Volumes and Mounts
1. Mount Your User Directory
podman run -it --rm \
--name mountdemo \
--userns=keep-id \
-v /u/home/$USER:/home/$USER \
ubuntu:24.04
ℹ️ It is often useful to split podman commands over several lines with a trailing backslash, because they can get quite long.
Permission Issue SELinux
With the increased frequency of cyber attacks, Security Enhanced Linux (SELinux) has gained widespread adoption among enterprise platforms such as Red Hat Enterprise Linux (RHEL), the upstream Fedora project, and in our case AlmaLinux (farm nodes). Users may encounter SELinux-related issues while using containers because containers interact closely with the kernel and may perform operations normally reserved for root.
Most of the disk areas for a user are not protected under SELinux, so SELinux labelling can be deactivated for a container to access host disks in read/write mode. The primary places users will encounter this are the Lustre /cache location and /cvmfs, since these filesystems only partially support the necessary bits / flags SELinux requires.
# Deactivate SELinux for a container with --security-opt label=disable
podman run -it --rm \
--security-opt label=disable \
--name mountcache \
--userns=keep-id \
-v /cache/:/cache:ro \
ubuntu:24.04
2. Leave and Re-enter
podman start mountdemo
There was no container! That is because the previous command had --rm, so the container was removed upon exit. Run the container without the --rm flag to create a new container with the same name.
podman exec -it mountdemo bash
3. Volume Scope and Limitations
Volumes and bind mounts are only specified at creation. You cannot add new mounts after a container is created.
4. Read-Only Mount with --mount
podman run -it --rm \
--mount type=bind,source=/u/home/$USER,target=/mnt,readonly \
ubuntu:24.04
Try to write:
cd /mnt && touch testfile
You should see the filesystem is read-only. This is a great way to keep your containers ephemeral!
5. Understand Rootless Limits
Even though you may appear to be root in the container, you’re rootless. This means:
- You only have permissions of your user on the host
- You cannot change or delete files you don’t own outside the container
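The SELinux note, the read-only --mount form and the rootless limits above all come down to one rule: a rootless container can only reach what your host user can reach, and a few paths (/cache, /cvmfs) need label=disable. The preflight helper below is an added example (not part of the original page or of podman) that checks host access as the invoking user before the container starts and prints the matching podman arguments; the function names and the rw/ro argument convention are my own.

```bash
#!/usr/bin/env bash
# Preflight for a rootless podman bind mount (added example, not from the original page).
# Usage: mount_preflight SOURCE TARGET [rw|ro]
# Prints the podman arguments to use, or returns non-zero if the mount cannot work.

# Lustre /cache and /cvmfs only partially support the SELinux bits podman needs,
# so mounts from those trees get --security-opt label=disable.
needs_label_disable() {
    case "$1" in
        /cache|/cache/*|/cvmfs|/cvmfs/*) return 0 ;;
        *) return 1 ;;
    esac
}

mount_preflight() {
    local src="$1" dst="$2" mode="${3:-rw}"
    local args="--userns=keep-id"

    # Rootless: inside the container you have exactly your host user's permissions,
    # so check host-side access before starting anything.
    if [ ! -e "$src" ]; then
        echo "preflight: source '$src' does not exist on the host" >&2
        return 1
    fi
    if [ ! -r "$src" ]; then
        echo "preflight: '$src' is not readable by $(id -un); the container cannot read it either" >&2
        return 1
    fi
    if [ "$mode" = "rw" ] && [ ! -w "$src" ]; then
        echo "preflight: '$src' is not writable by $(id -un); falling back to a read-only mount" >&2
        mode="ro"
    fi

    if needs_label_disable "$src"; then
        args="$args --security-opt label=disable"
    fi

    # Read-only bind mounts keep the container ephemeral (see step 4).
    if [ "$mode" = "ro" ]; then
        args="$args --mount type=bind,source=$src,target=$dst,readonly"
    else
        args="$args --mount type=bind,source=$src,target=$dst"
    fi
    echo "$args"
}

# Constructed example: mount_preflight /u/home/$USER /mnt ro
```

Run it as `podman run -it --rm $(mount_preflight /cache /cache ro) ubuntu:24.04` to apply the printed flags.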