grst/rstudio-server-conda

Podman version cannot access group directories

grst opened this issue · 0 comments

grst commented

When running rstudio in podman, I had the issue that I could not access project directories on our scientific storage to
which I have access based on my secondary user group only.

This is considered a "security feature" of podman. A solution is described in this article by RedHat. In brief:

  • use the crun instead of the runc runtime (install crun and edit ~/.config/containers/containers.conf)
  • run the container with podman run --annotation run.oci.keep_original_groups=1 [...]

This appeared to work in principle (from a shell in the podman container I could access the group directory as expected),
but the rstudio process still got started with different permissions and didn't have access to the directory. I haven't yet figured out how to solve it (except by using Singularity instead (#13)).

Further issues:

  • Due to a bug in podman 3.0.x, annotations are not read from containers.conf, making it impossible to pass the annotation to a container while using podman-compose. This is allegedly fixed in 3.1, but that version is not available on CentOS 7.
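
One way to check the symptom described in this issue (a shell in the container can reach the group directory, the RStudio process cannot) is to compare the supplementary groups of the two processes as recorded in their `/proc/<pid>/status` files. This is an added example, not part of the original issue or the project's code; the sample status files and the process names `bash` and `rsession` in them are constructed assumptions.

```shell
#!/bin/sh
# Compare supplementary groups of two processes from /proc/<pid>/status files.
# In a rootless container, host groups that are not mapped into the user
# namespace appear as the overflow GID (65534 by default).

# Print the sorted, de-duplicated GIDs from the "Groups:" line of a status file.
supp_groups() {
    awk '$1 == "Groups:" { for (i = 2; i <= NF; i++) print $i }' "$1" |
        sort -n -u | tr '\n' ' ' | sed 's/ *$//'
}

# Succeed only if both status files list the same supplementary groups.
same_groups() {
    [ "$(supp_groups "$1")" = "$(supp_groups "$2")" ]
}

# Print GIDs that the first process has and the second one lacks.
missing_groups() {
    have=" $(supp_groups "$2") "
    out=""
    for g in $(supp_groups "$1"); do
        case "$have" in
            *" $g "*) ;;
            *) out="$out $g" ;;
        esac
    done
    echo "${out# }"
}

# Constructed, trimmed sample status files (not captured from a real system).
write_samples() {
    printf 'Name:\tbash\nPid:\t41\nGroups:\t0 65534 65534 \n' > "$1/shell.status"
    printf 'Name:\trsession\nPid:\t97\nGroups:\t0 \n' > "$1/rsession.status"
}

tmp=$(mktemp -d)
write_samples "$tmp"
if same_groups "$tmp/shell.status" "$tmp/rsession.status"; then
    echo "both processes have the same supplementary groups"
else
    echo "second process lacks GIDs: $(missing_groups "$tmp/shell.status" "$tmp/rsession.status")"
fi
rm -rf "$tmp"
```

Inside a real container, pass `/proc/$$/status` for the interactive shell and the status file of the RStudio process instead of the sample files.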