21

I am starting to learn about containers using podman that came with RHEL8.1 (which AFAIK can be used in place of docker), and have the following baby Dockerfile as a learning exercise:

    # Use Alpine Linux base image
    FROM alpine:latest

    # Install packages
    RUN apk --no-cache add bash gcc make

    # Make a directory for source code
    RUN mkdir /src_dir

    # Set working directory to the same directory
    WORKDIR /src_dir

    # Set this directory as a volume
    VOLUME [ "/src_dir" ]

As you can see, I've installed the most basic gcc and make into this container with the goal of mounting a set of source files on my container host into the /src_dir directory within the container.

I next build the container image in the host directory containing the Dockerfile:

podman build -t my_image . 

I then start the container with this command

podman run -it -v /host/foobar:/src_dir my_image /bin/bash

Where /host/foobar/ on my host is an arbitrary directory containing some arbitrary source code, all of which my local user on the host has full read/write access to. For example, there is one file /host/foobar/test.c. This then brings me to a bash prompt inside the container. I can see that I'm at the correct place because:

    bash-5.0# pwd
    /src_dir

However, I have absolutely no read/write access to /src_dir. Both ls -lh and cat test.c gave me permission denied errors. If I change to the root directory (or any other directory) of the container, I can see and access other things. Strangely, if I run ls -lh / I can see /src_dir as being owned by root:root, so I don't understand why as the container's root user I can't access anything in it.

I also tried podman inspect [container ID], and in the output I can see:

    ...
    "Mounts": [
        {
            "Type": "bind",
            "Name": "",
            "Source": "/host/foobar",
            "Destination": "/src_dir",
            "Driver": "",
            "Mode": "",
            "Options": [
                "rbind"
            ],
            "RW": true,
            "Propagation": "rprivate"
        }
    ]
    ...

Which suggests that there is read/write permission?

Perhaps I'm missing something obvious as a beginner, but what do I have to do so that I can run the gcc and make inside this container on the source files mounted in /src_dir so that the container essentially acts as a complete development environment?

3 Answers

30

Thanks to the people here, the solution is quite simple (but not obvious):

My GNU/Linux container host has SELinux activated, and that's why I was having permissions problems. The solution is to simply append a :z to the podman run volume argument so that this:

podman run -it -v /host/foobar:/src_dir my_image /bin/bash

becomes this:

podman run -it -v /host/foobar:/src_dir:z my_image /bin/bash

That's it.

3
  • 3
    I've spent so many hours trying to understand the cause of a similar error on my rpi4 running fedora iot, experimenting with linuxserver.io containers. Finally I understood the problem well enough that I was able to find this answer! Thank you! The following red hat post appears to have some more information redhat.com/sysadmin/user-namespaces-selinux-rootless-containers Commented Jan 11, 2021 at 21:53
  • The :z flag is not supported in Mac OS. Any suggestions on a fix for that host env? Commented Dec 8, 2023 at 19:27
  • @Jeremy but MacOS also doesn't run SELinux, does it? :z helps when the error is SELinux related, you likely have a different problem. Commented Mar 20, 2024 at 9:40
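
An added example, not part of the original answer or of podman: a small shell helper that decides whether a bind mount needs the `:z` suffix described above, based on the SELinux mode and the host directory's label. The function names and the short list of paths it refuses to relabel are assumptions of this sketch.

```shell
#!/usr/bin/env bash
# Added example: pick the -v argument for a bind mount on an SELinux host.

# Extract the type field from a context such as
# "unconfined_u:object_r:user_home_t:s0" (user:role:type:level).
selinux_type() {
    local ctx=$1
    ctx=${ctx#*:}                 # drop the user field
    ctx=${ctx#*:}                 # drop the role field
    printf '%s\n' "${ctx%%:*}"    # keep the type, drop the level
}

# Directories that should not be relabeled wholesale.
# Illustrative subset (assumption); podman's own refusal list may differ.
is_sensitive_path() {
    case "${1%/}" in
        ""|/home|/etc|/usr|/var|/root|/tmp|"${HOME%/}") return 0 ;;
        *) return 1 ;;
    esac
}

# Print the -v argument for host dir $1 mounted at $2, given the
# SELinux mode $3 (getenforce output) and the directory's context $4.
volume_arg() {
    local src=$1 dst=$2 mode=$3 ctx=$4
    if [ "$mode" != "Enforcing" ]; then
        printf '%s:%s\n' "$src" "$dst"    # SELinux is not blocking access
    elif [ "$(selinux_type "$ctx")" = "container_file_t" ]; then
        printf '%s:%s\n' "$src" "$dst"    # already labeled for containers
    elif is_sensitive_path "$src"; then
        echo "refusing to relabel $src; mount a subdirectory instead" >&2
        return 1
    else
        printf '%s:%s:z\n' "$src" "$dst"  # shared relabel, as in the answer
    fi
}

# Live use on the host: script.sh /host/foobar /src_dir
if [ $# -eq 2 ]; then
    volume_arg "$1" "$2" "$(getenforce 2>/dev/null || echo Disabled)" \
        "$(stat -c %C "$1" 2>/dev/null)"
fi
```

The printed value is what goes after `-v` in `podman run`; `ls -Zd /host/foobar` shows the same context that `stat -c %C` reads.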
2

On macOS the :z doesn't seem to do the trick:

    $ podman run -it --rm -v .:/data:z alpine
    Error: preparing container 976...1f8 for attach: SELinux relabeling of /var/home/core is not allowed

But for some reason, using an absolute source path does:

    $ podman run -it --rm -v `pwd`:/data alpine
    / # ls /data
    <... the files I expect ...>
1
  • This. Thank you! Commented Jan 7 at 15:33
0

I ran into the same error with a user just running "podman ps -a". Since our home directories are NFS (and NFS does not play well with podman), we store the container images under /opt/container-images. In this case, it turned out that /opt was at 100% usage. Hope this saves others time.
