Sharing read-only data with some difficult constraints

[io7m]

Hello!

I have the following set of awkward constraints:

• Container A writes data to a volume V.
• Containers B, C, and D want to read from V.
• The host doesn't need or care about visibility into V.
• All containers are rootful, but are running with --security-opt=no-new-privileges --cap-drop all --userns=auto --read-only.
• I'm using the RHEL targeted policy so containers are isolated from each other with labels, as normal.
• For reasons of paranoia, I don't want to run all the containers in the same user namespace. This is a slightly soft constraint, but I'd like to keep it if possible.
• Because of --userns=auto, uids/gids are unpredictable and I think I'd prefer to keep it that way.
• There's nothing in V that {B,C,D} should be prevented from reading. Ignoring file ownership and permissions entirely over the whole volume would be perfectly acceptable.
• The data in V changes fairly frequently from writes by A, and {B,C,D} are required to be able to observe updates.
• The applications running in {B,C,D} are dumb and only know how to do filesystem operations.
• The applications running in {B,C,D} don't care about "this really is a real filesystem down to the inodes" semantics.

What are my options for exposing V to {B,C,D}?

Is there some directly-podman-supported way I can expose V to {B,C,D} in a way that can essentially ignore uid/gid values on files? I see that there's apparently some degree of support for things like virtiofs in podman, but that seems to be strictly limited to virtual machines. There might be some way to do this with an overlay filesystem, but I can't quite see it.

[Luap99]

Because you run podman as root using idmap mounts is an option. An idmap mount can map the uid/gids properly into the container user namespace without having to later the ids on the host.

$ sudo podman run --rm -v /tmp/test:/test quay.io/libpod/testimage:20241011 ls -l /test
-rw-r--r--    1 1000     1000             0 Apr  7 09:07 /test
$ sudo podman run --rm --userns auto  -v /tmp/test:/test quay.io/libpod/testimage:20241011 ls -l /test
-rw-r--r--    1 nobody   nobody           0 Apr  7 09:07 /test
$ sudo podman run --rm --userns auto  -v /tmp/test:/test:idmap quay.io/libpod/testimage:20241011 ls -l /test
-rw-r--r--    1 1000     1000             0 Apr  7 09:07 /test

search for idmap mount descriptions here https://docs.podman.io/en/latest/markdown/podman-create.1.html
You can also give custom uid mappsings for just the mount if needed. With that you can manage to make the mount use the same host uid for all containers even if they run as completely different uids due the userns=auto.

Selinux wise you also need to use z (shared) as well not Z (private to container)

[io7m]

Thanks!

[io7m]

That actually works so effectively that I'm suspicious of it. 😆