Podman version cannot access group directories #14

@grst

When running rstudio in podman, I had the issue that I could not access project directories on our scientific storage to which I have access based on my secondary user group only.

This is considered a "security feature" of podman. A solution is described in this article by RedHat. In brief:

  • use the crun instead of the runc runtime (install crun and edit ~/.config/containers/containers.conf)
  • run the container with podman run --annotation run.oci.keep_original_groups=1 [...]

This appeared to work in principle (from a shell in the podman container I could access the group directory as expected),
but the rstudio process still got started with different permissions and didn't have access to the directory. I haven't yet figured out how to solve it (except by using Singularity instead (#13)).

Further issues:

  • Due to a bug in podman 3.0.x, annotations are not read from containers.conf, making it impossible to pass the annotation to a container while using podman-compose. This is allegedly fixed in 3.1, but that version is not available on CentOS 7.
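
A diagnostic for the symptom described in this issue, as an added example that is not part of the original post: it compares the `Groups:` line of two `/proc/<pid>/status` files and lists the supplementary GIDs that a reference process (such as the shell in the container) holds but the process under test (such as the rstudio process) does not. The function names and the sample GIDs are constructed for illustration, and it assumes both status files are read from the same user namespace.

```shell
#!/bin/sh
# Added example (not from the issue): report supplementary GIDs that one
# process has and another lacks, using the "Groups:" line of /proc/<pid>/status.

# missing_groups REF TARGET
# Prints the GIDs listed in REF's Groups: line but absent from TARGET's,
# space-separated in ascending order. Prints an empty line if none are missing.
missing_groups() {
    awk '
        FNR == 1 { nfile++ }                      # count input files
        $1 == "Groups:" {
            for (i = 2; i <= NF; i++) {
                if (nfile == 1) want[$i] = 1      # reference process
                else            have[$i] = 1      # process under test
            }
        }
        END { for (g in want) if (!(g in have)) print g }
    ' "$1" "$2" | sort -n | tr '\n' ' ' | sed 's/ *$//'
    echo
}

# Constructed sample data: a shell that kept secondary group 4711 and a
# server process that was started with the primary group only.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGroups:\t1000 4711 \n' \
        > "$tmp/shell.status"
    printf 'Name:\trserver\nUid:\t1000\t1000\t1000\t1000\nGroups:\t1000 \n' \
        > "$tmp/rstudio.status"
    missing_groups "$tmp/shell.status" "$tmp/rstudio.status"
    rm -rf "$tmp"
}

# With two PIDs as arguments, compare live processes; otherwise run the demo.
if [ "$#" -eq 2 ]; then
    missing_groups "/proc/$1/status" "/proc/$2/status"
else
    demo
fi
```

A non-empty result for the two PIDs shows that the second process was started without groups the first one kept.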
