae9109c0736d260ee329d98b049715fcd5789a3418c8252f4d/mapped/0/l/EA575L6NUBVOZWUDA6YSE7XOWA,upperdir=/var/lib/containers/storage/overlay/2a600b53bc4e92ae9109c0736d260ee329d98b049715fcd5789a3418c8252f4d/diff,workdir=/var/lib/containers/storage/overlay/2a600b53bc4e92ae9109c0736d260ee329d98b049715fcd5789a3418c8252f4d/work,nodev,metacopy=on,volatile": permission denied
Oct 27 12:48:10 rivers-server.local podman[549762]: 2024-10-27 12:48:10.481612226 -0400 EDT m=+0.017520105 image pull 91ef0af61f39ece4d6710e465df5ed6ca12112358344fd51ae6a3b886634148b docker.io/library/alpine
Oct 27 12:48:10 rivers-server.local systemd[1]: container-test.service: Main process exited, code=exited, status=126/n/a
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ An ExecStart= process belonging to unit container-test.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 126.
Oct 27 12:48:10 rivers-server.local systemd[1]: container-test.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit container-test.service has entered the 'failed' state with result 'exit-code'.
Oct 27 12:48:10 rivers-server.local systemd[1]: Failed to start container-test.service - Testing server.
░░ Subject: A start job for unit container-test.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit container-test.service has finished with a failure.
░░ 
░░ The job identifier is 52901 and the job result is failed.

I think this is different from #9642 because they are trying to use the systemd.exec User= but here I think the generated quadlet still runs as root outside of the container?

Is this way of using quadlet correct/supported?

[polarathene]

TL;DR: You probably don't want User at all, and just UIDMap=0:1000 for a rootful Quadlet.

UIDMap vs User

UIDMap is for mapping a container ID to a host ID via /etc/subuid (host config). You only need to do that for a bind mount volume when the container would write that container ID and you want it to be mapped to a different UID on the host.

In your case you're using User which should map to podman run --user 1000:1000, that is like setting the USER directive in the Dockerfile image build, so the container will run with that instead, but that's now a non-root user and thus may not have the same permissions to do things, especially if it would be intended to start a process that expects to be run as root in the container.

That's not an uncommon problem if the container is designed to start as root and switch to a non-root user when it begins. Images like that (say linuxserver.io images with s6) tend to offer ENV like PUID / PGID to configure the desired non-root IDs instead. --user / USER would change the root user that is only temporarily needed during container startup, but if you're only concerned with ownership on an external volume, then UIDMap / --uidmap is better for that.

You're right that this concern shouldn't matter what image you use given your failure output, so in your case let's move on to UIDMap.

---

UIDMap

If you're not familiar with the syntax you have said to take container UID 1000, and map that to the 1001th ID for the host user (running podman) entry in /etc/subuid, or in terms of root the exact offset, the 1001th ID is 1000. For a rootless user that would instead be mapped from their /etc/subuid ID range.

$ mkdir /tmp/example && chmod 777 /tmp/example
$ podman run --rm -itd --name test --uidmap 1000:1000 -v /tmp/example:/tmp/example:Z alpine

ERRO[0000] Unmounting /var/lib/containers/storage/overlay/ce4525d43a53464d1308cd59ce6c1ba9ef9bdd67054a9c1cdfa476fdd5ef7c71/merged: invalid argument
Error: mounting storage for container 9799d648e28cb1acaca4b88ccffca47a7212d6abbb1ecd4b03d5e0d63bfa2974: creating overlay mount to /var/lib/containers/storage/overlay/ce4525d43a53464d1308cd59ce6c1ba9ef9bdd67054a9c1cdfa476fdd5ef7c71/merged, mount_data="lowerdir=/var/lib/containers/storage/overlay/ce4525d43a53464d1308cd59ce6c1ba9ef9bdd67054a9c1cdfa476fdd5ef7c71/mapped/0/l/26CB7USPA5EZZVKE2JAXQYT56Y,upperdir=/var/lib/containers/storage/overlay/ce4525d43a53464d1308cd59ce6c1ba9ef9bdd67054a9c1cdfa476fdd5ef7c71/diff,workdir=/var/lib/containers/storage/overlay/ce4525d43a53464d1308cd59ce6c1ba9ef9bdd67054a9c1cdfa476fdd5ef7c71/work,nodev,metacopy=on,volatile,context=\"system_u:object_r:container_file_t:s0:c107,c445\"": permission denied

Looks like a SELinux issue in this case, although I seem to get that even with setenforce 0 🤔

The error you get is not particularly helpful, but AFAIK it's about the need to always have a mapping entry for container root. On a rootless user you'd get this instead:

