Podman version cannot access group directories
grst opened this issue · 0 comments
grst commented
When running rstudio in podman, I had the issue that I could not access project directories on our scientific storage to which I have access based on my secondary user group only.
This is considered a "security feature" of podman. A solution is described in this article by RedHat. In brief:
- use the `crun` instead of the `runc` runtime (install `crun` and edit `~/.config/containers/containers.conf`)
- run the container with `podman run --annotation run.oci.keep_original_groups=1 [...]`
This appeared to work in principle (from a shell in the podman container I could access the group directory as expected),
but the rstudio process still got started with different permissions and didn't have access to the directory. I haven't yet figured out how to solve it (except by using Singularity instead (#13)).
Further issues:
- Due to a bug in podman 3.0.x, annotations are not read from `containers.conf`, making it impossible to pass the annotation to a container while using `podman-compose`. This is allegedly fixed in 3.1, but that version is not available on CentOS 7.
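
To see whether a process in the container really lost its supplementary groups (the shell that could read the directory versus the rstudio process that could not), the `Groups:` lines of two `/proc/<pid>/status` files can be compared. This is an added example, not part of the original issue or the project's code; the function name and the sample GIDs are made up. It is meant to be run on the host, because inside a rootless container the unmapped groups do not appear under their host numbers.

```shell
#!/bin/sh
# Added example: list supplementary GIDs that a reference process holds but a
# target process lacks, based on the "Groups:" line of /proc/<pid>/status.

# missing_groups REFERENCE_STATUS TARGET_STATUS
# Prints the GIDs (space-separated, in reference order) missing from the target.
missing_groups() {
    awk -v target="$2" '
        BEGIN {
            # Collect the supplementary GIDs of the target process.
            while ((getline line < target) > 0) {
                if (line ~ /^Groups:/) {
                    n = split(line, f, /[ \t]+/)
                    for (i = 2; i <= n; i++) if (f[i] != "") have[f[i]] = 1
                }
            }
        }
        # Walk the reference GIDs and keep those the target does not have.
        /^Groups:/ {
            for (i = 2; i <= NF; i++)
                if (!($i in have)) out = out (out == "" ? "" : " ") $i
        }
        END { print out }
    ' "$1"
}

# Constructed sample data (GIDs 20001 and 20002 are invented): the shell kept
# its secondary groups, the service process was started without them.
tmp=$(mktemp -d)
printf 'Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGroups:\t1000 20001 20002 \n' \
    > "$tmp/shell.status"
printf 'Name:\tservice\nUid:\t1000\t1000\t1000\t1000\nGroups:\t1000 \n' \
    > "$tmp/service.status"

echo "missing in service: $(missing_groups "$tmp/shell.status" "$tmp/service.status")"

# On a real host, replace <PID> with the host PID of the process to inspect:
#   missing_groups /proc/self/status /proc/<PID>/status
```

An empty result means the target holds every supplementary group of the reference process.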