Quadlet #
Use the following command to check that a .container file is well formed; it prints the systemd units Quadlet would generate and reports parse errors without installing anything. Run as root it reads the units in /etc/containers/systemd/; for rootless units add --user so it reads ~/.config/containers/systemd/ instead:
/usr/libexec/podman/quadlet --dryrun
User Namespace #
In your container, the Apache web server process (httpd) runs as the apache user (UID 60). The html directory in your home directory is owned by your UID, which means that inside the container it appears to be owned by root.
In rootless containers, the UIDs inside the container are offset through the user namespace. My user namespace mapping looks like this:
$ podman unshare cat /proc/self/uid_map
0 3267 1
1 100000 65536
Each line of uid_map reads: first UID inside the namespace, first UID on the host, number of UIDs in the range. So UID 0 inside the container is my host UID 3267, and the range starting at UID 1 maps onto host UIDs starting at 100000: UID 1 is 100000, UID 2 is 100001, ... UID 60 is 100059. That means I need to set the ownership of the html directory to host UID 100059.
I can do this fairly simply with the podman unshare command, which runs the chown inside my user namespace so I can give it the container UID directly:
$ podman unshare chown 60:60 ./html
U command option #
The mariadb image is another example of this; it runs as the mysql user, UID 999:
$ podman run docker.io/mariadb grep mysql /etc/passwd
mysql:x:999:999::/home/mysql:/bin/sh
If you created a directory on the host to hold the database, you need to figure out which host UID 999 maps to in your user namespace. On my system this is UID 100998.
Podman supplies the :U volume option for this exact situation. Appending :U to a bind mount tells Podman to recursively change the ownership (chown) of the source directory on the host so that it matches the UID and GID the container process runs as, translated through the user namespace.
Try it out by first creating the directory for the database. Notice that the directory in your home directory is owned by your user:
$ mkdir mariadb
$ ls -ld mariadb/
drwxrwxr-x. 1 dwalsh dwalsh 0 Oct 23 06:55 mariadb/
Now run the mariadb container with --user mysql and bind mount ./mariadb on /var/lib/mariadb with the :U option. Notice that inside the container the directory is now owned by the mysql user:
$ podman run --user mysql -v ./mariadb:/var/lib/mariadb:U \
docker.io/mariadb ls -ld /var/lib/mariadb
drwxrwxr-x. 1 mysql mysql 0 Oct 23 10:55 /var/lib/mariadb
If you look at the mariadb directory on the host again, you will see that it is now owned by UID 100998, or whatever UID 999 maps to in your user namespace:
$ ls -ld mariadb/
drwxrwxr-x. 1 100998 100998 0 Oct 23 06:55 mariadb/
examine all the UIDs defined within the container image #
podman exec --user root ldap /bin/bash -c "find / -mount -printf \"%U=%u\n\" | sort -un"
Here ldap is the name of a running container; --user root makes sure every file in the image is readable.
-mount: search only the current filesystem and do not cross mount points, so bind-mounted volumes and API filesystems such as /proc and /sys inside the container are skipped; only the image's own files are listed.
-printf "%U=%u\n": %U is the numeric UID of the file's owner, %u is the owner's user name (find prints the number again when the UID has no entry in the image's /etc/passwd), so each line of output has the form UID=username.
sort -un: sort numerically and keep one line per UID, giving the list of accounts that own files in the image.
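As an added example (mine, not code from the original page or from Podman), the shell functions below do the user-namespace arithmetic that the text works out by hand for UID 60 to 100059 and UID 999 to 100998, in both directions, and then apply it to the UID=name listing produced by the find command above, so you can see which host UIDs each account in an image would leave behind on a volume. The uid_map sample is the one shown in the user namespace section; the image listing is constructed for illustration (the 70000 entry is there to show an unmapped UID), and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the page or from Podman: user-namespace UID
# arithmetic in both directions, applied to a "UID=name" image listing.
#
# A uid_map line reads: <first UID inside the namespace> <first UID on the host> <count>.
# A container UID c lies in a range when first_inside <= c < first_inside + count,
# and maps to first_host + (c - first_inside). Podman's :U option performs this
# chown for the container's primary user; these functions show it for any UID.

# Constructed sample: the mapping the text shows for
# `podman unshare cat /proc/self/uid_map`. On a real system use the live output:
#   UID_MAP=$(podman unshare cat /proc/self/uid_map)
UID_MAP='0 3267 1
1 100000 65536'

# Constructed sample: output of
# `find / -mount -printf "%U=%u\n" | sort -un` for a hypothetical image.
# The 70000 entry is deliberately outside the 65536-UID range of the map.
IMAGE_UIDS='0=root
60=apache
999=mysql
70000=70000'

# container_to_host_uid <container-uid> [uid_map]
# Prints the host UID that owns files created by that container UID.
# Prints nothing and returns 1 if the namespace has no slot for the UID.
container_to_host_uid() {
    printf '%s\n' "${2:-$UID_MAP}" | awk -v c="$1" '
        NF == 3 && c >= $1 && c < $1 + $3 { print $2 + (c - $1); found = 1; exit }
        END { exit !found }'
}

# host_to_container_uid <host-uid> [uid_map]
# The reverse lookup: `ls -n` on a volume shows owner 100998; which
# container UID is that? Returns 1 if the host UID is not in the map.
host_to_container_uid() {
    printf '%s\n' "${2:-$UID_MAP}" | awk -v h="$1" '
        NF == 3 && h >= $2 && h < $2 + $3 { print $1 + (h - $2); found = 1; exit }
        END { exit !found }'
}

# image_uids_on_host [image-uid-listing] [uid_map]
# Reads "UID=name" lines (the format the find command above produces) and
# prints "name container_uid host_uid" per account, or "unmapped" when the
# user namespace cannot represent that UID at all.
image_uids_on_host() {
    printf '%s\n' "${1:-$IMAGE_UIDS}" | while IFS='=' read -r cuid name; do
        [ -n "$cuid" ] || continue
        if huid=$(container_to_host_uid "$cuid" "${2:-$UID_MAP}"); then
            printf '%s %s %s\n' "$name" "$cuid" "$huid"
        else
            printf '%s %s unmapped\n' "$name" "$cuid"
        fi
    done
}

# Example run with the constructed samples; prints:
#   root 0 3267
#   apache 60 100059
#   mysql 999 100998
#   70000 70000 unmapped
image_uids_on_host
```

To use this against a real image, feed it the two live inputs: the uid_map from `podman unshare cat /proc/self/uid_map` and the listing from the find command run inside the container. An "unmapped" account is worth noticing before you bind mount anything: with only 65536 subordinate UIDs allocated in /etc/subuid, a container process cannot run as such a UID, and the image needs a larger allocation or a different user.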