podman-compose
Does podman-compose have a way to pass the "--userns keep-id" argument?
If I add a line to a yaml to be read by podman-compose with "userns_mode: keep-id", it ignores it completely. I've tried a few variations like "userns: keep-id" (matching the podman command line argument), but every time the code generated to call the containers does not change. Is this argument not supported yet in podman-compose?
Only workaround I found is to set it in .bashrc/.zshrc:
export PODMAN_USERNS=keep-id
As per http://docs.podman.io/en/latest/markdown/podman-create.1.html for --userns, "It defaults to the PODMAN_USERNS environment variable."
That said, I then had other perms issues creating the container (container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: rootfs_linux.go:59: mounting "sysfs" to rootfs at "/sys" caused: operation not permitted: OCI runtime permission denied error), but that's off topic.
I've been facing issues with permissions on volume mounts for Postgres containers. Basically some folder inside my $HOME that Postgres Dockerfile tries to chown inside the container. Passing --userns=keep-id apparently solves the problem but I cannot rely on the environment variable because then other services in the same docker-compose.yml fail when doing rm for instance, thus I need to manage them separately.
you can pass it using userns_mode: keep-id in the YAML
https://github.com/containers/podman-compose/blob/105c27c8dc902a72fcf1cd6784159b43fed6f808/podman_compose.py#L866
here is an example
https://github.com/containers/podman-compose/blob/devel/examples/nodeproj/docker-compose.yml#L17 https://github.com/containers/podman-compose/tree/devel/examples/nodeproj
the example out of the box passes UID from .env not keep-id
you can also put PODMAN_USERNS=keep-id in your .env because all PODMAN_* are passed
I've just tried adding that line to a docker-compose.yml but it doesn't work for me, as @coreyryanhanson pointed out. podman-compose generates a podman create command which doesn't include the flag --userns=keep-id, so the only way to change this seems to be through the environment.
PODMAN_USERNS=keep-id podman-compose up database
works perfectly.
The userns_mode config in podman-compose has not yet been released, it was added after the latest 1.0.3 release.
I have a compose file with two services. When using the devel branch and the userns: keep-id option in the services, I get the following error when running podman-compose up:
Error: --userns and --pod cannot be set together
Full command output:
podman-compose version: 1.0.4
['podman', '--version', '']
using podman version: 4.3.1
** excluding: set()
['podman', 'ps', '--filter', 'label=io.podman.compose.project=rtorrent-flood', '-a', '--format', '{{ index .Labels "io.podman.compose.config-hash"}}']
podman pod create --name=pod_rtorrent-flood --infra=false --share=
Error: adding pod to state: name "pod_rtorrent-flood" is in use: pod already exists
exit code: 125
podman volume inspect rtorrent-flood_rtorrent_scgi || podman volume create rtorrent-flood_rtorrent_scgi
['podman', 'volume', 'inspect', 'rtorrent-flood_rtorrent_scgi']
['podman', 'network', 'exists', 'rtorrent-flood_default']
podman create --name=rtorrent --pod=pod_rtorrent-flood --label io.podman.compose.config-hash=6db604d3f9ebcfb5e266cb0c09efa2ecb0dd0ea3f750f0457b30fc332b83ce8d --label io.podman.compose.project=rtorrent-flood --label io.podman.compose.version=1.0.4 --label [email protected] --label com.docker.compose.project=rtorrent-flood --label com.docker.compose.project.working_dir=/home/ige/rtorrent-flood --label com.docker.compose.project.config_files=compose.yaml --label com.docker.compose.container-number=1 --label com.docker.compose.service=rtorrent -v /home/ige/.config/rtorrent.rc:/home/rtorrent/.config/rtorrent/rtorrent.rc:z,ro -v rtorrent-flood_rtorrent_scgi:/home/rtorrent/.local/share/rtorrent/scgi -v /storage/merged/rtorrent_watch:/home/rtorrent/.local/share/rtorrent/watch -v /storage/merged/rtorrent_dl_test:/home/rtorrent/.local/share/rtorrent/download -v /home/ige/.local/state/rtorrent/session:/home/rtorrent/.local/share/rtorrent/.session:z --net rtorrent-flood_default --network-alias rtorrent -p 0.0.0.0:9779:9779/tcp --userns keep-id localhost/rtorrent:v0.9.8-r16
Error: --userns and --pod cannot be set together
exit code: 125
podman volume inspect rtorrent-flood_rtorrent_scgi || podman volume create rtorrent-flood_rtorrent_scgi
['podman', 'volume', 'inspect', 'rtorrent-flood_rtorrent_scgi']
['podman', 'network', 'exists', 'rtorrent-flood_default']
podman create --name=flood --pod=pod_rtorrent-flood --requires=rtorrent --label io.podman.compose.config-hash=6db604d3f9ebcfb5e266cb0c09efa2ecb0dd0ea3f750f0457b30fc332b83ce8d --label io.podman.compose.project=rtorrent-flood --label io.podman.compose.version=1.0.4 --label [email protected] --label com.docker.compose.project=rtorrent-flood --label com.docker.compose.project.working_dir=/home/ige/rtorrent-flood --label com.docker.compose.project.config_files=compose.yaml --label com.docker.compose.container-number=1 --label com.docker.compose.service=flood -v /storage/merged/rtorrent_dl_test:/home/rtorrent/.local/share/rtorrent/download -v rtorrent-flood_rtorrent_scgi:/home/rtorrent/.local/share/rtorrent/scgi --net rtorrent-flood_default --network-alias flood -p 127.0.0.1:8830:3000/tcp --userns keep-id -u 1000:1000 localhost/flood:v4.7.0
Error: --userns and --pod cannot be set together
exit code: 125
podman start -a rtorrent
Error: no container with name or ID "rtorrent" found: no such container
exit code: 125
podman start -a flood
Error: no container with name or ID "flood" found: no such container
exit code: 125
Is this a bug? It seems rather weird because PODMAN_USERNS=keep-id podman-compose up works as expected for the same services (when not using the userns option in the compose file).
I'm trying to get Bitnami Odoo container https://github.com/bitnami/containers/blob/main/bitnami/odoo/15/debian-11/docker-compose.yml running on MacOS (Intel) here (Podman Remote with VM) and faced the same error as @Igetin. Workaround using environment variable does not work afaik with containers using different uid's.
podman version 4.4.2, podman-compose version: 1.0.4 (commit 08ffcf6)
podman create commands that podman-compose up runs have the incompatible --pod argument which can be disabled however using --no-pod like this (devel branch):
podman-compose --no-pod up
I got a bit further while hitting some other errors now but that might be worth a try. Found it here https://github.com/containers/podman-compose/issues/442 by searching through the code.
EDIT:
It does indeed run and set the userns option properly with --no-pod so that I'm able to edit volume from the container.
Simple podman command that I try to run is podman run -d -v ./html:/var/www/html --userns=keep-id:uid=1001 -p 8080:8080 --name httpd-test-keepid registry.access.redhat.com/ubi8/httpd-24:latest
and testing it with compose file:
version: '2'
services:
  httpd-test-keepid:
    image: registry.access.redhat.com/ubi8/httpd-24:latest
    volumes:
      - './html:/var/www/html'
    ports:
      - '8080:8080'
    userns_mode: keep-id:uid=1001
This is ending up with the same "--userns and --pod cannot be set together" error when running podman-compose up, but podman-compose --no-pod up works fine. I haven't learned pods so far and don't understand why podman-compose tries to use them by default here.
@jasalt Did you find any solution?
I'm having the same issue, userns_mode: keep-id:uid=1001 does nothing. I do not run the devel branch.
I have the same question.
@Akruidenberg This seems to work for me:
version: '3.9'
services:
  app:
    build:
      context: ./app
      dockerfile: Dockerfile
    restart: on-failure
    user: ${UID:-1000}:${GID:-1000}
    working_dir: /src
    volumes:
      - ./src:/src:rw,z
    networks:
      - bridge
    depends_on:
      - mariadb
    x-podman:
      uidmaps:
        - "0:1:1"
        - "${UID:-1000}:0:1"
      gidmaps:
        - "0:1:1"
        - "${GID:-1000}:0:1"
Notice the x-podman.
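What the x-podman uidmaps entries in the compose file above resolve to on the host, as an added example that is not part of the thread or of podman-compose. It assumes rootless Podman, where the second field of each map is an intermediate UID (0 is the invoking user, 1..N are that user's subordinate UIDs); the host UID 1000 and the subuid range 100000:65536 are constructed values.

```python
from typing import Dict, List, Optional, Tuple

# Constructed host values for illustration (assumptions, not from the thread):
HOST_UID = 1000                              # the rootless user running podman
SUBUID_START, SUBUID_COUNT = 100000, 65536   # that user's /etc/subuid range
# uidmaps from the compose file above, with ${UID:-1000} expanded to 1000
UIDMAPS = ["0:1:1", "1000:0:1"]


def parse_uidmap(entry: str) -> Tuple[int, int, int]:
    """Split 'container_uid:intermediate_uid:size' into validated integers."""
    parts = entry.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected container:intermediate:size, got {entry!r}")
    container, intermediate, size = (int(p) for p in parts)
    if container < 0 or intermediate < 0 or size < 1:
        raise ValueError(f"invalid range in {entry!r}")
    return container, intermediate, size


def intermediate_to_host(iuid: int) -> Optional[int]:
    """Rootless rule: intermediate 0 is the invoking user, 1..N its subordinate UIDs."""
    if iuid == 0:
        return HOST_UID
    if 1 <= iuid <= SUBUID_COUNT:
        return SUBUID_START + iuid - 1
    return None


def resolve(container_uid: int, uidmaps: List[str]) -> Optional[int]:
    """Host UID that backs container_uid, or None when no map entry covers it."""
    for entry in uidmaps:
        start, istart, size = parse_uidmap(entry)
        if start <= container_uid < start + size:
            return intermediate_to_host(istart + container_uid - start)
    return None


def report(container_uids: List[int]) -> Dict[int, Optional[int]]:
    """Map each container UID to its host UID under the thread's uidmaps."""
    return {uid: resolve(uid, UIDMAPS) for uid in container_uids}


if __name__ == "__main__":
    for cuid, huid in report([0, 1000, 33]).items():
        print(f"container uid {cuid:>5} -> host uid {huid if huid is not None else 'unmapped'}")
```

With these maps container root is backed by an unprivileged subordinate UID, while container UID 1000 is the host user, so files it writes to the ./src bind mount stay owned by that user. Any other UID in the image, such as 33 here, has no mapping at all.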
I think this issue should be closed. As of version 1.0.6 of podman-compose, the line of userns_mode: "keep-id" in a docker compose file just works fine.
@candleindark The last time I checked, this results in a creation error (as it should only be used when the container should run).
@candleindark --userns and --pod cannot be set together, so no, this has not been fixed.
Adding a +1 to this issue. userns_mode in a pod would absolutely fix all my woes with user mapping in rootless podman, none of the other user mapping solutions have worked perfectly like keep-id for userns_mode does when not in a pod.
Is there anyone working on this error? --userns and --pod cannot be set together
If not, where should I be looking to get the right eyes on this? This is a multi year ticket that would be amazing if it was resolved.
Podman-compose's development in general has been stale for quite some time now. I believe I read somewhere that they're planning to drop compose support at some point in favor of podman kube play. My suggestion would be to migrate to that, here's the documentation. The kube play command gained support for defining the userns option in the YAML a few months ago.
I've successfully switched my compose YAML stacks to the Kubernetes YAML format, so I can recommend it.