Skip to content

Podman on Linux improvements #10798

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
chrmarti opened this issue Mar 19, 2025 · 2 comments
Closed

Podman on Linux improvements #10798

chrmarti opened this issue Mar 19, 2025 · 2 comments
Assignees
@chrmarti
Labels
containers Issue in vscode-remote containers debt podman Dev Container using Podman
Milestone
April 2025

Comments

@chrmarti
Copy link
Contributor 

          @chrmarti I have done some investigations and on Windows WSL and macOS things work out of the box: no need for `z` and `--userns` options.

On Linux things are a little bit more complicated but we may solve the problem if the Dev Containers extension:

  • sets the environment variable PODMAN_USERNS=keep-id before running podman/docker run commands
  • adds --security-opt label=disable for every podman/docker run command

With these two changes, setting the z and --userns options wouldn't be needed anymore. It works for both rootless and rootful Podman.

Here is a detailed explanation:

  • For rootful podman, the option to relabel the file objects (z or Z) may (*) be required (--security-opt label=disable works too)
  • For rootless podman, in addition to the relabelling, the option to keep the same user id in the namespace (--userns=keep-id) is required.
  • Docker (rootful) has --security-opt label=disable and as a consequence doesn't need any specific flag/option.

(*) it may work without that option depending on the existing labels and permissions of the folder that we want to bind mount, but to always work, z is required.

To set the relabel option there are multiple options (the bold one may be more adapted for Dev Containers):

  • use the :z or :Z volume option
  • add the --security-opt label=disable to podman run command
  • set label = false in [containers] section of containers.conf

To set userns to keep-id there are multiple options too (the bold one may be more adapted for Dev Containers):

  • add the --userns=keep-id to podman run commands (but that doesn't seem like a valid value for Docker)
  • export PODMAN_USERNS=keep-id
  • set userns = "keep-id" in [containers] section of containers.conf

Originally posted by @l0rd in microsoft/vscode-docs#8122 (comment)
@chrmarti chrmarti self-assigned this Mar 19, 2025
@chrmarti chrmarti added containers Issue in vscode-remote containers debt labels Mar 19, 2025
@chrmarti chrmarti mentioned this issue Mar 19, 2025
Merged
@chrmarti chrmarti added the podman Dev Container using Podman label Apr 4, 2025
@chrmarti chrmarti mentioned this issue Apr 4, 2025
Merged
@chrmarti
Copy link
Contributor Author

chrmarti commented Apr 4, 2025

Thanks for investigating @l0rd! We can use the command line options since we already know if we are using podman: devcontainers/cli#985.

@chrmarti chrmarti added this to the April 2025 milestone Apr 4, 2025
@chrmarti chrmarti mentioned this issue Apr 4, 2025
Closed
@chrmarti
Copy link
Contributor Author

Fixed in Dev Containers extension 0.412.0-pre-release and Dev Containers CLI 0.76.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@chrmarti chrmarti

Labels
containers Issue in vscode-remote containers debt podman Dev Container using Podman
Projects
None yet
Milestone
April 2025
Development

No branches or pull requests
1 participant
@chrmarti