# :Z for the volume here is for SELinux specifically, to avoid permission errors:
$ podman run --rm -it --uidmap '1000:1000' -v /tmp/example:/tmp/example:Z alpine
Error: container uses ID mappings ([]specs.LinuxIDMapping{specs.LinuxIDMapping{ContainerID:0x1, HostID:0x0, Size:0x1}}), but doesn't map UID 0

Here's an example to illustrate mapping root in the container to host user ID 1000:

# As root user on host:
$ echo hello > /tmp/example/from-host-root.txt
$ echo hello > /tmp/example/from-host-my-user.txt
$ chown 1000:1000 /tmp/example/from-host-my-user.txt

# Start a container with root container user mapped to host user 1000:
$ podman run --rm -itd --name test --uidmap 0:1000 -v /tmp/example:/tmp/example:Z alpine
$ podman exec -it test ash
# The results of our `--uidmap 0:1000` is here (container ID 0, to host ID 1000, single ID mapping range):
$ cat /proc/self/uid_map
         0       1000          1

# Let's compare the ownership:
$ echo hello > /tmp/example/from-container-root.txt
$ stat -c '%U(%u):%G(%g) %n' /tmp/example/*
root(0):root(0) /tmp/example/from-container-root.txt
root(0):root(0) /tmp/example/from-host-my-user.txt
nobody(65534):nobody(65534) /tmp/example/from-host-root.txt

# Now on the host check ownership is set to UID 1000:
$ exit
$ stat -c '%U(%u):%G(%g) %n' /tmp/example/*
my-user(1000):my-user(1000) /tmp/example/from-container-root.txt
my-user(1000):my-user(1000) /tmp/example/from-host-my-user.txt
root(0):root(0) /tmp/example/from-host-root.txt

/etc/subuid was not used for this example, as there is no entry (nor a need for such) for the host root user which begins at 0.

If we instead use --uidmap 1000:1000 we are asking to map the container UID 1000 to host 1000 which is a bit redundant? You could make this work by having the container root user mapped too with --uidmap 0:0 --uidmap 1000:1000 but as mentioned this would be redundant:

# From within the container (this is redundant for rootful):
$ cat /proc/self/uid_map
         0          0          1
      1000       1000          1

Rootless

In a rootless container the mapping rules are a bit different the 2nd UIDMap value is an offset from the user in /etc/subuid, so 0 would refer to the rootless user, and anything after that is a container ID mapping to an a mapping in the /etc/subuid range:

# From the host:
$ cat /etc/subuid
my-user:524288:65536

Here my-user with UID of 1000 would be the equivalent of --uidmap 0:0 and --uidmap 0:1 would map the container root UID 0 to host UID 524288, the start of the /etc/subuid range for my-user, and each incremental increase here will just increase the number by 1, up to the 65536 range allowed.

That may not seem as intuitive though due to that level of indirection, so Podman has this syntax for rootless mapping that allows you get the relative offset like --uidmap 0:@1000 if run on the my-user account would match their UID to the host user entry in /etc/subuid, so the offset would be equivalent to 0 thus technically the same as --uidmap 0:0.

This @ syntax must match an ID to map from /etc/subuid, so in our example above the next UID after 1000 (my-user) would be 524288, so you wouldn't use @1001 but @524288, and that would be equivalent of --uidmap 0:1:

# No mapping for 1001 in /etc/subuid so it fails:
$ podman run --rm -it --uidmap '0:@1000' --uidmap '1:@1001' alpine
Error: parent ID UID 1001 is not mapped/delegated

# Next valid mapping for our my-user mappings:
$ podman run --rm -it --uidmap '0:@524288' alpine
$ cat /proc/self/uid_map
         0          1          1

Often you only need to map a specific container user to a host UID, in Quadlets for root this is UIDMap=+0:@%U, or via CLI podman run --uidmap "+0:@$(id -u)". The + doesn't do too much for root container UID, but if it was a higher UID, you still need to map the the root container user, and + "fills in the blanks", basically adding multiple --uidmap for you.

While you're not focused on rootless, I hope that makes it a bit more clearer about what's going on and clarifies the difference between rootful and rootless usage.

---

Solution

Ok, so you probably don't need User, just UIDMap and with correction to map as 0:1000? That should resolve it for you I think?

[Rivers47]

Ah, I know where my misunderstanding is... I thought podman always create a unique user namespace even when running rootful.. because the doc says

--uidmap Runs the container in a new user namespace using the supplied UID mapping

but apparantly when running as root every uid is mapped "as is".
What I thought podman was doing would've been true if I used sudo podman run --userns=auto ...

What I wanted to achieve is to use the same normal user in and outside of the container as is but prevent root inside the container to act as root outside. This can be achieved by --userns=auto:uidmapping=1000:1000,gidmapping=1000:1000.

...This is probably too complicated so please correct me if this doesn't actually add any, if at all, security.

