Hello, I have the following setup:

$ id
uid=1000(media) gid=1000(media) groups=1000(media),100(users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ ls -dZ mnt/musik
system_u:object_r:cifs_t:s0 mnt/musik
$ ls -dl mnt/musik
drwxr-xr-x. 2 media users 0 Mar 20 18:39 mnt/musik
$ ls -dZ mnt/musik/Adele
system_u:object_r:cifs_t:s0 mnt/musik/Adele
$ ls -dl mnt/musik/Adele
drwxr-xr-x. 2 media users 0 Nov 29 2013 mnt/musik/Adele
$ ls -dZ mnt-ro/Musik
system_u:object_r:nfs_t:s0 mnt-ro/Musik
$ ls -dl mnt-ro/Musik
drwxrwxrwx+ 786 root root 32768 Mar 20 18:39 mnt-ro/Musik
$ ls -dZ mnt-ro/Musik/Adele
system_u:object_r:nfs_t:s0 mnt-ro/Musik/Adele
$ ls -dl mnt-ro/Musik/Adele
drwxrwx---+ 4 503 users 4096 Nov 29 2013 mnt-ro/Musik/Adele

/etc/fstab:

//192.168.10.104/Musik /home/media/mnt/musik cifs noauto,x-systemd.automount,x-systemd.device-timeout=15,x-systemd.idle-timeout=60,_netdev,user,vers=3.0,uid=1000,gid=100,forceuid,forcegid,cred=/home/media/.cifscred 0 0
192.168.10.104:/ /home/media/mnt-ro nfs nfsvers=4,minorversion=1,ro,noauto,x-systemd.automount,x-systemd.device-timeout=15,x-systemd.idle-timeout=60,_netdev,user

I'm looking for a sane way to use my music collection from within podman rootless. This is mainly for using jellyfin. I already tried a bunch of options in this podman compose file.

compose.yml:

services:
  jellyfin:
    image: docker.io/jellyfin/jellyfin
    ports:
      - 8096:8096
    container_name: jellyfin
    user: 1000:100
    userns_mode: keep-id
    group_add:
      # - keep-groups - not working?
      - users
      - media
    # security_opt:
    #   - label=disable
    # devices:
    #   - /dev/dri:/dev/dri
    # network_mode: 'host'
    labels:
      - io.containers.autoupdate=registry
    volumes:
      - ./config:/config:z
      - ./cache:/cache:z
      - type: bind
        source: /home/media/mnt/musik
        target: /media
        read_only: true
        bind:
          # https://docs.docker.com/engine/storage/bind-mounts/#configure-bind-propagation
          propagation: shared
      - type: bind
        source: /home/media/mnt-ro/Musik
        target: /media2
        read_only: true
        bind:
          propagation: shared
    restart: 'unless-stopped'
    # Optional - may be necessary for docker healthcheck to pass if running in host network mode
    extra_hosts:
      - 'host.docker.internal:host-gateway'

However, when I use a bash inside the container with podman exec -it jellyfin bash I observe the following:

$ id
uid=1000(media) gid=100(users) groups=100(users),1000(media)
$ ls -ld /media
drwxr-xr-x. 2 media nogroup 0 Mar 20 17:39 /media
$ ls -dZ /media
system_u:object_r:cifs_t:s0 /media
$ ls -l /media
ls: cannot open directory '/media': Permission denied
$ ls -ld /media2
drwxrwxrwx. 786 nobody nogroup 32768 Mar 20 17:39 /media2
$ ls -dZ /media2
system_u:object_r:nfs_t:s0 /media2
$ ls -ld /media2/Adele
drwxrwx---. 4 nobody nogroup 4096 Nov 29 2013 /media2/Adele
$ ls -dZ /media2/Adele
system_u:object_r:nfs_t:s0 /media2/Adele
$ ls -l /media2/Adele
ls: cannot open directory '/media2/Adele': Permission denied

Any ideas on this?

Kind regards,
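To separate the two failure modes seen above, here is an added example (my code, not from the discussion or from podman) that replays the classic Unix owner/group/other decision on the `id` and `ls -ld` lines quoted from inside the container. The name-to-id mapping is an assumption taken from the numbers the discussion shows (`media` = 1000, `users` = 100, `nobody`/`nogroup` = 65534); the sample lines are constructed copies of the ones posted. The point it makes: `/media` passes the Unix check (the process is the owner), so its denial must come from a layer above discretionary permissions, whereas `/media2/Adele` fails the Unix check itself because the process falls into the "other" class until the `nogroup` gid is part of its supplementary groups.

```python
import re

# Constructed sample lines in the shape of the `id` and `ls -ld` output posted
# above: the container identity before and after supplementary groups are kept,
# and the two bind mounts as listed inside the container.
ID_CONTAINER = "uid=1000(media) gid=100(users) groups=100(users),1000(media)"
ID_KEEP_GROUPS = ("uid=1000(media) gid=100(users) "
                  "groups=100(users),65534(nogroup),1000(media),65534(nogroup)")
LS_MEDIA = "drwxr-xr-x. 2 media nogroup 0 Mar 20 17:39 /media"
LS_MEDIA2_ADELE = "drwxrwx---. 4 nobody nogroup 4096 Nov 29 2013 /media2/Adele"

# Assumed name -> numeric id mapping inside the container; nobody/nogroup are
# 65534 here, as the second `id` line in the discussion shows.
NAME_TO_UID = {"media": 1000, "nobody": 65534}
NAME_TO_GID = {"users": 100, "media": 1000, "nogroup": 65534}


def parse_id(line):
    """Extract numeric uid, gid and the set of supplementary gids from `id` output."""
    uid = int(re.search(r"\buid=(\d+)", line).group(1))
    gid = int(re.search(r"\bgid=(\d+)", line).group(1))
    groups_part = line.split("groups=", 1)[1]
    groups = {int(g) for g in re.findall(r"(\d+)\(", groups_part)}
    return uid, gid, groups


def parse_ls(line):
    """Extract the nine permission bits, owner uid and group gid from `ls -ld` output.

    The 11th mode character ('.' or '+') only says whether an SELinux label or a
    POSIX ACL is present; ACL entries are not modelled here.
    """
    mode, _links, owner, group = line.split()[:4]
    return mode[1:10], NAME_TO_UID[owner], NAME_TO_GID[group]


def dac_check(perms, file_uid, file_gid, uid, gid, groups, want="rx"):
    """Owner/group/other decision for a non-root process.

    Exactly one class applies: owner if the uids match; otherwise group if the
    file's gid equals the process gid or one of its supplementary gids;
    otherwise other. Listing a directory needs both 'r' and 'x'.
    """
    if uid == file_uid:
        cls, bits = "owner", perms[0:3]
    elif gid == file_gid or file_gid in groups:
        cls, bits = "group", perms[3:6]
    else:
        cls, bits = "other", perms[6:9]
    return all(b in bits for b in want), cls


def explain(id_line, ls_line):
    """Return (allowed, class) for listing the directory described by `ls_line`."""
    uid, gid, groups = parse_id(id_line)
    perms, file_uid, file_gid = parse_ls(ls_line)
    return dac_check(perms, file_uid, file_gid, uid, gid, groups)


if __name__ == "__main__":
    cases = [
        ("/media (cifs)", ID_CONTAINER, LS_MEDIA),
        ("/media2/Adele (nfs, groups not mapped)", ID_CONTAINER, LS_MEDIA2_ADELE),
        ("/media2/Adele (nfs, original groups kept)", ID_KEEP_GROUPS, LS_MEDIA2_ADELE),
    ]
    for label, id_line, ls_line in cases:
        allowed, cls = explain(id_line, ls_line)
        verdict = "allowed" if allowed else "denied"
        print(f"{label}: {cls} class -> {verdict} by Unix permissions")
```

Run as a script it prints one verdict per case. When a directory is "allowed" here but the container still gets `Permission denied`, the decision was made by a mandatory layer (SELinux in this thread's cifs case), which is why the audit log, not the mode bits, is the next place to look.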
Replies: 3 comments 1 reply
If you think that is a selinux problem, look at the audit logs and fix the denials, or try to temporarily disable selinux and see if it works then. Also, your nfs share is owned by root on the host, so this uid will never be mapped into the container and will always be shown as nobody.
Well, at least I don't see anything in

$ ls -l /media/Adele/19/01\ Daydreamer.flac
-r-xr-xr-x. 1 tpasch nogroup 19787312 Jun 14 2016 '/media/Adele/19/01 Daydreamer.flac'
$ ls -l /media2/Adele
ls: cannot open directory '/media2/Adele': Permission denied

Hence, without SELinux, cifs works! But nfs still fails. (I still do not understand this completely, as user 'media' is in the 'users' group.)

Is there anything you recommend for working around the problem? (Using the (music) files from outside a podman container is (of course) possible for me.)
I agree that we should consider the cifs and nfs cases separately. I would like to emphasise that accessing a music collection on a NAS device seems like a common use case for jellyfin to me (and the jellyfin team encourages the use of containers).

CIFS
Works without SELinux. However, I have not understood why SELinux interferes.

NFS (version 4.1)
Problem is not SELinux related. It results from groups not being mapped. However, adjusting the user seems not possible with nfs (at least I haven't found anything on this online).

keep-groups
with compose seems to be delicate with podman compose (see comments in compose.yml).

Solution
Beginning of compose.yml now reads:

# https://github.com/containers/podman-compose/issues/166
x-podman:
  in_pod: false
services:
  jellyfin:
    image: docker.io/jellyfin/jellyfin
    ports:
      - 8096:8096
    container_name: jellyfin
    user: "1000:100"
    userns_mode: keep-id
    # Next line leads to:
    # Error response from daemon: looking up supplemental groups for container 3ce58bbca0fd9e00873dab537b40a1cdc7f5f2148f3cba2f3a2e91a1587e505b: Unable to find group tpasch: no matching entries in group file
    # userns_mode: "keep-id:uid=1000,gid=100"
    group_add:
      # - keep-groups ? does _not_ work
      - users
      - media
    # https://superuser.com/questions/1862423/share-groups-with-podman-containers
    # https://github.com/containers/podman/issues/10166
    annotations:
      # Next line enables the use of nfs (aanno)
      run.oci.keep_original_groups: 1
      io.crun.keep_original_groups: 1
    # Disabling SELinux makes cifs working (aanno)
    security_opt:
      - label=disable
<continues as already posted>

Inside the container I now observe the following:

$ id
uid=1000(media) gid=100(users) groups=100(users),65534(nogroup),1000(media),65534(nogroup)
$ ls -l /media/Adele/19/01\ Daydreamer.flac
-r-xr-xr-x. 1 media nogroup 19787312 Jun 14 2016 '/media/Adele/19/01 Daydreamer.flac'
$ ls -Z /media/Adele/19/01\ Daydreamer.flac
system_u:object_r:cifs_t:s0 '/media/Adele/19/01 Daydreamer.flac'
$ ls -dl /media2/Adele
drwxrwx---. 4 nobody nogroup 4096 Nov 29 2013 /media2/Adele
$ ls -dZ /media2/Adele
system_u:object_r:nfs_t:s0 /media2/Adele
$ ls -l /media2/Adele
total 16
drwxrwx---. 3 nobody nogroup 4096 Jun 6 2016 19
drwxrwx---. 3 nobody nogroup 4096 Jun 6 2016 21
$ ls -l /media2/Adele/19/01\ Daydreamer.flac
-rwxrwx---. 1 nobody nogroup 19787312 Jun 14 2016 '/media2/Adele/19/01 Daydreamer.flac'

However, I wonder if it is possible to change my configuration to make cifs work apart from

# disabling SELinux makes cifs working!
security_opt:
  - label=disable

?
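The earlier reply recommends looking at the audit log and fixing the denials, and the question just above asks for an alternative to `label=disable` for the cifs mount. Here is an added example (my code, not from the discussion or from podman) of the first step a practitioner would take for that: a small parser that reads AVC records in the format auditd writes and groups the denials by source type, target type and object class, so that a denial like container process vs `cifs_t` directory stands out. The audit lines are constructed samples for the parser, not records from the poster's system; the `container_t` source type is an assumption about what a rootless podman process carries, and nothing here asserts that such a denial actually occurred on the poster's host.

```python
import re

# Constructed audit records in the layout auditd/ausearch emits. They are sample
# input for the parser only, not log lines taken from the discussion's system.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1711000000.101:2001): avc:  denied  { read } for  pid=4321 comm="ls" name="musik" dev="cifs" ino=42 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:cifs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711000000.102:2002): avc:  denied  { open } for  pid=4321 comm="ls" path="/media" dev="cifs" ino=42 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:cifs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1711000000.102:2002): arch=c000003e syscall=257 success=no exit=-13 comm="ls"
"""

# Fields of one AVC record; the permission list sits inside "{ ... }".
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}.*?"
    r'comm="(?P<comm>[^"]*)".*?'
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Filesystems whose label comes from the mount, not from per-file xattrs, so a
# ":z" volume relabel cannot change it.
MOUNT_LABELLED_TYPES = {"cifs_t", "nfs_t"}


def selinux_type(context):
    """Return the type field (third component) of a security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Parse every AVC record in `text`; non-AVC records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "decision": m.group("decision"),
            "perms": set(m.group("perms").split()),
            "comm": m.group("comm"),
            "source_type": selinux_type(m.group("scontext")),
            "target_type": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return records


def summarize(records):
    """Group denials by (source type, target type, class); value is the union of perms."""
    summary = {}
    for r in records:
        if r["decision"] != "denied":
            continue
        key = (r["source_type"], r["target_type"], r["tclass"])
        summary.setdefault(key, set()).update(r["perms"])
    return summary


def mount_labelled_targets(summary):
    """Target types in the summary that cannot be fixed by relabelling files."""
    return {target for (_src, target, _cls) in summary if target in MOUNT_LABELLED_TYPES}


if __name__ == "__main__":
    found = summarize(parse_avc(SAMPLE_AUDIT))
    if not found:
        print("no AVC denials parsed; dontaudit rules may be hiding them")
    for (src, dst, cls), perms in sorted(found.items()):
        print(f"{src} -> {dst} ({cls}): {' '.join(sorted(perms))}")
    for t in sorted(mount_labelled_targets(found)):
        print(f"{t}: label set by the mount, a :z relabel will not apply")
```

Feed it the output of `ausearch -m AVC -ts recent` on the host. An empty result, as the poster reported, is not proof that SELinux is uninvolved: policies carry dontaudit rules that silence some denials, and `semodule -DB` temporarily disables those rules (`semodule -B` restores them) so the denial shows up. For a mount-labelled target such as `cifs_t`, the options to check before falling back to `label=disable` are the mount's own `context=` option and the SELinux booleans that govern container access to network filesystems (`getsebool -a` lists them with their current state).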