
As I have Fedora, I tried to run the nginx example from their tutorial, but I don't get nginx to show any content.

When I run this container:

podman run --name mynginx1 -p 8080:80 -d nginx

I get the Welcome to nginx! page.

But when I try to run the example with a directory mounted:

podman run --name mynginx2 \
  --mount type=bind,source=/home/simon/Dokumente/podman/nginx/content,target=/usr/share/nginx/html \
  -p 9080:80 -d nginx

I also get the Welcome to nginx! page, but I have an index.html file in that source directory.

What is the problem with that container?

BMitch
8bit
  • Might be a dumb question but ya never know; are you going to localhost:9080 instead of localhost:8080 when testing the mounted version? – J. Scott Elblein May 29 '20 at 22:59
  • [podman 4.x does support `--volume`](https://stackoverflow.com/a/71497834/6309), including folder bind mount – VonC Mar 16 '22 at 13:39

4 Answers


Yes, indeed it's an SELinux issue, as @hariK says, but disabling SELinux is not a secure option; rather, apply the Z flag when mounting the volume. This deals with applying the appropriate labels, as mentioned here and also here.

podman run --name mynginx2 \
  -v /home/simon/Dokumente/podman/nginx/content:/usr/share/nginx/html:Z \
  -p 9080:80 -d nginx
James Dube
  • After hours of searching, this worked! Granted, I think the syntax is pretty unintuitive and a bit ugly (I would have never discovered this on my own). Thanks! – Nick Saccente Aug 01 '21 at 21:25
  • I also have to add `--userns=keep-id` when I do this with either `--volume` or `--mount` – FilBot3 Jan 13 '22 at 17:25

You can run the podman command with the --privileged flag to disable host isolation:

$ podman run --name mynginx2 --privileged \
  --mount type=bind,source=/home/simon/Dokumente/podman/nginx/content,target=/usr/share/nginx/html \
  -p 9080:80 -d nginx

From the podman man page:

--privileged=true|false

Give extended privileges to this container. The default is false.

By default, Podman containers are unprivileged (=false) and cannot, for example, modify parts of the operating system. This is because by default a container is only allowed limited access to devices. A "privileged" container is given the same access to devices as the user launching the container.

A privileged container turns off the security features that isolate the container from the host. Dropped Capabilities, limited devices, read-only mount points, Apparmor/SELinux separation, and Seccomp filters are all disabled.

Rootless containers cannot have more privileges than the account that launched them.

blaztinn
  • I think the answer by @James Dube is better in this case. It achieves the same goal without turning off all the security features. – dreua Feb 15 '22 at 11:07

When we bind the volume, it loses permission to the path /usr/share/nginx/html. This happens because of SELinux enforcement.

mynginx1

root@f3fb6ece7eba:/usr/share/nginx/html# ls
50x.html  index.html

mynginx2

root@af0803674402:/usr/share/nginx/html# ls
ls: cannot open directory '.': Permission denied

Check the SELinux policy of the host which runs podman.

$ getenforce 
Enforcing

If it is in Enforcing mode change it to Permissive.

$ sudo setenforce 0
$ getenforce 
Permissive

Re-run the mynginx2 container, exec into it and access the contents of /usr/share/nginx/html:

$ podman run --name mynginx2 --mount type=bind,source=/home/tc/q2,target=/usr/share/nginx/html -p 9080:80 -d nginx
7ff2bdfb7ccfc6f90a9bd7957b08e48ea72d7c2303d47d11a412c6c8601976b6
$ podman exec -it mynginx2 bash
root@7ff2bdfb7ccf:/# cd /usr/share/nginx/html/
root@7ff2bdfb7ccf:/usr/share/nginx/html# ls
index.html


$ curl -I -s 127.0.0.1:8080
HTTP/1.1 200 OK

$ curl -I 127.0.0.1:9080
HTTP/1.1 200 OK
hariK
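The check behind both the Z-flag answer above and hariK's setenforce walk-through, written out as an added shell example (not code from any of the answers or from podman itself): it reads the SELinux mode and the source directory's label, decides whether a relabel is needed, and prints the podman command with the right suffix. The type names container_file_t and container_ro_file_t come from the container-selinux policy; the live check_mount_source function assumes GNU coreutils, where ls -Zd prints the context in the first column. The helper functions take plain strings so they can be exercised without an SELinux host.

```sh
#!/bin/sh
# Added example: decide whether a bind-mount source directory needs an SELinux
# relabel before a podman container can read it, and print the fixed command.
# Pure helpers take strings; check_mount_source() runs the real host commands.

# Extract the SELinux type (third field) from a context such as
# "unconfined_u:object_r:user_home_t:s0".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Types a container process (container_t) may read. container_file_t is what
# podman applies with :z / :Z; container_ro_file_t is the read-only variant.
# Any other type (user_home_t, for example) is denied when SELinux is
# Enforcing, which is the "Permission denied" seen inside mynginx2.
label_is_container_readable() {
    case "$(selinux_type "$1")" in
        container_file_t|container_ro_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# needs_relabel MODE CONTEXT: true (0) when SELinux is Enforcing and the
# directory's current label would not be readable by the container.
needs_relabel() {
    mode="$1"; ctx="$2"
    [ "$mode" = "Enforcing" ] || return 1
    label_is_container_readable "$ctx" && return 1
    return 0
}

# podman_bind_flag MODE CONTEXT: prints ":Z" when a private relabel is
# needed, nothing otherwise. :Z gives the directory an MCS category pair
# unique to this container; use :z instead when several containers must
# share the same source directory.
podman_bind_flag() {
    if needs_relabel "$1" "$2"; then printf ':Z\n'; else printf '\n'; fi
}

# check_mount_source DIR: live version using getenforce and ls -Zd
# (assumes GNU ls output: "<context> <name>"). Hosts without SELinux
# report Disabled and get no suffix.
check_mount_source() {
    dir="$1"
    mode=$(getenforce 2>/dev/null || echo Disabled)
    ctx=$(ls -Zd "$dir" 2>/dev/null | awk '{print $1}')
    flag=$(podman_bind_flag "$mode" "$ctx")
    echo "SELinux: $mode  label: ${ctx:-none}  -> mount suffix: '${flag}'"
    echo "podman run --name mynginx2 -v ${dir}:/usr/share/nginx/html${flag} -p 9080:80 -d nginx"
}
```

After the :Z run, ls -Zd on the source directory should show container_file_t with an s0:cNNN,cNNN category pair; :z gives the same type without the per-container categories. The relabel is applied to the host directory itself and persists after the container is removed, which is why the podman man page warns against using these flags on /home, /usr or other system paths: confined host services that depend on the old label would lose access.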

When dealing with a mounted network drive, a pod, and/or a podman version < 4.0 (iirc all Ubuntu < 20.10):

Pass --group-add keep-groups when running the container / pod, i.e.

podman run -d -v /mnt/data:/data --group-add keep-groups

or in case of a pod where container con2 needs access to /mnt/data:

buildah bud -f Dockerfile -t doit
podman pod create -n podgroup
podman run -d --pod podgroup --name=con1 localhost/doit
podman run -d -v /mnt/data:/data --group-add keep-groups --pod podgroup --name con2 localhost/doit

Here it was not possible to pass --mount to podman pod create, so none of the presented solutions worked.
Hope this saves the fellow visitor a few hours of time.

Docs: https://docs.podman.io/en/v3.4.2/markdown/podman-run.1.html#configure-keep-supplemental-groups-for-access-to-volume

philmaweb
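The condition that --group-add keep-groups addresses, as an added shell example (not code from philmaweb's answer or from podman): in a rootless container the launching user's supplementary groups are not mapped into the container's user namespace (they show up as nogroup inside), so a directory that the host user can read only through such a group becomes unreadable in the container. needs_keep_groups() decides this from the path's owner, group and mode and the user's ids; podman_group_flag() is the live wrapper and assumes GNU stat's -c format and the id command.

```sh
#!/bin/sh
# Added example: detect when a bind-mount source is reachable only via one of
# the caller's supplementary groups, the case for --group-add keep-groups.

# group_in_list GID "GID GID ...": true (0) when GID appears in the list.
group_in_list() {
    needle="$1"
    for g in $2; do
        [ "$g" = "$needle" ] && return 0
    done
    return 1
}

# needs_keep_groups PATH_UID PATH_GID PATH_OCTAL_MODE USER_UID USER_GID "SUPP_GIDS"
# True (0) only when access to the path hinges on a supplementary group:
#   - the user is not the owner (owner bits apply regardless of groups),
#   - the path is not readable by "other",
#   - the group bits grant read, and
#   - the path's group is in the user's group list but is not the primary
#     group, which rootless podman does map into the container.
needs_keep_groups() {
    p_uid="$1"; p_gid="$2"; mode="$3"; u_uid="$4"; u_gid="$5"; supp="$6"
    [ "$p_uid" = "$u_uid" ] && return 1
    other=$(( 0$mode & 04 ))      # leading 0 forces octal arithmetic
    group=$(( 0$mode & 040 ))
    [ "$other" -ne 0 ] && return 1
    [ "$group" -ne 0 ] || return 1
    [ "$p_gid" = "$u_gid" ] && return 1
    group_in_list "$p_gid" "$supp"
}

# podman_group_flag DIR: live check with GNU stat and id; prints the option
# when needed so it can be spliced into a podman run line, e.g.
#   podman run -d -v /mnt/data:/data $(podman_group_flag /mnt/data) --pod podgroup --name con2 localhost/doit
podman_group_flag() {
    dir="$1"
    set -- $(stat -c '%u %g %a' "$dir")   # uid gid octal-mode
    if needs_keep_groups "$1" "$2" "$3" "$(id -u)" "$(id -g)" "$(id -G)"; then
        printf -- '--group-add keep-groups\n'
    fi
}
```

The option only forwards groups the host user already holds; it does not grant anything new, so it is the least-privilege fix compared with --privileged or running the container as root on a world-readable share.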