podman
Cannot see a Fuse Mount from all containers of a same pod
Issue Description
When running multiple containers in one pod, if one container mounts a FUSE filesystem inside the pod's volume, the content of that mount is visible only within the container that performed the mount.
Steps to reproduce the issue
- create a regular pod (root or rootless does not seem to make any difference) with a named volume at /mymount
- start a container inside this pod which 1) creates a directory /mymount/fuse and 2) runs the "sshfs" command to mount a FUSE filesystem on /mymount/fuse
- start another container inside the pod to check whether the mounted filesystem is available at /mymount/fuse
Describe the results you received
The second container:
- sees the /mymount/fuse directory
- does not see the content of /mymount/fuse
Describe the results you expected
The second container should see the content of /mymount/fuse
podman info output
host:
  arch: amd64
  buildahVersion: 1.35.1
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/local/libexec/podman/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 99.99
    systemPercent: 0.01
    userPercent: 0
  cpus: 10
  databaseBackend: sqlite
  distribution:
    codename: bookworm
    distribution: debian
    version: "12"
  eventLogger: file
  freeLocks: 2016
  hostname: bookworm
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 6.1.0-20-amd64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 9819537408
  memTotal: 10426384384
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.10.0
    package: Unknown
    path: /usr/lib/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/bin/crun
    version: |-
      crun version 1.14.4
      commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
      rundir: /tmp/storage-run-1001/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/local/bin/pasta
    package: Unknown
    version: |
      pasta 2024_02_20.1e6f92b
      Copyright Red Hat
      GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /tmp/storage-run-1001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 90h 34m 29.00s (Approximately 3.75 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/kguay/.config/containers/storage.conf
  containerStore:
    number: 13
    paused: 0
    running: 0
    stopped: 13
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/kguay/.local/share/containers/storage
  graphRootAllocated: 20956397568
  graphRootUsed: 2269433856
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /tmp/storage-run-1001/containers
  transientStore: false
  volumePath: /home/kguay/.local/share/containers/storage/volumes
version:
  APIVersion: 5.0.0
  Built: 1711351374
  BuiltTime: Mon Mar 25 07:22:54 2024
  GitCommit: e71ec6f1d94d2d97fb3afe08aae0d8adaf8bddf0
  GoVersion: go1.22.1
  Os: linux
  OsArch: linux/amd64
  Version: 5.0.0
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
No response
Additional information
Containers in a pod do not share the mount namespace (and that is not even possible with OCI containers), so you need to handle that by yourself.
Have you tried specifying the :[r]shared mount option for the volume mount where the fuse mount will be done?
Thx Giuseppe, I am indeed using rshared.
Having made more tests, it turns out that this is not working only in a rootless scenario.
Here are the steps I am following in rootful:
- create a new pod: podman pod create --volume namedvolumes/mymount --device /dev/fuse podshared
- run a new container inside this pod: podman run --cap-add SYS_ADMIN -it --rm --pod podshared docker.io/alpine /bin/sh, then inside it: sshfs <@>:/tmp /mymount
- run a new container inside the pod: podman run --cap-add SYS_ADMIN -it --rm --pod podshared docker.io/alpine /bin/sh, then: ls /mymount ---> I can see the same content as in container number 1
When running this in rootless, the only difference is when running the container, where I am passing map-gw to be able to run my sshfs command.
podman run --cap-add SYS_ADMIN -it --rm --network pasta:--map-gw --pod podshared docker.io/alpine /bin/sh
In that scenario, container number 2 does not see the content of /mymount
rootless cannot propagate mounts to the host mount namespace.
What you can try to do is to use podman unshare to join the user+mount namespace used for the rootless environment and make sure the mounts there are shared. What do you get with podman unshare findmnt -o TARGET,PROPAGATION -R /. If you see private,slave then please fix it with podman unshare mount --make-rshared /
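The check and fix suggested above, as an added example that is not part of the thread or of the podman project. It parses the TARGET and PROPAGATION columns of findmnt (util-linux; the -r raw and -n no-headings flags are assumed to be available), flags any mount that is not shared, and wraps the two live commands in functions so the parse logic can be exercised on a constructed sample without touching a real namespace:

```shell
#!/bin/sh
# Added example, not code from the podman project or from this thread.
# Reports every mount in a `findmnt -o TARGET,PROPAGATION -R /` listing whose
# propagation is not "shared"; such a mount is what keeps a FUSE mount made in
# one container from being visible in the other containers of the pod.

# Print "TARGET PROPAGATION" for each mount that is private or slave-only.
# Reads findmnt output on stdin. Takes the last two fields of each line so it
# tolerates a header row and the tree glyphs findmnt prints without -r.
propagation_problems() {
    awk 'NF >= 2 && $NF != "PROPAGATION" && $NF !~ /shared/ { print $(NF-1), $NF }'
}

# Succeed (exit 0) when at least one mount in the input is not shared.
needs_make_rshared() {
    [ -n "$(propagation_problems)" ]
}

# Live check inside the rootless user+mount namespace that podman keeps for
# its containers; prints nothing when every mount is already shared.
check_rootless_propagation() {
    podman unshare findmnt -rno TARGET,PROPAGATION -R / | propagation_problems
}

# Live fix from the comment above: make the whole tree shared in that namespace.
fix_rootless_propagation() {
    podman unshare mount --make-rshared /
}

# Constructed sample (not captured from the reporter's machine): the shape
# findmnt produces when / is private and /sys is a slave mount.
SAMPLE_PRIVATE='TARGET PROPAGATION
/ private
/proc private
/sys private,slave
/home/user/.local/share/containers/storage/volumes shared'

# Constructed sample where everything is shared, so no fix is needed.
SAMPLE_SHARED='TARGET PROPAGATION
/ shared
/proc shared'

# Run directly: with --live inspect the real rootless namespace, otherwise
# show what the parser reports for the private sample.
if [ "${1:-}" = "--live" ]; then
    if check_rootless_propagation | grep -q .; then
        echo "non-shared mounts found; run: podman unshare mount --make-rshared /"
    else
        echo "all mounts in the rootless namespace are shared"
    fi
else
    printf '%s\n' "$SAMPLE_PRIVATE" | propagation_problems
fi
```

Run it with --live on the affected host to list the offending mounts; once fix_rootless_propagation has been applied, the live check should print nothing and a FUSE mount done in one container of the pod (with the volume mounted rshared) should appear in the others.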
A friendly reminder that this issue had no activity for 30 days.
As there never was a reply closing