UID mapping works for standalone container, but fails when using a pod

[radiojosh]

I am trying to run a rootless pgadmin container. My host user is 2012:2012. The user inside the container is 5050:0. The following command starts the container successfully:

podman run --name home_pgadmin01 --network home_management --uidmap 5050:@2012:1 --gidmap 0:@2012:1 --env PGADMIN_DEFAULT_EMAIL=<email>@gmail.com --env PGADMIN_DEFAULT_PASSWORD=<pass> --publish 8082:80/tcp --volume home_pgadmin01_var_lib_pgadmin:/var/lib/pgadmin --detach=True docker.io/dpage/pgadmin4:latest

If I try to run the container in a pod, the command fails:

podman pod create --uidmap 5050:@2012:1 --gidmap 0:@2012:1 --network home_management --publish 8082:80 --name home_pgadmin01

podman run --name home_pgadmin01 --network home_management --pod home_pgadmin01.pod --env PGADMIN_DEFAULT_EMAIL=<email>@gmail.com --env PGADMIN_DEFAULT_PASSWORD=<pass> --publish 8082:80/tcp --volume home_pgadmin01_var_lib_pgadmin:/var/lib/pgadmin --detach=True docker.io/dpage/pgadmin4:latest

ERRO[0000] Starting some container dependencies
ERRO[0000] "container uses ID mappings ([]specs.LinuxIDMapping{specs.LinuxIDMapping{ContainerID:0x13ba, HostID:0x0, Size:0x1}}), but doesn't map UID 0"
Error: starting some containers: internal libpod error

If I try to fix the issue, I get a different error:

podman pod create --uidmap 5050:@2012:1 --uidmap 0:1:1000 --gidmap 0:@2012:1 --network home_management --publish 8082:80 --name home_pgadmin01

podman run --name home_pgadmin01 --network home_management --pod home_pgadmin01.pod --env PGADMIN_DEFAULT_EMAIL=<email>@gmail.com --env PGADMIN_DEFAULT_PASSWORD=<pass> --publish 8082:80/tcp --volume home_pgadmin01_var_lib_pgadmin:/var/lib/pgadmin --detach=True docker.io/dpage/pgadmin4:latest

Error: OCI runtime error: crun: mount `devpts` to `dev/pts`: Invalid argument

I saw some articles related to the "devpts" error, stating that I needed to remap at least 65356 UIDs, but that gave me an error also. What is my best way forward?

[eriksjolund]

I'm able to reproduce the error message

Error: OCI runtime error: crun: mount `devpts` to `dev/pts`: Invalid argument

with this bash script that I think is more or less the same what you do

start1.sh

#!/bin/bash

set -o errexit
set -o nounset

host_uid=$(id -u)
host_gid=$(id -g)

container_uid=5050
container_gid=0

network=$1
pod=$2
port=$3
volume=$4
container=$5

password=not-a-safe-password
[email protected]

podman network create $network
podman volume create $volume

podman pod create \
     --uidmap ${container_uid}:@${host_uid}:1 \
     --uidmap 0:1:1000 \
     --gidmap ${container_gid}:@${host_gid}:1 \
     --network $network \
     --publish ${port}:80 \
     --name $pod

podman run \
     --name $container \
     --network $network \
     --pod $pod \
     --env PGADMIN_DEFAULT_EMAIL=$email \
     --env PGADMIN_DEFAULT_PASSWORD=$password \
     --publish ${port}:80/tcp \
     --volume ${volume}:/var/lib/pgadmin \
     --detach=True \
     docker.io/dpage/pgadmin4:latest

$ bash start1.sh test test 8082 test testcontainer
test
test
72584af5d795966308e10efc3d523470414f81d4ca935e71f59740bfb44b361f
Error: OCI runtime error: crun: mount `devpts` to `dev/pts`: Invalid argument

If I modify the bash script somewhat, the error goes away

--- start1.sh	2025-01-04 23:04:11.357711588 +0000
+++ start2.sh	2025-01-04 23:04:26.236928398 +0000
@@ -22,9 +22,8 @@
 podman volume create $volume
 
 podman pod create \
-     --uidmap ${container_uid}:@${host_uid}:1 \
-     --uidmap 0:1:1000 \
-     --gidmap ${container_gid}:@${host_gid}:1 \
+     --uidmap +${container_uid}:@${host_uid}:1 \
+     --gidmap +${container_gid}:@${host_gid}:1 \
      --network $network \
      --publish ${port}:80 \
      --name $pod
@@ -35,7 +34,6 @@
      --pod $pod \
      --env PGADMIN_DEFAULT_EMAIL=$email \
      --env PGADMIN_DEFAULT_PASSWORD=$password \
-     --publish ${port}:80/tcp \
      --volume ${volume}:/var/lib/pgadmin \
      --detach=True \
      docker.io/dpage/pgadmin4:latest

