How do I mount /var/log/journal in rootless podman

[vic1707]

Hi,

I'm ultimately trying to setup crowdsec as a user's quadlet on coreos
I'm trying to mount /var/log/journal to /var/log/host for a crowdsec quadlet.

The quadlet is located here /home/vic1707/.config/containers/systemd/crowdsec.container.

But I'm doing my testing with podman run commands.

My user can read the journal dirs and files

[vic1707@localhost ~]$ ls -lah /var/log/journal
total 0
drwxr-sr-x+ 3 root systemd-journal  46 Jul 25 11:52 .
drwxr-xr-x. 8 root root            141 Jul 25 11:52 ..
drwxr-sr-x+ 2 root systemd-journal  53 Jul 25 11:52 bbd3eb3fe6914577947c17b67db624c5

Based on other discussions here I also ran the command withing podman unshare

[vic1707@localhost ~]$ podman unshare ls -ahl /var/log/journal
total 0
drwxr-sr-x+ 3 nfsnobody nfsnobody  46 Jul 25 11:52 .
drwxr-xr-x. 8 nfsnobody nfsnobody 141 Jul 25 11:52 ..
drwxr-sr-x+ 2 nfsnobody nfsnobody  53 Jul 25 11:52 bbd3eb3fe6914577947c17b67db624c5

But currently no matter what I do, the directory always gets mounted as nobody:nobody

[vic1707@localhost ~]$ podman run --rm -v /var/log/journal:/var/log/host:ro alpine ls -lah /var/log/
total 0      
drwxr-xr-x    1 root     root          18 Jul 25 10:36 .
drwxr-xr-x    1 root     root          17 Jul 15 10:42 ..
drwxr-sr-x    3 nobody   nobody        46 Jul 25 09:52 host

I tried --privileged, Z/z/U in volume mount's options, I tried all sorts of combinations for --user, --userns, --uidmap, --gidmap without managing to get it to work, I'm missing something, Thanks for your help!

Here are some more infos that might be helpful
U mount option results in Error: failed to chown recursively host path: lchown /var/log/journal: operation not permitted even if running as --privileged
Z/z: Error: lsetxattr(label=system_u:object_r:container_file_t:s0) /var/log/journal: operation not permitted even if running as --privileged

[vic1707@localhost ~]$ stat -c "%u %g" /var/log/journal
0 190
[vic1707@localhost ~]$ id
uid=1001(vic1707) gid=1001(vic1707) groups=1001(vic1707),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[vic1707@localhost ~]$ podman run --rm -it  alpine id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

[giuseppe]

that is expected, /var/log/journal is owned by an user that is not mapped/available in the rootless user namespace.

One thing you could do is to add your rootless user to the group that owns that directory on the host and then use --add-group keep-groups to the container.

Although this looks more like a use case for a root container, since you need to access a resource that your rootless user has no access to

[vic1707]

with it it works perfectly, that's an oversight from me, I'm sorry 🙇

I'm still wondering why SELinux didn't report anything about it 🤔
without you guiding me I'd never figured out that specific flag was missing

[giuseppe]

because it was not SELinux blocking it, so nothing to report from SELinux

[vic1707]

standard linux permissions then, that makes sense.
anyway, huge thanks for your help, your patience and your quick responses despite the current time 🙏.

---

Though, iy would be really hard to debug as a neophyte though 🤔

can you enlighten me as to why these specific folders have to appear as owned by nobody:nobody?
Could that be changed ?
Or do these things needs to be disclosed in the docs (if they already are I didn't find it, and I'm sorry if I did 🙇), I never found anything regarding /var/log anywhere, hence why I opened that discussion thread 🙃

[giuseppe]

that happens because the user owning them is not part of the user namespace.

The rootless user namespace uses the user UID:GID plus any additional UID and GID specified in the /etc/subuid and /etc/subgid files for that user.

You could add a mapping for the owner of that directory, in this way a mapping exists and the kernel will map the owner to an UID:GID that exists inside the rootless user namespace.

[vic1707]

You win some, you loose some I guess, this makes way more sense, thank you 🙏
I'll keep what you told me in mind for my future experiments & debugging 😁