Why is fuse-overlayfs mounting layers as root?

gabyx · March 26, 2024, 8:10pm

I have podman enabled like:

{
  lib,
  pkgs,
  ...
}: let
  toml = pkgs.formats.toml {};

  # containers storage settings.
  # Use fuse-overlayfs instead of kernel overlay2.
  storage-settings = {
    storage = {
      driver = "overlay";
      options.overlay = {
        mount_program = lib.getExe pkgs.fuse-overlayfs;
        mountopt = "nodev,fsync=0";
        force_mask = "shared";
      };
    };
  };
in {
  xdg.configFile."containers/storage.conf".source = toml.generate "storage.conf" storage-settings;
}

in homemanager
and in NixOS I enabled this:

# Podman ================================
  virtualisation.podman = {
    enable = true;

    # Required for containers under podman-compose to be able to talk to each other.
    defaultNetwork.settings.dns_enabled = true;

    # Auto prune podman resources.
    autoPrune = {
      dates = "weekly";
      flags = ["--external"];
    };
  };

# Extent the user `uid/gid` ranges to make podman work better.
  # This is for using https://gitlab.com/qontainers/pipglr
  users.extraUsers.${config.settings.user.name} = {
    subUidRanges = [
      {
        startUid = 100000;
        count = 10000000; # 65539;
      }
    ];
    subGidRanges = [
      {
        startGid = 100000;
        count = 10000000; # 65539;
      }
    ];
  };

I ran podman system reset and did rm -rf ~/.local/share/containers.
fuse-overlayfs is enabled when I inspect podman info.

When I run any image with a user, e.g. podman run --it --user podman quay.io/podman/stable:latest ls -alnd /home/podman I see that the home folder as root=0 and not podman=1000.
This happens with any image. Why is this? Its some misconfiguration of fuse-overlayfs?

Note: I am only using fuse-overlayfs to test out some nesting container stuff

Any help appreciated.

Kiskae · March 28, 2024, 7:51pm

You’re probably running into a feature of user namespaces; your user id gets mapped to the user id 0 inside containers, making them appear as root. But if you create a file inside your container and then check the same file on your host, it will be owned by your user file.

Keep in mind that the names shown by ls are mapped using the /etc/passwd file INSIDE your container, so unless that contains a definition for a podman user it will never show any file as owned by “podman”

gabyx · March 28, 2024, 8:45pm

Thanks, actually I am aware of user-namespace and stuff, maybe not indepth. I think it might not be the problem but related to fuse etc??

But when I dont use fuse-overlayfs and the kernel overlayfs instead, the command podman run -it --user podman quay.io/podman/stable:latest ls -aldn /home/podman show the corrent user 1000 (podman). Its quite strange. I dont understand it?