A different behavior about non-root user's volume mount

[junaruga]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

I am not sure if this is a bug.
There is a different behavior to use podman -v HOST_DIR:CONTAINER_DIR for created VOLUME in Dockerfile between podman and docker.
This is important use case for me because the use case is used to run a source code in container with same user on host such as running mounted unit tests in the container.
If the root user runs the unit test in container, the host's mounting directory is updated by root user. That's not good.
The Dockerfile and steps I showed are not a minimal reproducer. I wanted to show actual use case to use non-root user's files in a volume mount directory.
Thank you.

Steps to reproduce the issue:

1. Prepare below Dockerfile on the current directory.

$ cat Dockerfile 
FROM registry.fedoraproject.org/fedora-minimal
ARG USER_NAME
ARG USER_ID
ARG GROUP_NAME
ARG GROUP_ID

RUN groupadd -g "${GROUP_ID}" "${GROUP_NAME}"
RUN useradd -m -u "${USER_ID}" -g "${GROUP_NAME}" "${USER_NAME}"
RUN id "${USER_ID}"
RUN mkdir /work
RUN chown -R "${USER_NAME}:${GROUP_NAME}" /work
VOLUME ["/work"]

2. Run below command.

$ podman build --rm \
  --build-arg USER_NAME=$(id -un) \
  --build-arg USER_ID=$(id -u) \
  --build-arg GROUP_NAME=$(id -gn) \
  --build-arg GROUP_ID=$(id -g) \
  -t sample . 
$ podman run --rm -t -v $(pwd):/work -w /work -u "$(id -un)" sample ls -l

Describe the results you received:

$ podman run --rm -t -v $(pwd):/work -w /work -u "$(id -un)" sample ls -l
Error: conflict at mount destination /work: duplicate mount destination

Describe the results you expected:

The command outputs "non-root user"'s file in the volume directory.

$ podman run --rm -t -v $(pwd):/work -w /work -u "$(id -un)" sample ls -l
total 4
-rw-rw-r-- 1 jaruga jaruga 314 Jun 25 19:19 Dockerfile

Additional information you deem important (e.g. issue happens only occasionally):

In case of docker as a comparison

$ docker --version
Docker version 18.09.5, build e8ff056

$ docker build --rm \
  --build-arg USER_NAME=$(id -un) \
  --build-arg USER_ID=$(id -u) \
  --build-arg GROUP_NAME=$(id -gn) \
  --build-arg GROUP_ID=$(id -g) \
  -t sample .

$ docker run --rm -t -v $(pwd):/work -w /work -u "$(id -un)" sample ls -l
total 4
-rw-rw-r-- 1 jaruga jaruga 314 Jun 25 19:19 Dockerfile

In case of podman with "--image-volume=tmpfs"

The command shows "root user"'s file in the volume directory.
This is not what I intent. I referred #3174 (comment) .

$ podman run --rm -t -v $(pwd):/work -w /work -u "$(id -un)" --image-volume=tmpfs sample ls -ltotal 4
-rw-rw-r-- 1 root root 314 Jun 25 19:19 Dockerfile

Output of podman version:

$ podman version
Version:            1.3.1
RemoteAPI Version:  1
Go Version:         go1.12.2
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.12.2
  podman version: 1.3.1
host:
  BuildahVersion: 1.8.2
  Conmon:
    package: podman-1.3.1-1.git7210727.fc30.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: c9a4c48d1bff85033b7fc9b62d25961dd5048689'
  Distribution:
    distribution: fedora
    version: "30"
  MemFree: 432410624
  MemTotal: 8030162944
  OCIRuntime:
    package: containerd.io-1.2.5-3.1.fc29.x86_64
    path: /usr/sbin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: 2b18fe1d885ee5083ef9f0838fee39b62d653e30
      spec: 1.0.1-dev
  SwapFree: 7758245888
  SwapTotal: 8053059584
  arch: amd64
  cpus: 4
  hostname: unused-4-164.brq.redhat.com
  kernel: 5.0.10-300.fc30.x86_64
  os: linux
  rootless: true
  uptime: 533h 11m 57.15s (Approximately 22.21 days)
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /home/jaruga/.config/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/jaruga/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 50
  RunRoot: /run/user/28707
  VolumePath: /home/jaruga/.local/share/containers/storage/volumes

Additional environment details (AWS, VirtualBox, physical, etc.):

My local laptop Fedora 30.

