Podman and /dev/ drives on Fedora

I am currently trying to set up 2 FOSS Docker projects as Podman containers on my Fedora machine. Both rely on my DVD drives being passed through to the containers, and both are not working at the moment due to permission issues with the drives in the container(s). I am trying to understand what the deeper issue is and how I could resolve it (I am not looking for someone to guide me through my exact problem, more for insight into what is important for such an application).

A basic setup to illustrate my issue:

- Dockerfile
FROM debian:bullseye

- Build & Run
podman build ./ -t device_test

podman run -it --device=/dev/sr0 --group-add keep-groups --privileged --entrypoint=sh device_test

- In the container
cd mnt
mkdir cdrom
mount -t iso9660 -o ro /dev/sr0 /mnt/cdrom
mount: /mnt/cdrom: permission denied.

ls -la /dev/sr0
brw-rw----+ 1 nobody nogroup 11, 0 Mar 26 20:32 /dev/sr0

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

- On the host
ls -la /dev/sr0
rw-rw----+ 1 root cdrom 11, 0 Mar 26 21:32 /dev/sr0

id
*not important* groups=....11(cdrom) ...

What I understand (I think):

  • The users/groups in the Podman/Docker container are not the same as on the host, but share IDs or are “mapped”
  • To make it work you have to keep the existing user/group mapping of the devices via --group-add keep-groups
  • Devices are specified via --device flag
  • When in doubt, use --privileged (Discouraged, and I agree)
  • It might be related to SELinux

Or, to rephrase it as one question:

What are the necessary steps to bind a device in a Podman container?

Thx

Edit: original question updated to add a minimal example of what is going wrong.
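An added example (not part of this thread) of the id mapping behind the nobody:nogroup ownership seen above. It reproduces the kernel's gid_map lookup as a POSIX sh function over a constructed gid_map; the host gids used (cdrom = 11, the user's own gid = 1000, subgid range starting at 100000) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: why a host device shows up as nobody:nogroup in a rootless
# Podman container. The kernel translates the device node's host gid through
# the user namespace's gid_map (lines: "inside_start outside_start count").
# A host gid outside every mapped range is reported as the overflow gid
# (65534, "nogroup"), regardless of --device or --group-add keep-groups.

# Constructed sample of /proc/<container-pid>/gid_map for a rootless user whose
# /etc/subgid entry is "core:100000:65536": container gid 0 is the user's own
# host gid (assumed 1000), container gids 1..65536 come from the subgid range.
SAMPLE_GID_MAP='0 1000 1
1 100000 65536'

OVERFLOW_GID=65534   # kernel default, see /proc/sys/kernel/overflowgid

# map_gid MAP HOST_GID -> prints the gid the container sees for HOST_GID
map_gid() {
    printf '%s\n' "$1" | awk -v g="$2" -v ovf="$OVERFLOW_GID" '
        # each line: inside outside count; host gid hits if outside <= g < outside+count
        (g+0) >= $2 && (g+0) < $2 + $3 { print $1 + (g - $2); found = 1; exit }
        END { if (!found) print ovf }'
}

# device_owner_in_container MAP HOST_GID -> "mapped:<container gid>" or "unmapped"
device_owner_in_container() {
    gid=$(map_gid "$1" "$2")
    if [ "$gid" -eq "$OVERFLOW_GID" ]; then
        echo "unmapped"
    else
        echo "mapped:$gid"
    fi
}

# Walk-through for the thread's case: /dev/sr0 is root:cdrom (gid 11) on the host.
for host_gid in 11 1000 100000; do
    printf 'host gid %-6s -> in container: %s\n' "$host_gid" \
        "$(device_owner_in_container "$SAMPLE_GID_MAP" "$host_gid")"
done
```

On a real system, compare the output against `cat /proc/$(pgrep -n conmon)/gid_map` or the container's own /proc/self/gid_map to see which host groups are actually visible.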

I can’t help you, but I’m seeing the same thing. I’m trying to use /dev/dri in a container and I can’t seem to get it to work. I’ve tried disabling SELinux, --privileged, using --volume instead of --device, explicitly adding the video and render groups with --group-add and nothing has worked. No matter what I do, the devices in /dev/dri have uid/gid of 65534.

Rootful podman doesn’t have this problem and access works as expected.

Just at a glance, this is how I would have done it:

# On the host: create the mount point that will be bind-mounted in
mkdir /mnt/cdrom

# Run the container with the device and the bind mount
podman run -it --device=/dev/sr0 --group-add cdrom -v /mnt/cdrom:/mnt/cdrom device_test

# Inside the container
mount -t iso9660 -o ro /dev/sr0 /mnt/cdrom

If you can give that a try.

According to my discussion on GitHub (“Rootless, Device, USB Audio”, containers/podman Discussion #20875) this is not expected to work (?)

I deployed an Ubuntu VM with Docker to use the drive within a (docker) container.

Does anyone have more information about this topic?


Did you find this during your research: https://www.redhat.com/sysadmin/files-devices-podman ?

Yes, I saw that and tried it, it didn’t make any difference. I’ve also disabled SELinux and it still doesn’t work:

core@server ~> getsebool container_use_devices
container_use_devices --> on
core@server ~> getsebool container_use_dri_devices
container_use_dri_devices --> on
core@server ~> getenforce
Permissive
core@server ~> podman run --annotation run.oci.keep_original_groups=1 --rm -it --group-add keep-groups --device /dev/dri/card1 fedora:latest ls -lah /dev/dri
total 0
drwxr-xr-x. 2 root   root       60 May 12 20:30 .
drwxr-xr-x. 6 root   root      380 May 12 20:30 ..
crw-rw----. 1 nobody nobody 226, 1 May 12 18:59 card1
core@server ~> groups
core adm wheel sudo video render systemd-journal
core@server ~> ls -lah /dev/dri
total 0
drwxr-xr-x.  3 root root        100 May 12 18:59 ./
drwxr-xr-x. 20 root root       4.2K May 12 18:59 ../
drwxr-xr-x.  2 root root         80 May 12 18:59 by-path/
crw-rw----.  1 root video  226,   1 May 12 18:59 card1
crw-rw-rw-.  1 root render 226, 128 May 12 18:59 renderD128

In my podman run ... I’m just using ls, but the permissions issue impacts vainfo as well.