pulp
The all in one docker container doesn't give me files on my filesystem I can't access
Migrated from https://pulp.plan.io/issues/6361
I experienced the same problem in two places when using the all_in_one image from this blog post: https://pulpproject.org/2020/03/15/pulp-fedora31-single-container/
I had run the commands from a new directory on my system /home/bmbouter/pulp_all_in_one/. Then when I try to run a backup which reads all files in my home directory as a user I received several errors:
One Error
One area was in the storage directory:
ListError: 'home/bmbouter/.local/share/containers/storage/overlay/454113ce0015f3f523dd7c49b2f25c3c9ec99464244d8e4f7941e7af01b75d3c/diff/usr/lib64/redis' [Errno 13] Permission denied: b'/home/bmbouter/.local/share/containers/storage/overlay/454113ce0015f3f523dd7c49b2f25c3c9ec99464244d8e4f7941e7af01b75d3c/diff/usr/lib64/redis'
ListError: 'home/bmbouter/.local/share/containers/storage/overlay/454113ce0015f3f523dd7c49b2f25c3c9ec99464244d8e4f7941e7af01b75d3c/diff/var/lib/pgsql' [Errno 13] Permission denied: b'/home/bmbouter/.local/share/containers/storage/overlay/454113ce0015f3f523dd7c49b2f25c3c9ec99464244d8e4f7941e7af01b75d3c/diff/var/lib/pgsql'
ListError: 'home/bmbouter/.local/share/containers/storage/overlay/454113ce0015f3f523dd7c49b2f25c3c9ec99464244d8e4f7941e7af01b75d3c/diff/var/lib/redis' [Errno 13] Permission denied: b'/home/bmbouter/.local/share/containers/storage/overlay/454113ce0015f3f523dd7c49b2f25c3c9ec99464244d8e4f7941e7af01b75d3c/diff/var/lib/redis'
ListError: 'home/bmbouter/.local/share/containers/storage/overlay/454113ce0015f3f523dd7c49b2f25c3c9ec99464244d8e4f7941e7af01b75d3c/diff/var/log/redis' [Errno 13] Permission denied: b'/home/bmbouter/.local/share/containers/storage/overlay/454113ce0015f3f523dd7c49b2f25c3c9ec99464244d8e4f7941e7af01b75d3c/diff/var/log/redis'
Second Error
The second area was in the working directory itself after I deleted the layers causing the first error.
ListError: 'home/bmbouter/pulp_all_in_one/pgsql' [Errno 13] Permission denied: b'/home/bmbouter/pulp_all_in_one/pgsql'
Related options (keep userns, SELinux label): https://github.com/pulp/pulp-openapi-generator/blob/main/generate.sh#L14
After discussion, I may decide to add a "single UID" mode to the container that would solve this.
However, this is the design of podman. It is desirable for security. If a user is not running podman without SELinux (e.g., they set it to permissive), and the processes in the container are compromised, then there is not much preventing the container processes from acting as the user on the system, a user that may have sudo, etc. "Containers do not contain". But if the daemons like pulp, postgres and nginx run as separate UIDs, then they are properly limited.