
I'm trying to run a podman quadlet defined by a kubernetes YML file. I want it to run rootless in systemd under a web user on the host: systemctl --user status pod-web.

Inside the container, the PHP process is running under the 33:33 user. I want the /home/web/data directory on the host to be owned by the web user, but at the same time to be readable and writable by the 33:33 user inside the container, where it is mounted to /var/www/html.

In the comments, you can see some things I tried. Unfortunately, I don't understand the user namespaces and subuid/subgid enough to be able to make it work with the documentation, and Copilot keeps hallucinating, so any help from real people will be appreciated.

My problem is similar to this one, but I want to use a podman kube quadlet defined in a YML file.


Environment:

  • AlmaLinux release 9.4 (Seafoam Ocelot)
  • podman version 4.9.4-rhel
  • systemd 252 (252-32.el9_4.7)
  • SELinux enabled enforcing
  • chown -R web:web /home/web
  • usermod --add-subuids 100000-165535 --add-subgids 100000-165535 web

/home/web/pod-web.yml:

apiVersion: v1
kind: Pod
metadata:
  name: pod-web
#  annotations:
#    io.podman.annotations.userns: "keep-id"
spec:
  containers:
  - name: pod-web
    image: docker.io/library/php:8.3-apache
#    securityContext:
#      runAsUser: 33
#      runAsGroup: 33
#      supplementalGroups: [65536]
#    ports:
#    - containerPort: 80
#      hostPort: 8000
    volumeMounts:
    - mountPath: /var/www/html
      name: web-data
  volumes:
  - name: web-data
    hostPath:
      path: /home/web/data
  restartPolicy: Always

With runAsUser: 33 the container was logging:

(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80

With runAsUser: 0 the container seems to run, but it is a bad practice as it gives too many privileges if I understand it correctly.


/home/web/.config/containers/systemd/pod-web.kube:

[Unit]
Description=Podman Quadlet: %p

[Service]

ExecStartPre=/usr/bin/podman unshare -- /bin/bash -c 'chown -R 33:33 /home/web/data'

[Kube]
Yaml=/home/web/%p.yml
LogDriver=journald
#UserNS=keep-id:uid=33,gid=33
#UserNS=auto

[Install]
WantedBy=multi-user.target default.target

McLayn

1 Answer


This is what worked in the end:

  • chown -R web:web /home/web
  • usermod --add-subuids 100000-165535 --add-subgids 100000-165535 web

/home/web/pod-web.yml:

apiVersion: v1
kind: Pod
metadata:
  name: pod-web
spec:
  containers:
  - name: pod-web
    image: docker.io/library/php:8.3-apache
#    ports:
#    - containerPort: 80
#      hostPort: 8000
    volumeMounts:
    - mountPath: /var/www/html
      name: web-data
    securityContext:
      runAsUser: 33
      runAsGroup: 33
      capabilities:
        add: ["NET_BIND_SERVICE"]
  volumes:
  - name: web-data
    hostPath:
      path: /home/web/data
  restartPolicy: Always

/home/web/.config/containers/systemd/pod-web.kube:

[Unit]
Description=Podman Quadlet: %p

[Service]

[Kube]
Yaml=/home/web/%p.yml
LogDriver=journald
UserNS=keep-id:uid=33,gid=33
#GlobalArgs=--log-level=debug

[Install]
WantedBy=multi-user.target default.target

  • %p will be replaced with pod-web from the filename

Particularly, (13)Permission denied: AH00072: make_sock: could not bind to address was solved with securityContext:capabilities:add:["NET_BIND_SERVICE"]

McLayn
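Added example (not from the question or the answer) showing why the ExecStartPre chown under podman unshare and UserNS=keep-id:uid=33 do not agree on who owns /home/web/data: a POSIX shell script that models the uid_map podman builds for the default rootless namespace (used by podman unshare) and for keep-id:uid=33, then resolves IDs across them. It assumes the web user's host UID is 1001; the subuid range is the one from the question.

```shell
#!/bin/sh
# Added example: model the two rootless UID maps involved in this question and
# resolve IDs across them. Host UID of "web" is an assumption (1001); the
# subuid range is the one from the question (100000-165535, 65536 IDs).

# default_map HOST_UID SUBUID_START SUBUID_COUNT
# The map used by "podman unshare" and by containers without UserNS=:
# container root is the host user, everything else comes from the subuids.
default_map() {
    printf '%d %d %d\n' 0 "$1" 1
    printf '%d %d %d\n' 1 "$2" "$3"
}

# keep_id_map HOST_UID SUBUID_START SUBUID_COUNT KEEP_UID
# The map produced by UserNS=keep-id:uid=KEEP_UID: the kept ID is the host
# user, IDs below it take the start of the subuid range, IDs above continue it.
keep_id_map() {
    printf '%d %d %d\n' 0 "$2" "$4"
    printf '%d %d %d\n' "$4" "$1" 1
    printf '%d %d %d\n' $(($4 + 1)) $(($2 + $4)) $(($3 - $4))
}

# to_host CONTAINER_UID   (uid_map lines on stdin) -> host UID or "unmapped"
to_host() {
    awk -v cid="$1" '
        $1 <= cid && cid < $1 + $3 { print $2 + cid - $1; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# to_container HOST_UID   (uid_map lines on stdin) -> container UID or "unmapped"
to_container() {
    awk -v hid="$1" '
        $2 <= hid && hid < $2 + $3 { print $1 + hid - $2; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Walk through the question: chown 33:33 under "podman unshare" lands on a
# subuid on the host, and that subuid is NOT 33 inside a keep-id:uid=33 pod,
# while files owned by web (1001) on the host do show up as 33.
main() {
    printf 'unshare: container 33 -> host %s\n' \
        "$(default_map 1001 100000 65536 | to_host 33)"             # 100032
    printf 'keep-id: host 100032 -> container %s\n' \
        "$(keep_id_map 1001 100000 65536 33 | to_container 100032)" # 32
    printf 'keep-id: host web (1001) -> container %s\n' \
        "$(keep_id_map 1001 100000 65536 33 | to_container 1001)"   # 33
}

main "$@"
```

On the real host, compare the model against `podman unshare cat /proc/self/uid_map` and against `/proc/self/uid_map` read from inside the running pod.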