= Podman Bind Mounts =

`podman(1)` uses '''bind mounts''' to mount a host file or directory into a container.

----

== Mounts ==

The syntax for mounting a file or directory into a container is:

{{{
podman run --detach --name=my-nginx \
  --mount type=bind,src=/absolute/path/to/web/root,dst=/usr/share/nginx/html,readonly,Z \
  --mount type=bind,src=/absolute/path/to/app/binary,dst=/app,readonly,Z \
  nginx:latest
}}}

Note that the host file or directory must exist; an error will be raised otherwise.

When a bind mount targets an existing and non-empty directory in a container, the contents of that directory are obscured for as long as the mount is in place.

=== SELinux ===

The `Z` label shown above is an [[Linux/SELinux|SELinux]] policy label. It means that the mount is private to this container.

If a file or directory needs to be accessed by multiple containers, instead use the `z` label. If a shared resource is mounted with `Z`, only the final container mounting it will be able to access it, because each `Z` relabel overwrites the previous one.

=== Permissions and Ownership ===

In rootless mode, the `root` user within a container effectively runs as the host user that created the container. All non-`root` users within the container effectively use some other mapped UID that does not exist as a login user on the host system.

If running `podman(1)` as a user and using bind mounts, it is necessary to carefully consider the ownership of those files and directories.

It is ''possible'' to calculate the UID that effectively will be used, based on the [[Podman/Security#Rootless_Mode|subuid range]] and the relevant UID within the container. For example, if the host user's range starts at 165536 and the relevant container UID is 999, then the files and directories could be `chown(1)`ed to 166534 ''(165536 - 1 + 999)''.

But this is ''not'' the recommended approach. Instead try:

{{{
podman unshare chown 999:999 -R path/to/mount
}}}

`podman unshare` causes a command to be run in the `podman(1)` user namespace, so the `chown(1)` sees the container's view of UIDs and the correct host UID is written without any manual arithmetic.

----
CategoryRicottone
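The UID arithmetic in the Permissions and Ownership section, worked through in code. This is an added example, not from the wiki page or from the Podman project: it parses constructed `/etc/subuid` lines, builds the container-to-host UID mapping the way the text describes (container `root` is the host user, container UIDs from 1 upward are taken from the subuid range), and resolves a container UID to the host UID that owns bind-mounted files. The user names, host UIDs and subuid ranges are constructed sample values; the assumption that ranges are consumed in the order listed is mine.

```python
# Constructed /etc/subuid content (sample values, not from a real host).
SUBUID = """\
# name:start:count
alice:165536:65536
bob:231072:65536
"""

def parse_subuid(text, user):
    """Return the (start, count) subordinate UID ranges granted to `user`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges

def uid_map(host_uid, ranges):
    """Build (container_start, host_start, length) triples for a rootless
    user namespace: container UID 0 is the host user, and container UIDs
    from 1 upward are served by the subuid ranges in order (assumption)."""
    mapping = [(0, host_uid, 1)]
    next_container = 1
    for start, count in ranges:
        mapping.append((next_container, start, count))
        next_container += count
    return mapping

def host_uid_for(container_uid, mapping):
    """Resolve a container UID to the host UID that owns its files.
    Raises ValueError for UIDs outside the mapped ranges, which podman
    would reject rather than silently map to a host UID."""
    for c_start, h_start, length in mapping:
        if c_start <= container_uid < c_start + length:
            return h_start + (container_uid - c_start)
    raise ValueError(f"container UID {container_uid} is not mapped")

if __name__ == "__main__":
    # The page's example: host range starts at 165536, container UID 999.
    m = uid_map(1000, parse_subuid(SUBUID, "alice"))
    print(host_uid_for(999, m))  # 166534, matching 165536 - 1 + 999
```

Run `podman unshare cat /proc/self/uid_map` to see the real triples for your user and compare them against what `uid_map` produces.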