Podman Bind Mounts
podman(1) uses bind mounts to mount a host file or directory into a container.
Mounts
The syntax for mounting a file or directory into a container is:
podman run --detach --name=my-nginx \
  --mount type=bind,src=/absolute/path/to/web/root,dst=/usr/share/nginx/html,readonly,Z \
  --mount type=bind,src=/absolute/path/to/app/binary,dst=/app,readonly,Z \
  nginx:latest
Note that the host file or directory must exist; an error will be raised otherwise.
When a bind mount targets an existing and non-empty directory in a container, the contents of that directory are obscured.
SELinux
The Z label shown above is an SELinux policy label. It tells podman(1) to relabel the mounted content so that it is private to this container.
If a file or directory needs to be accessed by multiple containers, instead use the z label, which applies a shared label. If a shared resource is mounted with Z, only the container that mounted it last will be able to access it, because each mount relabels the content for that container alone.
Permissions and Ownership
The root user within a container effectively runs as the host user that created the container. All non-root users within the container effectively use some other mapped UID, taken from the host user's subuid range, that has no corresponding account on the host system.
If running podman(1) as a user and using bind mounts, it is necessary to carefully consider the ownership of those files and directories.
It is possible to calculate the UID that effectively will be used, based on the subuid range and the relevant UID within the container. For example, if the host user's range starts at 165536 and the relevant container UID is 999, then the files and directories could be chown(1)ed to 166534 (165536 - 1 + 999). But this is not the recommended approach.
Instead try:
podman unshare chown 999:999 -R path/to/mount
podman unshare causes a command to be run in the user namespace that podman(1) uses, so the UIDs given to chown(1) are interpreted as container UIDs and mapped to the host subuid range automatically.
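To make the mapping arithmetic above concrete, here is an added shell example (not code from podman or from this page) that converts UIDs in both directions for a constructed /etc/subuid entry. On a real host the entry comes from /etc/subuid (or from podman unshare cat /proc/self/uid_map); the user name, range and host UID below are assumptions.

```shell
#!/bin/sh
# Added example: map rootless-container UIDs to host UIDs and back.
# Assumes podman's default mapping: container UID 0 -> the host user,
# container UIDs 1..count -> subuid range start..start+count-1.

SUBUID_ENTRY="alice:165536:65536"   # constructed sample /etc/subuid line: user:start:count
HOST_UID=1000                        # constructed: alice's own UID on the host

subuid_start() { printf '%s' "$SUBUID_ENTRY" | cut -d: -f2; }
subuid_count() { printf '%s' "$SUBUID_ENTRY" | cut -d: -f3; }

# map_container_uid CONTAINER_UID
# Prints the host UID that owns files chown(1)ed to CONTAINER_UID inside
# the container. Returns 1 (prints nothing) if the UID is not mapped at all.
map_container_uid() {
    cuid=$1
    start=$(subuid_start)
    count=$(subuid_count)
    if [ "$cuid" -eq 0 ]; then
        echo "$HOST_UID"                 # container root is the host user itself
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
        echo $((start + cuid - 1))       # e.g. 999 -> 165536 + 999 - 1 = 166534
    else
        return 1                         # outside the subuid range: no host owner
    fi
}

# host_to_container_uid HOST_UID
# The inverse: given an owner seen in "ls -ln" on the host, print the UID
# the container will see. Returns 1 if the host UID is not in the mapping.
host_to_container_uid() {
    huid=$1
    start=$(subuid_start)
    count=$(subuid_count)
    if [ "$huid" -eq "$HOST_UID" ]; then
        echo 0
    elif [ "$huid" -ge "$start" ] && [ "$huid" -lt $((start + count)) ]; then
        echo $((huid - start + 1))       # e.g. 166534 -> 999
    else
        return 1
    fi
}

map_container_uid 999   # prints 166534
```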