storage: Document force_mask UID 0 mapping requirement #742

Open
ipilcher wants to merge 2 commits into containers:main from ipilcher:force_mask_uidmap_doc

Conversation

@ipilcher ipilcher commented Apr 3, 2026

force_mask doesn't work in rootless mode when the container's UID 0 is mapped to something other than the host UID of the user running the container. This PR adds a note about this requirement to containers-storage.conf.5.md.

Signed-off-by: Ian Pilcher <arequipeno@gmail.com>
@github-actions github-actions bot added the storage Related to "storage" package label Apr 3, 2026
@TomSweeneyRedHat (Member)

And more importantly, thanks for the PR @ipilcher!

@ipilcher (Author) commented Apr 4, 2026

I seem to have bollixed everything up by hitting GitHub's "Commit suggestion" button.

EDIT: I think I managed to fix it.

Signed-off-by: Ian Pilcher <arequipeno@gmail.com>
Co-authored-by: Tom Sweeney <tsweeney@redhat.com>
@ipilcher ipilcher force-pushed the force_mask_uidmap_doc branch from 011492b to 526cbe9 Compare April 4, 2026 14:23
@mtrmac (Contributor) left a comment

Thanks! This looks plausible but I’d prefer a LGTM from @giuseppe.

"force_mask" permissions.

- When force_mask is used in rootless mode with explicit UID mappings (e.g., `--uidmap`), the container's UID 0 must map to the host user's UID. fuse-overlayfs (see "mount_program" below) creates a FUSE mount that that is only accessible to the user who created it (the user running podman in this case). If UID 0 within the container is mapped to a different host UID (such as a subordinate UID from /etc/subuid), the OCI runtime (which runs in the user namespace) will not be able to access the FUSE mount.
- When force_mask is used in rootless mode with explicit UID mappings (e.g., `--uidmap`), the container's UID 0 must map to the host user's UID. The fuse-overlayfs (see "mount_program" below) storage driver creates a FUSE mount accessible only to the user who created it (the user running podman in this case). If UID 0 within the container is mapped to a different host UID (such as a subordinate UID from /etc/subuid), the OCI runtime (which runs in the user namespace) will not be able to access the FUSE mount.
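Review bot: the suggested line keeps the original's mechanism claim ("the OCI runtime (which runs in the user namespace) will not be able to access the FUSE mount") as a hard requirement without the evidence it rests on; the only failure shown on this page is `crun: open /var/tmp/intermediate-mountpoint-1000.0/etc/hosts: No such file or directory`, which another maintainer could not reproduce on Fedora Rawhide, so consider stating the symptom and the podman version it was observed with, or holding the note until the cause is confirmed (#764). Also, calling fuse-overlayfs a "storage driver" conflicts with how this file uses that term for overlay/vfs/btrfs; "the fuse-overlayfs mount helper (see \"mount_program\" below)" would avoid the ambiguity.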
Contributor

fuse-overlayfs is a filesystem implementation, not a “storage driver” in the c/storage sense (overlay/vfs/btrfs). Maybe “filesystem”? “process”? Or revert to the previous version, which can be ambiguous about what exactly the thing is?

@giuseppe (Member) left a comment

The fuse-overlayfs process doesn't run inside the nested user namespace.

What error are you seeing?

@ipilcher (Author)

> The fuse-overlayfs process doesn't run inside the nested user namespace.
>
> What error are you seeing?

I see an error if I map UID 0 to a subuid.

$ podman run --rm -it \
        \
        --uidmap 0:@500100 \
        --uidmap 42:@500101 \
        --uidmap 499:@500102 \
        \
        --gidmap 0:@500100 \
        --gidmap 4:@500101 \
        --gidmap 5:@500102 \
        --gidmap 8:@500103 \
        --gidmap 42:@500104 \
        --gidmap 43:@500105 \
        --gidmap 50:@500106 \
        --gidmap 499:@500107 \
        \
        docker.io/library/debian:bookworm-slim \
        /bin/sh
Error: crun: open `/var/tmp/intermediate-mountpoint-1000.0/etc/hosts`: No such file or directory: OCI runtime attempted to invoke a command that was not found

If I map UID 0 to the UID of the user running podman, it works.

$ podman run --rm -it \
        \
        --uidmap 0:@1000 \
        --uidmap 42:@500101 \
        --uidmap 499:@500102 \
        \
        --gidmap 0:@500100 \
        --gidmap 4:@500101 \
        --gidmap 5:@500102 \
        --gidmap 8:@500103 \
        --gidmap 42:@500104 \
        --gidmap 43:@500105 \
        --gidmap 50:@500106 \
        --gidmap 499:@500107 \
        \
        docker.io/library/debian:bookworm-slim \
        /bin/sh
# whoami
root

@ipilcher ipilcher requested a review from giuseppe April 10, 2026 15:29
@giuseppe (Member)

Is it enough that the user is mapped into the user namespace (any id, not necessarily root)?

@ipilcher (Author)

> Is it enough that the user is mapped into the user namespace (any id, not necessarily root)?

It doesn't appear to be.

$ podman run --rm -it \
        \
        --uidmap 0:@500100 \
        --uidmap 42:@500101 \
        --uidmap 499:@1000 \
        \
        --gidmap 0:@500100 \
        --gidmap 4:@500101 \
        --gidmap 5:@500102 \
        --gidmap 8:@500103 \
        --gidmap 42:@500104 \
        --gidmap 43:@500105 \
        --gidmap 50:@500106 \
        --gidmap 499:@500107 \
        \
        docker.io/library/debian:bookworm-slim \
        /bin/sh
Error: crun: open `/var/tmp/intermediate-mountpoint-1000.0/etc/hosts`: No such file or directory: OCI runtime attempted to invoke a command that was not found
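As an added pre-flight check (not code from this PR or from containers/storage), the following shell function parses `--uidmap` specs like the ones in the runs above and reports which host UID the container's UID 0 resolves to, so the failing configuration can be flagged before `podman run` is attempted. It assumes the podman-run(1) mapping syntax `CONTAINER_ID:HOST_ID[:AMOUNT]`, where an `@` prefix marks a literal host UID and an unprefixed value is an ID in podman's intermediate rootless namespace with 0 being the invoking user's own UID; the UID 1000 used in the demo is the one from this thread.

```shell
#!/bin/sh
# Pre-flight check for the force_mask + rootless --uidmap pitfall discussed
# in this PR: does the container's UID 0 resolve to the host UID running
# podman? Mapping syntax assumed (podman-run(1)): CONTAINER_ID:HOST_ID[:AMOUNT]
#   - HOST_ID with an '@' prefix is a literal host UID.
#   - Without '@' it is an ID in podman's intermediate rootless namespace,
#     where 0 is the invoking user's own UID and 1..N are subuid slots.

# host_uid_of_container_root USER_UID MAP...
# Prints the host UID that container UID 0 maps to, "intermediate:N" when it
# lands on a subuid slot (resolving that needs /etc/subuid), or "unmapped"
# when no entry covers container UID 0.
host_uid_of_container_root() {
    user_uid=$1; shift
    for map in "$@"; do
        ctr=${map%%:*}                 # CONTAINER_ID
        rest=${map#*:}                 # HOST_ID[:AMOUNT]
        host=${rest%%:*}               # HOST_ID
        [ "$ctr" -eq 0 ] 2>/dev/null || continue   # only the entry for UID 0 matters
        case $host in
            @*) echo "${host#@}" ;;                # literal host UID
            0)  echo "$user_uid" ;;                # intermediate 0 = invoking user
            *)  echo "intermediate:$host" ;;       # a subuid slot
        esac
        return 0
    done
    echo unmapped
}

# force_mask_uidmap_ok USER_UID MAP... -> exit 0 iff container root is USER_UID
force_mask_uidmap_ok() {
    [ "$(host_uid_of_container_root "$@")" = "$1" ]
}

# Demo: the three runs from this thread, with the invoking user at UID 1000.
me=1000
for spec in "0:@500100 42:@500101 499:@500102" \
            "0:@1000 42:@500101 499:@500102" \
            "0:@500100 42:@500101 499:@1000"; do
    # shellcheck disable=SC2086  # word splitting of the spec list is intended
    if force_mask_uidmap_ok "$me" $spec; then
        echo "ok:   $spec"
    else
        echo "warn: $spec -> container root is host UID" \
             "$(host_uid_of_container_root "$me" $spec);" \
             "force_mask with fuse-overlayfs may fail"
    fi
done
```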

@giuseppe (Member)

What podman version are you using?

Your command works on my Fedora Rawhide:

$ cat ~/.config/containers/storage.conf | grep -E -v '^(#|$)'
[storage]
driver = "overlay"
[storage.options]
additionalimagestores = [
]
[storage.options.pull_options]
[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
mountopt = "nodev,metacopy=on"
force_mask = "000"

$ podman run --rm -it \
        \
        --uidmap 0:@100100 \
        --uidmap 42:@100101 \
        --uidmap 499:@100102 \
        \
        --gidmap 0:@100100 \
        --gidmap 4:@100101 \
        --gidmap 5:@100102 \
        --gidmap 8:@100103 \
        --gidmap 42:@100104 \
        --gidmap 43:@100105 \
        --gidmap 50:@100106 \
        --gidmap 499:@100107 \
        \
        docker.io/library/debian:bookworm-slim \
        /bin/sh
#

I think we should treat this as an issue, and figure out why it doesn't work for you instead of documenting it.

@ipilcher (Author)

> What podman version are you using?

I am running podman-5.8.1-1.fc43.x86_64 on Fedora 43.

> Your command works on my Fedora Rawhide:

Interesting!

> I think we should treat this as an issue, and figure out why it doesn't work for you instead of documenting it.

I have created #764.
