I'm trying to run a podman quadlet defined by a Kubernetes YML file. I want it to run rootless in systemd under a web user on the host: systemctl --user status pod-web.
Inside the container, the PHP process is running under the 33:33 user.
I want the /home/web/data directory on the host to be owned by the web user, but at the same time to be readable and writable by the 33:33 user inside the container, where it is mounted to /var/www/html.
In the comments, you can see some things I tried. Unfortunately, I don't understand user namespaces and subuid/subgid well enough to make it work from the documentation, and Copilot keeps hallucinating, so any help from real people will be appreciated.
My problem is similar to this one, but I want to use a podman kube quadlet defined in a YML file.
Environment:
- AlmaLinux release 9.4 (Seafoam Ocelot)
- podman version 4.9.4-rhel
- systemd 252 (252-32.el9_4.7)
- SELinux enabled, enforcing
chown -R web:web /home/web
usermod --add-subuids 100000-165535 --add-subgids 100000-165535 web
/home/web/pod-web.yml:
apiVersion: v1
kind: Pod
metadata:
  name: pod-web
  # annotations:
  #   io.podman.annotations.userns: "keep-id"
spec:
  containers:
    - name: pod-web
      image: docker.io/library/php:8.3-apache
      # securityContext:
      #   runAsUser: 33
      #   runAsGroup: 33
      #   supplementalGroups: [65536]
      # ports:
      #   - containerPort: 80
      #     hostPort: 8000
      volumeMounts:
        - mountPath: /var/www/html
          name: web-data
  volumes:
    - name: web-data
      hostPath:
        path: /home/web/data
  restartPolicy: Always
With runAsUser: 33 the container was logging:
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
With runAsUser: 0 the container seems to run, but it is a bad practice as it gives too many privileges, if I understand it correctly.
/home/web/.config/containers/systemd/pod-web.kube:
[Unit]
Description=Podman Quadlet: %p
[Service]
# ExecStartPre=/usr/bin/podman unshare -- /bin/bash -c 'chown -R 33:33 /home/web/data'
[Kube]
Yaml=/home/web/%p.yml
LogDriver=journald
#UserNS=keep-id:uid=33,gid=33
#UserNS=auto
[Install]
WantedBy=multi-user.target default.target
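The part of the question that is hard to reason about is which host UID a container UID actually lands on, because that decides whether UID 33 inside the container can write to a directory owned by web on the host. The script below is an added example (it is not code from the question or the answer): it reproduces podman's two relevant rootless mappings in plain sh so they can be computed offline. The /etc/subuid line is constructed to match the usermod command in the question, the host UID 1001 for the web account is an assumption, and nothing here needs podman or touches the real host files.

```shell
#!/bin/sh
# Added example: compute where a container UID lands on the host under
# podman's rootless user-namespace mappings. Not from the original post.

# Constructed stand-in for the web user's /etc/subuid line (user:start:count),
# matching "usermod --add-subuids 100000-165535 web" from the question.
SAMPLE_SUBUID='web:100000:65536'

# Assumed host UID of the web account (assumption, not taken from the page).
WEB_UID=1001

# subuid_start USER SUBUID_CONTENT -> first subordinate UID granted to USER
subuid_start() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# default_map CONTAINER_UID OWNER_UID SUBUID_START
# podman's default rootless mapping (no UserNS / no userns annotation):
# container root is the unprivileged owner, and container UID N (N >= 1)
# is the N-th subordinate UID, i.e. start + N - 1. This is also why
# "podman unshare chown 33:33 dir" leaves dir owned by start + 32 on the host.
default_map() {
    if [ "$1" -eq 0 ]; then
        echo "$2"
    else
        echo $(( $3 + $1 - 1 ))
    fi
}

# keepid_map CONTAINER_UID OWNER_UID KEEP_UID SUBUID_START
# --userns=keep-id:uid=KEEP_UID: container UID KEEP_UID is the owner's real
# host UID; UIDs below it take subordinate IDs start + N, UIDs above it take
# start + N - 1 (one slot is consumed by the owner's mapping).
keepid_map() {
    if [ "$1" -eq "$3" ]; then
        echo "$2"
    elif [ "$1" -lt "$3" ]; then
        echo $(( $4 + $1 ))
    else
        echo $(( $4 + $1 - 1 ))
    fi
}

# writable_by_owner HOST_UID OWNER_UID -> "yes" if a host file owned by
# OWNER_UID is owner-writable for a process that runs as HOST_UID on the host.
writable_by_owner() {
    if [ "$1" -eq "$2" ]; then echo yes; else echo no; fi
}

start=$(subuid_start web "$SAMPLE_SUBUID")

h_default=$(default_map 33 "$WEB_UID" "$start")
h_keepid=$(keepid_map 33 "$WEB_UID" 33 "$start")

echo "subuid range for web starts at $start"
echo "default mapping : container 33 -> host $h_default" \
     "(can write files owned by web: $(writable_by_owner "$h_default" "$WEB_UID"))"
echo "keep-id:uid=33  : container 33 -> host $h_keepid" \
     "(can write files owned by web: $(writable_by_owner "$h_keepid" "$WEB_UID"))"
```

Running it shows the trade-off behind the commented-out lines in the question: under the default mapping, container UID 33 is host UID 100032, so either the directory stays owned by web and is unwritable from the container, or it is chowned (via podman unshare) to 100032 and is no longer owned by web. With keep-id:uid=33,gid=33 (the UserNS= line in the .kube file, or the userns annotation with that value) container UID 33 is web's own host UID, so a directory owned by web is writable from inside with no chown at all. Plain keep-id without uid= is not enough here: it keeps web's numeric UID the same inside the container, so UID 33 inside still maps to a subordinate UID.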
This is what worked in the end:
chown -R web:web /home/web
usermod --add-subuids 100000-165535 --add-subgids 100000-165535 web
/home/web/pod-web.yml:
/home/web/.config/containers/systemd/pod-web.kube:
%p will be replaced with pod-web from the filename.
In particular, (13)Permission denied: AH00072: make_sock: could not bind to address was solved with securityContext: capabilities: add: ["NET_BIND_SERVICE"].