I am brand new to podman, and trying to understand something I have observed with permissions / UIDs.
I have created two podman named volumes as my non-root user (named qsd), one to be mounted in a rootless InfluxDB container and one for a rootless Grafana container:
$ podman volume create influxdb_volume
$ podman volume create grafana_volume
I can see that this creates two directories, and that upon creation they are all owned by me:
$ tree -pud -L 2 /home/qsd/.local/share/containers/storage/volumes/
/home/qsd/.local/share/containers/storage/volumes/
├── [drwx------ qsd ] grafana_volume
│ └── [drwxr-xr-x qsd ] _data
└── [drwx------ qsd ] influxdb_volume
└── [drwxr-xr-x qsd ] _data
Now I create the two containers, and mount each of the named volumes into the respective ones:
$ podman run -d --rm --name grafana_container --publish 3000:3000 --mount type=volume,source=grafana_volume,destination=/var/lib/grafana grafana
$ podman run -d --rm --name influxdb_container --publish 8086:8086 --mount type=volume,source=influxdb_volume,destination=/var/lib/influxdb influxdb:1.8
and I can now see two processes running on the host, one with owner 166007 and one as qsd:
$ ps -ef | grep "grafana server"
166007 162111 162101 1 12:57 ? 00:00:06 grafana server
$ ps -ef | grep influxd
qsd 162184 162174 0 12:57 ? 00:00:00 influxd
Now I think I understand why this is:
Even though the containers are run by me (non-root user qsd) the InfluxDB container runs inside as root (UID=0) and the Grafana container runs inside as user grafana (UID=472):
$ podman exec -it influxdb_container id
uid=0(root) gid=0(root) groups=0(root)
$ podman exec -it grafana_container id
uid=472(grafana) gid=0(root) groups=0(root)
I can see that the UID of my user is 1005:
$ id
uid=1005(qsd) gid=1005(qsd) groups=1005(qsd),100(users)
and the subuid file looks like this:
$ cat /etc/subuid
qsd:165536:65536
So, for my user qsd, I should have a mapping which starts at UID 165536 if I have a rootless container running a process as non-root. In the Grafana case, the UID on the host should appear as 165536 + 472 - 1 = 166007, as it does. In the InfluxDB case, the host sees it as simply qsd, because the process is running as root inside the container.
Now, what I don't understand is why the InfluxDB named volume directory has changed itself to the following permissions (UID, GID = 166534) after the container has started up:
$ ls -ltr /home/qsd/.local/share/containers/storage/volumes/influxdb_volume/
total 0
drwxr-xr-x 5 166534 166534 41 Sep 11 12:58 _data
$ ls -ltr /home/qsd/.local/share/containers/storage/volumes/grafana_volume/
total 0
drwxrwxrwx 6 166007 qsd 77 Sep 11 13:12 _data
I would expect it to still be owned by qsd (as the process was running as qsd), because the container is running as the root user inside. Where does this number 166534 come from, and why is it not qsd?
Also, is there a better way to do this, rather than having the directory permissions changing to these other UID values?
Thank you!
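The arithmetic behind the host UIDs in this question can be checked with a small script. This is an added example, not code from the question or from the podman project; it models the user namespace mapping that rootless podman builds from the user's own UID (container UID 0 maps to that UID) and the `/etc/subuid` range (container UIDs 1 and up map onto the allotment starting at 165536). The subuid line and the UID 1005 are copied from the question; the container-side UID 999 is a constructed input used to show which container UID the host value 166534 corresponds to under this mapping, not a statement about what the influxdb image does. The actual mapping a rootless session uses can be read with `podman unshare cat /proc/self/uid_map`.

```python
# Added example (not from the question or podman): map UIDs between a
# rootless container's user namespace and the host, using the
# /etc/subuid entry and the user's own UID quoted in the question.

SUBUID_LINE = "qsd:165536:65536"  # copied from the question's /etc/subuid
USER_UID = 1005                   # qsd's own UID, from the question's `id` output


def parse_subuid(line):
    """Parse one /etc/subuid line of the form user:start:count."""
    name, start, count = line.strip().split(":")
    return name, int(start), int(count)


def build_uid_map(user_uid, subuid_line):
    """Return (container_start, host_start, length) triples in the same
    shape as /proc/self/uid_map: container UID 0 is the rootless user's
    own UID, and container UIDs 1..count map onto the subuid range."""
    _, start, count = parse_subuid(subuid_line)
    return [(0, user_uid, 1), (1, start, count)]


def container_to_host(container_uid, uid_map):
    """Host UID that a process or file with this container UID shows up as."""
    for c_start, h_start, length in uid_map:
        if c_start <= container_uid < c_start + length:
            return h_start + (container_uid - c_start)
    raise ValueError(f"container UID {container_uid} is not mapped")


def host_to_container(host_uid, uid_map):
    """Inverse lookup: which container UID owns a file that the host
    shows as host_uid (e.g. the 166534 on the volume's _data directory)."""
    for c_start, h_start, length in uid_map:
        if h_start <= host_uid < h_start + length:
            return c_start + (host_uid - h_start)
    raise ValueError(f"host UID {host_uid} is not mapped into this namespace")


def belongs_to_user(host_uid, uid_map):
    """True if the host UID is reachable from inside the user's namespace,
    i.e. the file is still controllable by the rootless user via
    `podman unshare`, even though plain `ls` shows an unfamiliar number."""
    try:
        host_to_container(host_uid, uid_map)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    uid_map = build_uid_map(USER_UID, SUBUID_LINE)
    print("container root (0) ->", container_to_host(0, uid_map))
    print("container grafana (472) ->", container_to_host(472, uid_map))
    print("host 166534 <- container", host_to_container(166534, uid_map))
    print("host 166534 in qsd's namespace:", belongs_to_user(166534, uid_map))
```

Running it reproduces the question's numbers: container UID 0 appears as 1005 (qsd), container UID 472 appears as 166007, and host UID 166534 is container UID 999 (165536 + 999 - 1), which lies inside qsd's subuid allotment, so the volume is still reachable from the user's namespace (for example with `podman unshare ls -ln` on the volume path) even though `ls` on the host shows a bare number.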