slim image with podman: bind mounts not working
Hi!
I am unable to get the "slim" docker image to work with podman on an x86_64 Debian 12:
$ podman --version
podman version 4.3.1
$ podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/redimp/otterwiki 2-slim 4d26fea160e0 2 days ago 217 MB
docker.io/redimp/otterwiki 2 e98619cd18f6 3 weeks ago 460 MB
$ sudo rm -rf app-data ; mkdir app-data ; podman run -v ./app-data:/app-data docker.io/redimp/otterwiki:2-slim
mkdir: can't create directory '/app-data/repository': Permission denied
I don't think that's a SELinux issue:
$ sestatus
SELinux status: disabled
$ sudo rm -rf app-data ; mkdir app-data ; podman run -v ./app-data:/app-data:z docker.io/redimp/otterwiki:2-slim
mkdir: can't create directory '/app-data/repository': Permission denied
$ sudo rm -rf app-data ; mkdir app-data ; podman run -v ./app-data:/app-data:Z docker.io/redimp/otterwiki:2-slim
mkdir: can't create directory '/app-data/repository': Permission denied
Workaround: Use the non-slim image :-).
Let me know if there is any further information you require from me.
Hey @twied, thanks for reporting this! The documentation needs to be clearer here: This is kind of intended:
The -slim image is running as an unprivileged user with the uid 33. The uid 33 has no permissions in your ./app-data, so the user in the slim image cannot create the '/app-data/repository' directory.
The default image is running as root with uid 0 and starts the uwsgi server with uid 33. But before it starts the uwsgi, it runs a mkdir and chown -R as uid 0 on '/app-data'.
With the default image setting up the directory with the permissions, you should be able to switch to the -slim image without any problems.
Add the Tip to the documentation: https://otterwiki.com/-/commit/17bbb0
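
The permission situation described in the reply above can be checked before starting the -slim image. This is an added example, not part of the thread or the project's code. The uid 33 comes from the reply; the gid 33, the function names and the use of `podman unshare` for rootless setups are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. uid 33 is from the thread;
# gid 33 and all function names are assumptions.
SLIM_UID=33
SLIM_GID=33

# uid_can_write UID GID OWNER GROUP MODE
# Returns 0 if UID/GID may create entries in a directory with that owner,
# group and octal mode (needs write + search). Supplementary groups and
# ACLs are ignored.
uid_can_write() {
    uid=$1; gid=$2; owner=$3; group=$4; perms=$(( 0$5 ))
    if [ "$uid" -eq 0 ]; then return 0; fi   # root bypasses the mode bits
    if [ "$uid" -eq "$owner" ]; then bits=$(( (perms >> 6) & 7 ))
    elif [ "$gid" -eq "$group" ]; then bits=$(( (perms >> 3) & 7 ))
    else bits=$(( perms & 7 ))
    fi
    [ $(( bits & 3 )) -eq 3 ]
}

# check_app_data DIR [PREFIX...]
# Stats DIR (GNU stat) and applies uid_can_write for the -slim user. For
# rootless podman pass "podman unshare" as PREFIX so ownership is read inside
# the user namespace the container will use. Returns 2 if stat fails.
check_app_data() {
    dir=$1; shift
    info=$("$@" stat -c '%u %g %a' "$dir") || return 2
    set -- $info
    uid_can_write "$SLIM_UID" "$SLIM_GID" "$1" "$2" "$3"
}

# preflight DIR [PREFIX...]: report the result and a one-time fix.
preflight() {
    if check_app_data "$@"; then
        echo "$1: writable for uid $SLIM_UID, the -slim image can use it"
    else
        echo "$1: uid $SLIM_UID cannot create /app-data/repository here" >&2
        echo "fix (rootless): podman unshare chown -R $SLIM_UID:$SLIM_GID $1" >&2
        return 1
    fi
}

# Usage: sh preflight.sh ./app-data podman unshare
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

A freshly created `./app-data` shows up as owned by uid 0 with mode 755 inside the rootless namespace, so the check fails for uid 33 in the same way the `mkdir` in the report does.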