Permission errors with chown during postgresql init

[maleadt]

I'm migrating a Docker set-up to Podman, and am encountering an issue with the PostgreSQL container doing a chown during initial set-up. I've got it minimized to:

❯ sudo mkdir /srv/postgresql
❯ sudo chown $USER /srv/postgresql

❯ podman run -it --volume /srv/postgresql:/var/lib/postgresql/data:z docker.io/library/ubuntu:latest bash -x -c 'chown ubuntu /var/lib/postgresql/data'
+ chown ubuntu /var/lib/postgresql/data
chown: changing ownership of '/var/lib/postgresql/data': Operation not permitted

... whereas if I put the postgresql data directory in my home folder, everything works fine:

❯ mkdir ~/postgresql

❯ podman run -it --volume /$HOME/postgresql:/var/lib/postgresql/data:z docker.io/library/ubuntu:latest bash -x -c 'chown ubuntu /var/lib/postgresql/data'
+ chown ubuntu /var/lib/postgresql/data

The data directory in /srv is accessible by my user, and /srv should be traversable by any user:

❯ ls -la / | grep srv
drwxr-xr-x   1 root root  744 Dec 17 15:03 srv/

Both directories are backed by a BTRFS subvolume:

❯ mount
/dev/nvme0n1p2 on /srv type btrfs (rw,relatime,compress=zstd:1,ssd,discard=async,space_cache,subvolid=280,subvol=/srv)
/dev/nvme0n1p2 on /home type btrfs (rw,relatime,compress=zstd:1,ssd,discard=async,space_cache,subvolid=257,subvol=/home)

This is on Debian Trixie, SELinux not configured (adding :Z or :z doesn't help), running podman 5.3.1.

I have run into similar issues in the past with containers that switch UIDs during start-up, which I've always resolved by forcing the UID to a well-known one (e.g. 1000) and adding UIDMap=+1000:@%U. But I don't think that's the issue here.

[rhatdan]

You have to deal with the user namespace. The $USER inside of the container is not matching the $USER outside of the container because of user namespace.

[maleadt]

What are you suggesting concretely, adding a uidmap that maps the UID inside of the container to the one outside? That doesn't seem very scalable; I'm simply pulling a container from the Docker library, not writing my own, so inspecting every container to see what the primary user's UID is and adding a hard-coded mapping would be pretty annoying.

What surprises me most, though, is that this works for one directory but not for another, despite both being seemingly identical. Can you explain that?

[rhatdan]

Directory being world writeable perhaps?

If you create a directory on your system that the user running Podman is not allowed to write to and his UIDs within their user namespace is not allowed to write to, then it will get permission denied. You could setup the directory such that it is world writeable or group writeable and then leak the group into the container.

[maleadt]

Ah, silly me, the difference is that the directory created in /srv using sudo is owned by the root group, while in my home directory it's owned by users which happens to map onto a valid GID within the container. PEBCAK...

Anyway, thanks for helping out.

[maleadt]

And for anybody running into this, adding UserNS=keep-id:uid=1000 to my quadlet "fixes" this. By not running with UID=0 in the container, the container doesn't try to chmod anymore. The UID map is necessary to make postgres happy (User=1000 doesn't suffice).