Is there any sane way to use cifs (or nfs) from rootless podman?

Hello,

I have the following setup:

$ id
uid=1000(media) gid=1000(media) groups=1000(media),100(users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ ls -dZ mnt/musik
system_u:object_r:cifs_t:s0 mnt/musik
$ ls -dl mnt/musik
drwxr-xr-x. 2 media users 0 Mar 20 18:39 mnt/musik

$ ls -dZ mnt/musik/Adele
system_u:object_r:cifs_t:s0 mnt/musik/Adele
$ ls -dl mnt/musik/Adele
drwxr-xr-x. 2 media users 0 Nov 29  2013 mnt/musik/Adele

$ ls -dZ mnt-ro/Musik
system_u:object_r:nfs_t:s0 mnt-ro/Musik
$ ls -dl mnt-ro/Musik
drwxrwxrwx+ 786 root root 32768 Mar 20 18:39 mnt-ro/Musik

$ ls -dZ mnt-ro/Musik/Adele
system_u:object_r:nfs_t:s0 mnt-ro/Musik/Adele
$ ls -dl mnt-ro/Musik/Adele
drwxrwx---+ 4 503 users 4096 Nov 29  2013 mnt-ro/Musik/Adele

/etc/fstab

//192.168.10.104/Musik   /home/media/mnt/musik  cifs    noauto,x-systemd.automount,x-systemd.device-timeout=15,x-systemd.idle-timeout=60,_netdev,user,vers=3.0,uid=1000,gid=100,forceuid,forcegid,cred=/home/media/.cifscred 0       0

192.168.10.104:/        /home/media/mnt-ro nfs     nfsvers=4,minorversion=1,ro,noauto,x-systemd.automount,x-systemd.device-timeout=15,x-systemd.idle-timeout=60,_netdev,user

I’m looking for a sane way to use my music collection from within podman rootless. This is mainly for using jellyfin. I already tried a bunch of options in this podman compose file.

compose.yml

services:
  jellyfin:
    image: docker.io/jellyfin/jellyfin
    ports:
      - 8096:8096
    container_name: jellyfin
    user: 1000:100
    userns_mode: keep-id
    group_add:
      # - keep-groups - not working?
      - users
      - media
    # security_opt:
    #   - label=disable
    # devices:
    #   - /dev/dri:/dev/dri
    # network_mode: 'host'
    labels:
      - io.containers.autoupdate=registry
    volumes:
      - ./config:/config:z
      - ./cache:/cache:z
      - type: bind
        source: /home/media/mnt/musik
        target: /media
        read_only: true
        bind:
          # https://docs.docker.com/engine/storage/bind-mounts/#configure-bind-propagation
          propagation: shared
      - type: bind
        source: /home/media/mnt-ro/Musik
        target: /media2
        read_only: true
        bind:
          propagation: shared
    restart: 'unless-stopped'
    # Optional - may be necessary for docker healthcheck to pass if running in host network mode
    extra_hosts:
      - 'host.docker.internal:host-gateway'

However, when I use a bash inside the container with

podman exec -it jellyfin bash

I observe the following:

$ id
uid=1000(media) gid=100(users) groups=100(users),1000(media)
$ ls -ld /media
drwxr-xr-x. 2 media nogroup 0 Mar 20 17:39 /media
$ ls -dZ /media
system_u:object_r:cifs_t:s0 /media
$ ls -l /media
ls: cannot open directory '/media': Permission denied
 
$ ls -ld /media2
drwxrwxrwx. 786 nobody nogroup 32768 Mar 20 17:39 /media2
$ ls -dZ /media2
system_u:object_r:nfs_t:s0 /media2
$ ls -ld /media2/Adele
drwxrwx---. 4 nobody nogroup 4096 Nov 29  2013 /media2/Adele
$ ls -dZ /media2/Adele
system_u:object_r:nfs_t:s0 /media2/Adele
$ ls -l /media2/Adele
ls: cannot open directory '/media2/Adele': Permission denied

Any ideas on this?

Kind regards,
aanno

A viable solution for this is at #25814
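An added illustration (not from the original post, and not podman's own code) of why the two `ls` outputs inside the container look the way they do. It resolves ids through a user-namespace id map in the format of `/proc/<pid>/uid_map` and `gid_map`, then applies the classic mode-bit check with the ids the kernel really sees. The map it uses is constructed to match what `userns_mode: keep-id` usually writes for uid/gid 1000 with a subuid/subgid range of 100000-165535; that range and the function names are assumptions, the real values are in `/etc/subuid`, `/etc/subgid` and the running container's `/proc/self/gid_map`.

```sh
#!/bin/sh
# Added illustration (not from the original post): resolve ids across a
# user-namespace id map and apply a plain mode-bit check, to see which of
# the two "Permission denied" results in the post are explained by id
# mapping alone.
#
# Map format is that of /proc/<pid>/uid_map and /proc/<pid>/gid_map:
#   <first id inside the namespace> <first id on the host> <count>
# The map below is CONSTRUCTED to match what podman's userns_mode: keep-id
# usually writes for a user with uid/gid 1000 and a 65536-entry subuid/subgid
# range starting at 100000. That range is an ASSUMPTION: the real one is in
# /etc/subuid and /etc/subgid, and the live map in the container's
# /proc/self/gid_map.
KEEP_ID_MAP='0 100000 1000
1000 1000 1
1001 101000 64536'

# Ids with no mapping are shown as the kernel overflow id
# (/proc/sys/kernel/overflowuid, overflowgid), which ls prints as nobody/nogroup.
OVERFLOW_ID=65534

# host_to_container MAP HOST_ID: print the id a host file owner appears as inside.
host_to_container() {
  printf '%s\n' "$1" | awk -v id="$2" -v ovf="$OVERFLOW_ID" '
    NF == 3 && id + 0 >= $2 && id + 0 < $2 + $3 { print $1 + (id - $2); found = 1; exit }
    END { if (!found) print ovf }'
}

# container_to_host MAP INSIDE_ID: print the host id the kernel really checks
# when a process inside the namespace runs with INSIDE_ID.
container_to_host() {
  printf '%s\n' "$1" | awk -v id="$2" '
    NF == 3 && id + 0 >= $1 && id + 0 < $1 + $3 { print $2 + (id - $1); found = 1; exit }
    END { if (!found) print "unmapped" }'
}

# dac_dir_listable OWNER GROUP MODE PROC_UID PROC_GID [SUPP_GID...]
# Print "allowed" or "denied" for read+search (what ls needs) on a directory,
# using only the classic mode bits. ACLs (the "+" in the host ls output),
# SELinux, CAP_DAC_OVERRIDE and cifs/nfs server-side checks are NOT modelled.
dac_dir_listable() {
  owner=$1; group=$2; mode=$3; puid=$4; pgid=$5; shift 5
  ingroup=0
  [ "$pgid" -eq "$group" ] && ingroup=1
  for g in "$@"; do
    [ "$g" -eq "$group" ] && ingroup=1
  done
  if [ "$puid" -eq "$owner" ]; then shift_by=6
  elif [ "$ingroup" -eq 1 ]; then shift_by=3
  else shift_by=0
  fi
  bits=$(( (0$mode >> shift_by) & 7 ))   # leading 0 makes the shell read MODE as octal
  if [ $(( bits & 5 )) -eq 5 ]; then echo allowed; else echo denied; fi
}

# The owners, groups and modes below are the ones from the ls output in the post.
report() {
  echo "host uid 1000 (media) shows inside as $(host_to_container "$KEEP_ID_MAP" 1000)"
  echo "host gid 100 (users) shows inside as  $(host_to_container "$KEEP_ID_MAP" 100) (nogroup)"
  echo "host uid 503 / gid 0 show inside as   $(host_to_container "$KEEP_ID_MAP" 503) / $(host_to_container "$KEEP_ID_MAP" 0) (nobody)"
  host_uid=$(container_to_host "$KEEP_ID_MAP" 1000)   # uid part of user: 1000:100
  host_gid=$(container_to_host "$KEEP_ID_MAP" 100)    # gid part of user: 1000:100
  host_supp=$(container_to_host "$KEEP_ID_MAP" 1000)  # group_add: media (gid 1000 inside)
  echo "inside 1000:100 + group 1000 is really host $host_uid:$host_gid + $host_supp"
  echo "/media        (1000:100 0755): $(dac_dir_listable 1000 100 755 "$host_uid" "$host_gid" "$host_supp")"
  echo "/media2/Adele ( 503:100 0770): $(dac_dir_listable 503 100 770 "$host_uid" "$host_gid" "$host_supp")"
}

report
```

Under this map, host gid 100 (`users`) has no entry and therefore shows up as `nogroup`, while the container's gid 100 from `user: 1000:100` and `group_add: users` is host gid 100100, not host gid 100. That alone explains the `/media2/Adele` denial: the directory is `503:users` with mode `0770`, and the process holds neither. For `/media` the owner bits (`media`, `0755`) would allow the listing, so that denial comes from something this check does not model (ACLs, the cifs client/server checks, or SELinux). Run it against the real container with `podman exec jellyfin cat /proc/self/gid_map` in place of the constructed map.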