
I am trying to set up gitea using podman. I would like to have

  • the data volume mapped to a host directory, because it allows me to easily inspect and backup the data
  • the container process executed by a specific host user

Podman is executed by the root user, mostly because of the problems I had with podman generate systemd --new and rootless containers (see systemd User= directive not supported, why? and support User= in systemd for running rootless services).

To achieve the mapping with rootful containers I started mapping all the in-use container uids and gids to the host's gitea user. I ended up with something like

podman run --rm \
    --uidmap=0:$(id -u gitea):1 \
    --gidmap=0:$(id -g gitea):1 \
    --uidmap=1000:$(id -u gitea):1 \
    --gidmap=1000:$(id -g gitea):1 \
    --gidmap=42:$(id -g gitea):1 \
    --volume /srv/gitea/data:/var/lib/gitea \
    docker.io/gitea/gitea:1.18.0-rc1-rootless

The output that I get is

WARN[0000] Path "/etc/SUSEConnect" from "/etc/containers/mounts.conf" doesn't exist, skipping 
WARN[0000] Path "/etc/zypp/credentials.d/SCCcredentials" from "/etc/containers/mounts.conf" doesn't exist, skipping 
Error: OCI runtime error: runc create failed: unable to start container process: can't get final child's PID from pipe: EOF

I successfully ran other podman containers despite the path warnings, so I think they can be ignored.

I am running podman version 3.4.7 on openSUSE Leap 15.3.

How can I run this container, while mapping all the in-use uids and gids to a specific host user/group?

1 Answer


The root cause seems to have been trying to map multiple container uids (and gids) to a single uid/gid on the host. So I was trying to map (container to host):

  • UID 0 → gitea
  • GID 0 → gitea
  • UID 1000 → gitea
  • GID 1000 → gitea
  • GID 42 → gitea

Instead I am now falling back to a different mapping, where just the 1000 UID/GID pair, the one actually running the Gitea app, is mapped to the host user, and others receive a different UID range using

    --uidmap=0:10000:999 \
    --gidmap=0:10000:999 \
    --uidmap=1000:$(id -u gitea):1 \
    --gidmap=1000:$(id -g gitea):1 \

This means that we have the following mappings

  • UIDs 0-999 → 10000-10999
  • GIDs 0-999 → 10000-10999
  • UID 1000 → gitea
  • GID 1000 → gitea

With this change, the container starts up successfully and the permissions on the host are as expected.
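The failure in the question is a kernel rule rather than a podman one: when the runtime writes /proc/PID/uid_map and gid_map, the kernel refuses (EINVAL) any set of entries whose ranges overlap on the container side or on the host side, so several container ids can never point at one host id. The script below is an added example, not code from the question, the answer or the podman project: it checks a list of CONTAINER_ID:HOST_ID:COUNT triples for exactly that overlap, renders them as --uidmap/--gidmap flags, and shows which host id a given container id lands on. The host uid/gid 1001 for gitea is an assumption standing in for $(id -u gitea); the mapping lists are the ones from the question and the answer.

```sh
#!/bin/sh
# Validate podman --uidmap/--gidmap triples (CONTAINER_ID:HOST_ID:COUNT)
# the way the kernel does when /proc/PID/uid_map is written: no two
# entries may overlap on the container side or on the host side.

# Parse one triple into the globals r_c1/r_c2 (inclusive container range)
# and r_h1/r_h2 (inclusive host range). Returns 1 on malformed input.
parse_idmap() {
  case "$1" in *:*:*) ;; *) return 1 ;; esac
  r_c1=${1%%:*}
  rest=${1#*:}
  r_h1=${rest%%:*}
  n=${rest#*:}
  for v in "$r_c1" "$r_h1" "$n"; do
    case "$v" in '' | *[!0-9]*) return 1 ;; esac
  done
  [ "$n" -gt 0 ] || return 1
  r_c2=$((r_c1 + n - 1))
  r_h2=$((r_h1 + n - 1))
}

# Inclusive ranges [$1,$2] and [$3,$4] overlap iff each starts before the other ends.
ranges_overlap() { [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; }

# Return 0 if the triples form a map the kernel would accept, 1 otherwise
# (the offending pair is reported on stderr).
check_idmap() {
  i=0
  for a in "$@"; do
    i=$((i + 1))
    parse_idmap "$a" || { echo "malformed mapping: $a" >&2; return 1; }
    ac1=$r_c1; ac2=$r_c2; ah1=$r_h1; ah2=$r_h2
    j=0
    for b in "$@"; do
      j=$((j + 1))
      [ "$j" -gt "$i" ] || continue      # compare each unordered pair once
      parse_idmap "$b" || { echo "malformed mapping: $b" >&2; return 1; }
      if ranges_overlap "$ac1" "$ac2" "$r_c1" "$r_c2"; then
        echo "container-side overlap: $a vs $b" >&2; return 1
      fi
      if ranges_overlap "$ah1" "$ah2" "$r_h1" "$r_h2"; then
        echo "host-side overlap: $a vs $b" >&2; return 1
      fi
    done
  done
  return 0
}

# Print the host id that container id $1 lands on under the remaining
# triples, or "unmapped" (and return 1) if no entry covers it.
map_id() {
  cid=$1; shift
  for m in "$@"; do
    parse_idmap "$m" || return 1
    if [ "$cid" -ge "$r_c1" ] && [ "$cid" -le "$r_c2" ]; then
      echo $((r_h1 + cid - r_c1)); return 0
    fi
  done
  echo unmapped; return 1
}

# Render triples as podman flags; $1 is "uid" or "gid".
idmap_flags() {
  kind=$1; shift
  out=
  for m in "$@"; do
    out="$out${out:+ }--${kind}map=$m"
  done
  printf '%s\n' "$out"
}

# Assumed host ids for the gitea user and group (on a real host: $(id -u gitea)).
GITEA_UID=${GITEA_UID:-1001}
GITEA_GID=${GITEA_GID:-1001}

# Question's attempt: two container uids aimed at the same host uid.
BAD_UIDS="0:$GITEA_UID:1 1000:$GITEA_UID:1"
# Answer's mapping: 0-998 -> 10000-10998 (count 999), 1000 -> gitea.
GOOD_UIDS="0:10000:999 1000:$GITEA_UID:1"
GOOD_GIDS="0:10000:999 1000:$GITEA_GID:1"

# Word splitting of the lists below is intended.
if check_idmap $BAD_UIDS; then echo "question's uidmap: accepted"; else echo "question's uidmap: rejected"; fi
if check_idmap $GOOD_UIDS; then echo "answer's uidmap: accepted"; fi
echo "podman run $(idmap_flags uid $GOOD_UIDS) $(idmap_flags gid $GOOD_GIDS) ..."
echo "container uid 1000 -> host $(map_id 1000 $GOOD_UIDS)"
echo "container gid 42   -> host $(map_id 42 $GOOD_GIDS)"
echo "container uid 999  -> host $(map_id 999 $GOOD_UIDS)"
```

Two points the check makes visible. The question's map fails on the host side (0 and 1000 both aimed at gitea), not because of anything on the container side, so splitting the range as the answer does is the only fix short of running the whole container as one id. And a count of 999 starting at 0 covers container ids 0-998 only: container id 999 has no host id at all under the answer's flags, and a chown to it inside the container will fail; use 0:10000:1000 if the full 0-999 range is wanted.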