[polarathene]

A container root is generally not equivalent to root on the host as capabilities are far less. You can use a non-root user if that works for you but it seems rather redundant to map a container ID of 1000 to a host ID of 1000 when that wouldn't change anything?

I showed with commands to reproduce how the ownership is mapped both from the container and outside it. If you don't want to map between different container vs host ID you don't need the mapping?

Otherwise just UIDMap=0:1000 or User=1000, but not both should work for you?

---

What I wanted to achieve is to use the same normal user in and outside of the container as is but prevent root inside the container to act as root outside.

• If the container does not need to run the process/service as root, you use --user / User= so long as it doesn't attempt to switch users at startup (which effectively accomplishes the same internally without your involvement)
• If you want the container root to not write files external of the container as root, and for those external files to appear as root in the container, you'd use --uidmap / UIDMap=.
• If you want to restrict what the root user in the container could do, you can drop capabilities to the bare minimum required (if any). That's not always straightforward though and may require some testing/troubleshooting to identify what capabilities are needed for a service if they weren't expressed via setcap or documented somewhere.

Other than that doesn't matter much IIRC even non-root users have been able to escape containers in the past depending on context.

[Rivers47]

Yes, it came up that way because when using rootless podman I always use UserNS=keep-id (which is about the same as UIDMap=1000:1000) and User=1000.

[polarathene]

when using rootless podman I always use UserNS=keep-id (which is about the same as UIDMap=1000:1000) and User=1000.

Not quite, here's a brief overview of differences with a larger example to demonstrate:

• --userns keep-id:
  • It will add your rootless user into the container /etc/passwd + /etc/group files.
  • It also implicitly sets --user to your host user. This is ok, but only when the container doesn't require running internally as root for permissions, or doesn't try to later switch to a non-root user internally for security reasons.
  • It does not make much sense for rootful vs just using --user 0:0 (assuming the container user doesn't already start as root by default).
  • Thus it is kinda convenient but rather situational. Compared to --uidmap you can check cat /proc/self/uid_map to see it's effectively doing --uidmap "+0:@$(id -u)" (the + and @ are explained down below).
• --uidmap 1000:1000:
  • Useful when you only care about ownership for a container ID being different on the host side of the bind mount volume.
  • Rootful: Redundant since there is no mapping change.
  • Rootless: This will take the 1000th ID (technically 1001 since we start at 0) from the rootless user entry in /etc/subuid - which won't be your actual rootless user host UID (it'll actually be something like 525287 on the host instead).
  • As explained, --uidmap is a subset of what --userns keep-id does - but you have full control over what the --uidmap value is configured as. In this case you misunderstood what the equivalent --uidmap value was (totally ok, this confused me plenty at first too).

You cannot use the two together explicitly.

Rootless example for --uidmap

• With rootful --uidmap is quite straight-forward, the --uidmap <container-id>:<host-id> mapping is explicit.
• With rootless we deal with /etc/subuid for mapping <host-id> as an offset. That can get more confusing so hopefully this demonstrates it clearly.

For example, with this on the host:

$ ls -ln /tmp/example
-rw-r--r--. 1 1001 1001 6 Oct 30 13:34 from-host-my-user.txt
-rw-r--r--. 1    0    0 6 Oct 30 13:34 from-host-root.txt

$ id -u
1001
$ cat /etc/subuid
my-user:524288:65536

But in the container itself (as a rootless user 1001):

$ podman run --rm -it -v /tmp/example:/tmp/example:Z --uidmap 0:0 --uidmap 1001:1001 alpine
$ ls -ln /tmp/example
-rw-r--r--    1 0        0                6 Oct 30 00:34 from-host-my-user.txt
-rw-r--r--    1 65534    65534            6 Oct 30 00:34 from-host-root.txt

$ cat /proc/self/uid_map
         0          0          1
      1001       1001          1

• --uidmap 0:0 says map container root to my rootless user (0 is the first ID offset from /etc/subuid for my rootless user, then it'll jump to 524288 from an offset of 1 and increment by 1 from there onwards, up to the range configured in /etc/subuid).
  • This is why the from-host-my-user.txt is my rootless user on the host, but appears as root in the container, because of --uidmap 0:0.
• On the container we have 65534 (aka nobody) as there was no mapping for the host UID 0 to the container UID 0.
  • It would overlap with the container root ID mapping to a host ID - but also it is not within the bounds of our /etc/subuid so we can't really map that into the container.
  • There shouldn't be UID ownership on the host side for files that do not belong to your rootless user ID (or their /etc/subuid range, 524288 --> 589822).

1001 relative offset vs @ prefix with the host ID

--uidmap 1001:1001 has no effect here because there was no container UID 1001 in use, and the host volume doesn't have a file with a UID of the relative 1001 offset via /etc/subuid (525288 in this case, effectively 524288 + (1001 - 1) == 525288).