$ bash start2.sh test test 8082 test testcontainer
test
test
6078a89e476fde6a2cf60b19fe9fff829cf8931d64e10827306d00b2b69bc0da
65292767cd5fb32b5b841bf1e5f8184b59efa1598db3528796b88af19b55d3a0

start2.sh

Click me

#!/bin/bash

set -o errexit
set -o nounset

host_uid=$(id -u)
host_gid=$(id -g)

container_uid=5050
container_gid=0

network=$1
pod=$2
port=$3
volume=$4
container=$5

password=not-a-safe-password
[email protected]

podman network create $network
podman volume create $volume

podman pod create \
     --uidmap +${container_uid}:@${host_uid}:1 \
     --gidmap +${container_gid}:@${host_gid}:1 \
     --network $network \
     --publish ${port}:80 \
     --name $pod

podman run \
     --name $container \
     --network $network \
     --pod $pod \
     --env PGADMIN_DEFAULT_EMAIL=$email \
     --env PGADMIN_DEFAULT_PASSWORD=$password \
     --volume ${volume}:/var/lib/pgadmin \
     --detach=True \
     docker.io/dpage/pgadmin4:latest

[radiojosh]

Ok, that totally fixed the issue. No more error with + in front of the container UID. Now I just have to figure out why the volume _data directory and its parent aren't owned by my user "home" (2012:2012), which seems to be a separate issue (and was also an issue before):

Commands:

[home@dev01 volumes]$ podman pod create --uidmap +5050:@2012:1 --network home_management --publish 8082:80 --name home_pgadmin01
9f8ab5663686f9fbef95edd6f6e8a78adaeb5179515afed3e5db03db5d873f65

[home@dev01 volumes]$ podman run --name home_pgadmin01 --network home_management --pod home_pgadmin01 --env PGADMIN_DEFAULT_EMAIL=<email>@gmail.com --env PGADMIN_DEFAULT_PASSWORD=<pass> --volume home_pgadmin01_var_lib_pgadmin:/var/lib/pgadmin:U,Z --detach=True docker.io/dpage/pgadmin4:latest
293ea62d6c3adcb27156f084ce45921c4d90b2fdd7b5764de380ba5f4dd102f9

Host user sees _data folder (..) owned by 296608

sudo ls -larth home_pgadmin01_var_lib_pgadmin/_data
total 188K
drwx------. 3 296608 home 4.0K Jan  5 16:55 ..
drwxr-xr-x. 2 home   home 4.0K Jan  5 16:56 storage
drwxr-xr-x. 2 home   home 4.0K Jan  5 16:56 azurecredentialcache
-rw-------. 1 home   home 164K Jan  5 16:56 pgadmin4.db
drwxrwxr-x. 5 301657 home 4.0K Jan  5 16:56 .
drwx------. 2 home   home 4.0K Jan  5 16:56 sessions

Unshare sees the _home folder (..) owned by bin

[home@dev01 volumes]$ podman unshare ls -larth home_pgadmin01_var_lib_pgadmin/_data
total 188K
drwx------. 3 bin  root 4.0K Jan  5 16:55 ..
drwxr-xr-x. 2 root root 4.0K Jan  5 16:56 storage
drwxr-xr-x. 2 root root 4.0K Jan  5 16:56 azurecredentialcache
-rw-------. 1 root root 164K Jan  5 16:56 pgadmin4.db
drwxrwxr-x. 5 5050 root 4.0K Jan  5 16:56 .
drwx------. 2 root root 4.0K Jan  5 16:56 sessions

Container sees everything correct:

/var/lib/pgadmin $ ls -larth
total 192K
drwxr-xr-x    1 root     root        4.0K Dec  9 12:53 ..
drwxr-xr-x    2 pgadmin  root        4.0K Jan  5 23:05 storage
drwxr-xr-x    2 pgadmin  root        4.0K Jan  5 23:05 azurecredentialcache
-rw-------    1 pgadmin  root      164.0K Jan  5 23:06 pgadmin4.db
drwxr-xr-x    5 pgadmin  root        4.0K Jan  5 23:06 .
drwx------    2 pgadmin  root        4.0K Jan  5 23:06 sessions

[eriksjolund]

Now I just have to figure out why the volume _data directory and its parent aren't owned by my user "home" (2012:2012), which seems to be a separate issue (and was also an issue before):

Do you have a full reproducer?

When I run

 bash start2.sh test test 8082 test testcontainer

and check file ownership

$ podman unshare find ~/.local/share/containers/storage/volumes/test -not -group 0
$ podman unshare find ~/.local/share/containers/storage/volumes/test -not -user 0
$

I see that all files and directories are owned by the regular user on the host.
Another way to check this is

$ find ~/.local/share/containers/storage/volumes/test -not -user $(id -u)
$ find ~/.local/share/containers/storage/volumes/test -not -group $(id -g)
$ 

(but podman unshare find ... is better because it avoids permission denied problems)

Maybe you need to delete the volume and create it again?

podman volume rm home_pgadmin01_var_lib_pgadmin
podman volume create home_pgadmin01_var_lib_pgadmin

You could also try using a newly created directory and bind-mount it.

I think it's better not to use the U option. I've haven't seen any examples where it is required.
(Does anyone know of such examples?)

Instead of

 --volume home_pgadmin01_var_lib_pgadmin:/var/lib/pgadmin:U,Z 

use

 --volume home_pgadmin01_var_lib_pgadmin:/var/lib/pgadmin:Z 

or maybe use a bind-mounted directory

 --volume $HOME/pgadmin_data:/var/lib/pgadmin:Z 

(run mkdir $HOME/pgadmin_data beforehand)

If I remember correctly Podman treats a named volume and a bind-mounted directory differently in regards
to any chown() preparations.

Are there other containers running in the pod?
If you need different UID and GID mappings for the different containers, then it's not possible to run them in the same pod.