Shared Volume getting Z propogation and permission denied in container about podman-compose HOT 15 CLOSED

My current implementation of volumes has some serious bugs that I'm planning to solve tomorrow

Converting volumes to bind make podman volume prune unaware of that and remove them.

My understanding of considering shared if it's volumes section is wrong, docker-compose consider it illegal to reference a volume that is not in volumes section

from podman-compose.

the bug is a side effect of an issue asking to prefix volumes with project name,

if vol_name in shared_vols:

is expecting to find vol2_run-dump1090-fa in a set of {'run-dump1090-fa'}

I'm pushing a temporal fix

from podman-compose.

Temporary solution was to define volume-name:/path/in/container:z on the volumes in each service and it was passed through successfully.

But, that doesn't explain why the original logic failed to detect the root volumes item properly and instead defaulted to Z, so this should still be looked at.

from podman-compose.

Ah ha, that explains it!

from podman-compose.

would you please help me test this branch

https://github.com/containers/podman-compose/tree/feature/pass-volumes

pip3 install https://github.com/containers/podman-compose/archive/feature/pass-volumes.zip

I wonder if bind-propagation=z works if --mount type=volume

podman run --mount type=volume,source=vol2_run-dump1090-fa,destination=/run/dump1090-fa,bind-propagation=z

should it be bind-propagation=z

from podman-compose.

No need for the bind-propagation part. Just adding z to --mount will do it.
podman run type=volume,source=vol2_run-dump1090-fa,destination=/run/dump1090-fa,z for example.

from podman-compose.

@mheon does this apply to mount_type=bind? because the docs says it's type=bind,...,bind-propagation=z

type=bind,source=/path/on/host,destination=/path/in/container

                 type=tmpfs,tmpfs-size=512M,destination=/path/in/container
                 Common Options:

                    · src, source: mount source spec for bind and volume. Mandatory for bind.
                    · dst, destination, target: mount destination spec.
                    · ro, read-only: true or false (default).

                 Options specific to bind:

                    · bind-propagation: Z, z, shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2).
                    . bind-nonrecursive: do not setup a recursive bind mount.  By default it is recursive.

from podman-compose.

If you want to share an volume between multiple containers, then you use "z" if you want it private to one container then it is "Z".

from podman-compose.

@rhatdan yes we know, the question is how to pass "z" or "Z" for bind and for volume (should we prefix it with bind-propagation=<X>)

for example:

• --mount type=bind,source=/dir1,destination=/target,z
• --mount type=volume,source=vol1,destination=/target,z

or

• --mount type=bind,source=/dir1,destination=/target,bind-propagation=z
• --mount type=volume,source=vol1,destination=/target,bind-propagation=z

or

• --mount type=bind,source=/dir1,destination=/target,bind-propagation=z
• --mount type=volume,source=vol1,destination=/target,volume-propagation=z

or

• --mount type=bind,source=/dir1,destination=/target,bind-propagation=z
• --mount type=volume,source=vol1,destination=/target,z

from podman-compose.

from podman-compose.

I would have thought --mount type=volume,source=vol1,destination=/target,z but this does not work. I am not sure if podman --mount handles the relabel at all.

from podman-compose.

I would think the proper way to handle this would be to add relabel=private, relabel=shared, relabel=none.

from podman-compose.

https://docs.docker.com/storage/bind-mounts/

• The bind-propagation option, if present, changes the bind propagation. May be one of rprivate, private, rshared, shared, rslave, slave.
• The --mount flag does not support z or Z options for modifying selinux labels.

should I revert to -v instead of --mount?

from podman-compose.

Please be so kind, and update/describe also the compose.yaml file with its volumes: section. The origin docker-compose comes with a lot of variations to delcare volumes in version 3.
Actually, i can not figure out, how to identify the host source-directory of the volumes myvol1 oder myvol2 named volumes inside the docker-compose.yaml

I started on F31 with this volume bind:

    image: "postgres:9.6"
    environment:
      POSTGRES_USER: awx
      POSTGRES_PASSWORD: awxpass
      POSTGRES_DB: awx
      PGDATA: /var/lib/postgresql/pgdata
    volumes:
      - /home/cgroove/Temp/Databasefiles/postgresql:/var/lib/postgresql:Z

and learned in this issue, that i should use the volume syntax while reading @kevinelliott posting.Unfortunately i ended up in the well kown relabeling issue. So, what would be the out-of-box workaround with named volumes?

from podman-compose.

I have the same problem with bitnami/mysql, the process runs with UID 1001 ( as reported inside the container), but the volume is mounted with the root as owner, and with readonly:

podman run --rm -it --mount type=bind,source=/media/containers/podman/richard/storage/volumes/api_db/_data,destination=/bitnami/mysql,bind-propagation=z bitnami/mysql:5.7 bash

mysql 14:55:41.41 
mysql 14:55:41.41 Welcome to the Bitnami mysql container
mysql 14:55:41.41 Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-mysql
mysql 14:55:41.41 Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-mysql/issues
mysql 14:55:41.41 Send us your feedback at [email protected]
mysql 14:55:41.41 

1001@15dc89c7d81c:/$ ls -la /bitnami/mysql 
total 8
drwxr-xr-x 2 root root 4096 Jan  2 12:57 .
drwxr-xr-x 3 root root 4096 Jan  2 06:56 ..
1001@15dc89c7d81c:/$ echo $UID
1001
1001@15dc89c7d81c:/$ 

My docker compose file:

version: "3.5"

services:
  db:
    restart: unless-stopped
    image: bitnami/mysql:5.7
    ports:
      - 127.0.0.1:3309:3306
    environment:
      - MYSQL_ROOT_PASSWORD=xxx
      - MYSQL_DATABASE=xxx
    volumes:
      - db:/bitnami/mysql
volumes:
  db: ~

from podman-compose.