Let's demonstrate that:

# Within that same alpine container:
$ echo hello > /tmp/example/from-container-1001.txt
$ chown 1001:1001 /tmp/example/from-container-1001.txt

$ ls -ln /tmp/example
-rw-r--r--    1 1001     1001             6 Oct 30 00:55 from-container-1001.txt
-rw-r--r--    1 0        0                6 Oct 30 00:34 from-host-my-user.txt
-rw-r--r--    1 65534    65534            6 Oct 30 00:34 from-host-root.txt

# Now verify ownership on the host:
$ exit
$ ls -ln /tmp/example
-rw-r--r--. 1 525288 525288 6 Oct 30 13:55 from-container-1001.txt
-rw-r--r--. 1   1001   1001 6 Oct 30 13:34 from-host-my-user.txt
-rw-r--r--. 1      0      0 6 Oct 30 13:34 from-host-root.txt

If you'd like to target your rootless UID on the host, or any UID within it's /etc/subuid range, you don't need to know the exact offset, but can refer to the host ID with a prefix of @, so in this case:

• --uidmap 0:@1001 would be equivalent to --uidmap 0:0
• --uidmap 1001:1001 would be equivalent to --uidmap 1001:@525288

---

nobody and using the + prefix with the container ID

The nobody / 65534 ownership can be mapped explicitly to whatever valid value in /etc/subuid, or we can instruct podman to "fill" the mapped range with + prefix on the container ID with --uidmap +0:0.

Let's see this in action:

# Notice how `+0:0` here has covered the rest of `/etc/subuid` range,
# where `--uidmap 1001:1001` is redundant as it's covered in that range:
$ podman run --rm -it -v /tmp/example:/tmp/example:Z --uidmap +0:0 --uidmap 1001:1001 alpine
$ cat /proc/self/uid_map
         0          0          1
         1          1      65536

# Add a new file in the container with ownership of nobody (65534)
$ echo hello > /tmp/example/from-container-nobody.txt
$ chown nobody:nobody /tmp/example/from-container-nobody.txt

# In the container we now have two files with the same ownership for 65534:
$ ls -ln /tmp/example
-rw-r--r--    1 1001     1001             6 Oct 30 00:55 from-container-1001.txt
-rw-r--r--    1 65534    65534            6 Oct 30 01:12 from-container-nobody.txt
-rw-r--r--    1 0        0                6 Oct 30 00:34 from-host-my-user.txt
-rw-r--r--    1 65534    65534            6 Oct 30 00:34 from-host-root.txt

# Now on the host there is a distinction, see the /etc/subuid mapping was used:
# | 65534 - 1 (the first ID, aka 524288 on host) = 65533
# | 524288 + 65533 = 589821 (this is the /etc/subuid base ID mapped with the relative offset from 1)
$ exit
$ ls -ln /tmp/example
-rw-r--r--. 1 525288 525288 6 Oct 30 13:55 from-container-1001.txt
-rw-r--r--. 1 589821 589821 6 Oct 30 14:12 from-container-nobody.txt
-rw-r--r--. 1   1001   1001 6 Oct 30 13:34 from-host-my-user.txt
-rw-r--r--. 1      0      0 6 Oct 30 13:34 from-host-root.txt

[eriksjolund]

Regarding the original problem described in #24384 (comment)

It works when I add an addtional UIDMap=0:999

1. sudo mkdir /srv/test
2. sudo chmod 1000:1000 /srv/test
3. Create the file /tmp/test.sh containing

   #!/bin/bash
   set -o errexit
   set -o nounset
   id=$1
   extraconf=$2
   cat << EOF > /etc/containers/systemd/${id}.container
   [Container]
   ContainerName=${id}
   Image=docker.io/library/alpine
   User=1000:1000
   UIDMap=1000:1000
   ${extraconf}
   Volume=/srv/test:/config:Z
   Exec=/bin/touch /config/${id}
   EOF
   
   systemctl daemon-reload
   systemctl start ${id}.service
   ls -ln /srv/test/${id}
   

4. Run command

   sudo bash /tmp/test.sh test1 ""
   

   The following output is printed

   Job for test1.service failed because the control process exited with error code.
   See "systemctl status test1.service" and "journalctl -xeu test1.service" for details.
   

5. Run command

   sudo bash /tmp/test.sh test2 "UIDMap=0:999"
   

   The following output is printed

   -rw-r--r--. 1 1000 1000 0 Oct 29 07:13 /srv/test/test2
   

[polarathene]

It works when I add an addtional UIDMap=0:999

Yes as my answer mentioned, root user needs to be mapped to something. But --user 1000:1000 --uidmap 1000:1000 is rather redundant use of --uidmap.