Podman and /dev/ drives on Fedora

I am currently trying to set up 2 FOSS Docker projects as Podman containers on my Fedora machine. Both rely on my DVD drives being passed through to the containers; both are not working at the moment due to permission issues with the drives in the container(s). I am trying to understand what the deeper issue is and how I could resolve it (I am not looking for someone to guide me through my exact problem, more like insight into what is important for such an application).

A basic setup to illustrate my issue:

- Dockerfile
FROM debian:bullseye

- Build & Run
podman build ./ -t device_test

podman run -it --device=/dev/sr0 --group-add keep-groups --privileged --entrypoint=sh device_test

- In the container
cd mnt
mkdir cdrom
mount -t iso9660 -o ro /dev/sr0 /mnt/cdrom
mount: /mnt/cdrom: permission denied.

ls -la /dev/sr0
brw-rw----+ 1 nobody nogroup 11, 0 Mar 26 20:32 /dev/sr0

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

- On the host
ls -la /dev/sr0
rw-rw----+ 1 root cdrom 11, 0 Mar 26 21:32 /dev/sr0

id
*not important* groups=....11(cdrom) ...

What I understand (I think):

  • The users/groups in the Podman/Docker container are not the same as on the host, but share IDs or are “mapped”
  • To make it work you have to keep the existing user/group mapping of the devices via --group-add keep-groups
  • Devices are specified via --device flag
  • When in doubt, use --privileged (Discouraged, and I agree)
  • It might be related to SELinux

Or, to rephrase it as one question:

What are the necessary steps to bind a device in a Podman container?

Thx

Edit: original question updated to add a minimal example of what's going wrong.
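As an added illustration of the "mapped" IDs bullet (this script is not part of the original post or of Podman itself): it resolves host UIDs/GIDs through a uid_map/gid_map in the same "container_id host_id length" format the kernel exposes under /proc/<pid>/uid_map and gid_map, and shows why a host root:cdrom device file turns up as nobody:nogroup inside a rootless container. The map contents, the host user id 1000 and the subuid range are assumed values.

```shell
#!/bin/sh
# Constructed maps resembling a rootless Podman container started by host
# user 1000 with a /etc/subuid and /etc/subgid entry of 1000:100000:65536.
# Host id 1000 becomes 0 (root) in the container; 100000..165535 become
# 1..65536; everything else (host root 0, host group cdrom 11) is unmapped.
UID_MAP='0 1000 1
1 100000 65536'
GID_MAP='0 1000 1
1 100000 65536'

# map_host_id HOST_ID MAP: print the in-container id for a host id, or
# 65534 (the kernel overflow id, shown as nobody/nogroup) when the id
# lies outside every mapped range.
map_host_id() {
    _host=$1
    _found=
    while read -r cid hid len; do
        [ -n "$cid" ] || continue
        if [ "$_host" -ge "$hid" ] && [ "$_host" -lt $((hid + len)) ]; then
            _found=$((cid + _host - hid))
            break
        fi
    done <<EOF
$2
EOF
    echo "${_found:-65534}"
}

# describe_device PATH HOST_UID HOST_GID: show how a device file owned by
# HOST_UID:HOST_GID on the host is displayed inside the container.
# Note that the kernel still compares the real host ids when checking the
# rw bits, which is why a host group kept with --group-add keep-groups can
# grant access even though id inside the container lists it as 65534.
describe_device() {
    printf '%s host %s:%s -> container %s:%s\n' "$1" "$2" "$3" \
        "$(map_host_id "$2" "$UID_MAP")" "$(map_host_id "$3" "$GID_MAP")"
}

# Host /dev/sr0 is root:cdrom (0:11), as in the ls -la output above.
describe_device /dev/sr0 0 11
```

Running it prints "/dev/sr0 host 0:11 -> container 65534:65534", matching the nobody:nogroup ownership seen inside the container; substituting the real contents of /proc/self/uid_map and gid_map read from inside a container gives the actual mapping for that host.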