[rhatdan]

@mheon Was this fixed in your rework on volumes? Potentially fixed in 1.4.2?

[mheon]

This one is a bug in that rework, actually - fixed in 1.3.2 (plus 1.4.0 and later).

[junaruga]

Thanks for the checking.
In the podman 1.4.2, there is no error.
But the file's owner and group is "root". It needs to be "jaruga". That is different from docker.
Can you reopen?

$ podman version
Version:            1.4.2
RemoteAPI Version:  1
Go Version:         go1.12.5
OS/Arch:            linux/amd64

$ ls -l Dockerfile 
-rw-rw-r-- 1 jaruga jaruga 314 Jun 25 21:19 Dockerfile

$ podman build --rm \
  --build-arg USER_NAME=$(id -un) \
  --build-arg USER_ID=$(id -u) \
  --build-arg GROUP_NAME=$(id -gn) \
  --build-arg GROUP_ID=$(id -g) \
  -t sample . 

$ podman run --rm -t -v $(pwd):/work -w /work -u "$(id -un)" sample ls -l
total 4
-rw-rw-r-- 1 root root 314 Jun 25 19:19 Dockerfile

$ podman run --rm -t -v $(pwd):/work -w /work -u "$(id -un)" sample ls -dl /work
drwxrwxr-x 2 root root 4096 Jun 25 19:21 /work

In case of the docker

$ docker run --rm -t -v $(pwd):/work -w /work -u "$(id -un)" sample ls -l
total 4
-rw-rw-r-- 1 jaruga jaruga 314 Jun 25 19:19 Dockerfile

$ docker run --rm -t -v $(pwd):/work -w /work -u "$(id -un)" sample ls -dl /work
drwxrwxr-x 2 jaruga jaruga 4096 Jun 25 19:21 /work

[mheon]

Try with --userns=keep-id Rootless containers map the UID of the user that ran the container to root without it.

…

On Wed, Jun 26, 2019, 09:58 Jun Aruga ***@***.***> wrote: Thanks for the checking. In the podman 1.4.2, there is no error. But the file's owner and group is "root". It needs to be "jaruga". That is different from docker. Can you reopen? $ podman version Version: 1.4.2 RemoteAPI Version: 1 Go Version: go1.12.5 OS/Arch: linux/amd64 $ ls -l Dockerfile -rw-rw-r-- 1 jaruga jaruga 314 Jun 25 21:19 Dockerfile $ podman build --rm \ --build-arg USER_NAME=$(id -un) \ --build-arg USER_ID=$(id -u) \ --build-arg GROUP_NAME=$(id -gn) \ --build-arg GROUP_ID=$(id -g) \ -t sample . $ podman run --rm -t -v $(pwd):/work -w /work -u "$(id -un)" sample ls -l total 4 -rw-rw-r-- 1 root root 314 Jun 25 19:19 Dockerfile — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#3432>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AB3AOCFCJTXAL35H3H2WXNLP4NYZZANCNFSM4H3LWSJA> .

[junaruga]

@mairin thanks for the info. It works with "--userns=keep-id"! the option is podman specific feature right?

$ podman run --rm -t -v $(pwd):/work -w /work -u "$(id -un)" --userns=keep-id sample ls -l
total 4
-rw-rw-r-- 1 jaruga jaruga 314 Jun 25 19:19 Dockerfile

$ docker run --rm -t -v $(pwd):/work -w /work -u "$(id -un)" --userns=keep-id sample ls -l
docker: --userns: invalid USER mode.
See 'docker run --help'.

[rhatdan]

Yes, since Docker does not use the User Namespace it does not support the field.
Basically rootless podman either creates the container with the USERUID as root by default or creates a container with the first UID in /etc/subuid as root inside of the container and the USERUID==USERUID inside of the container when run with --userns=keep-id