Issue Description
Several devcontainers fail to work with Podman, even though they run fine with VS Code and Docker.
Diagnosis by Copilot:
Inside the devcontainer, the workspace volume is mounted from Podman with owner UID 503/GID dialout while the container user is UID 1000/GID 1000. Because the user is not in group 503, writes to /workspaces/home-assistant-core fail (e.g., setuptools cannot create homeassistant.egg-info during editable build). Need to adjust Podman volume UID/GID mapping or chown the bind mount so the container user can write.
Log:
id && whoami
uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),991(nvm)
vscode
ls -ld /workspaces /workspaces/home-assistant-core /workspaces/home-assistant-core/homeassistant
drwxr-xr-x. 1 root root 33 Jan 10 23:10 /workspaces
drwxr-xr-x 44 503 dialout 1408 Jan 10 23:06 /workspaces/home-assistant-core
drwxr-xr-x 29 503 dialout 928 Jan 10 23:06 /workspaces/home-assistant-core/homeassistant
umask && mount | head -n 20
022
overlay on / type overlay (...upperdir=/var/lib/containers/storage/overlay/...)
a2a0ee2c717462feb1de2f5afd59de5fd2d8 on /workspaces/home-assistant-core type virtiofs (rw,relatime,...)
touch /workspaces/home-assistant-core/.write-test && ls -l /workspaces/home-assistant-core/.write-test
touch: cannot touch '/workspaces/home-assistant-core/.write-test': Permission denied
Steps to reproduce the issue
Can be reproduced with the following open source projects:
https://github.com/iMicknl/python-overkiz-api/blob/main/.devcontainer/devcontainer.json
https://github.com/home-assistant/core/blob/dev/.devcontainer/devcontainer.json
Clone the project and open it in a devcontainer. It already fails during the post-create step because it lacks permission to write to disk.
Describe the results you received
[153883 ms] postCreateCommand from devcontainer.json failed with exit code 1. Skipping any further user-provided commands.
(due to Permission denied)
Describe the results you expected
Devcontainer opens without problems in read/write mode, without changes to the devcontainer config.
podman info output
Client:
APIVersion: 5.7.1
BuildOrigin: pkginstaller
Built: 1765378682
BuiltTime: Wed Dec 10 15:58:02 2025
GitCommit: f845d14e941889ba4c071f35233d09b29d363c75
GoVersion: go1.25.5
Os: darwin
OsArch: darwin/arm64
Version: 5.7.1
host:
arch: arm64
buildahVersion: 1.42.2
cgroupControllers:
- cpuset
- cpu
- io
- memory
- pids
- rdma
- misc
- dmem
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.1.13-2.fc43.aarch64
path: /usr/bin/conmon
version: 'conmon version 2.1.13, commit: '
cpuUtilization:
idlePercent: 99.21
systemPercent: 0.54
userPercent: 0.25
cpus: 5
databaseBackend: sqlite
distribution:
distribution: fedora
variant: coreos
version: "43"
emulatedArchitectures:
- linux/386
- linux/amd64
- linux/arm64be
eventLogger: journald
freeLocks: 2044
hostname: localhost.localdomain
idMappings:
gidmap: null
uidmap: null
kernel: 6.17.7-300.fc43.aarch64
linkmode: dynamic
logDriver: journald
memFree: 962973696
memTotal: 3786977280
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns-1.17.0-1.fc43.aarch64
path: /usr/libexec/podman/aardvark-dns
version: aardvark-dns 1.17.0
package: netavark-1.17.1-1.fc43.aarch64
path: /usr/libexec/podman/netavark
version: netavark 1.17.1
ociRuntime:
name: crun
package: crun-1.24-1.fc43.aarch64
path: /usr/bin/crun
version: |-
crun version 1.24
commit: 54693209039e5e04cbe3c8b1cd5fe2301219f0a1
rundir: /run/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
os: linux
pasta:
executable: /usr/bin/pasta
package: passt-0^20250919.g623dbf6-1.fc43.aarch64
version: |
pasta 0^20250919.g623dbf6-1.fc43.aarch64-pasta
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
remoteSocket:
exists: true
path: unix:///run/podman/podman.sock
rootlessNetworkCmd: pasta
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: false
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: true
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.3.1-3.fc43.aarch64
version: |-
slirp4netns version 1.3.1
commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
libslirp: 4.9.1
SLIRP_CONFIG_VERSION_MAX: 6
libseccomp: 2.6.0
swapFree: 0
swapTotal: 0
uptime: 20h 14m 38.00s (Approximately 0.83 days)
variant: v8
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries:
search:
- docker.io
store:
configFile: /usr/share/containers/storage.conf
containerStore:
number: 3
paused: 0
running: 1
stopped: 2
graphDriverName: overlay
graphOptions:
overlay.additionalImageStores:
- /usr/lib/containers/storage
overlay.imagestore: /usr/lib/containers/storage
overlay.mountopt: nodev,metacopy=on
graphRoot: /var/lib/containers/storage
graphRootAllocated: 99252940800
graphRootUsed: 16308363264
graphStatus:
Backing Filesystem: xfs
Native Overlay Diff: "false"
Supports d_type: "true"
Supports shifting: "true"
Supports volatile: "true"
Using metacopy: "true"
imageCopyTmpDir: /var/tmp
imageStore:
number: 77
runRoot: /run/containers/storage
transientStore: false
volumePath: /var/lib/containers/storage/volumes
version:
APIVersion: 5.7.1
BuildOrigin: 'Copr: packit/containers-podman-27732'
Built: 1765238400
BuiltTime: Tue Dec 9 01:00:00 2025
GitCommit: f845d14e941889ba4c071f35233d09b29d363c75
GoVersion: go1.25.4 X:nodwarf5
Os: linux
OsArch: linux/arm64
Version: 5.7.1
Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
No
Additional environment details
macOS 26.2 (25C56)
Visual Studio Code:
Version: 1.108.0 (Universal)
Commit: 94e8ae2b28cb5cc932b86e1070569c4463565c37
Date: 2026-01-08T13:53:10.781Z (2 days ago)
Electron: 39.2.7
ElectronBuildId: 12953945
Chromium: 142.0.7444.235
Node.js: 22.21.1
V8: 14.2.231.21-electron.0
OS: Darwin arm64 25.2.0
- ms-vscode-remote.remote-containers
Podman
Client: Podman Engine
Version: 5.7.1
API Version: 5.7.1
Go Version: go1.25.5
Git Commit: f845d14
Built: Wed Dec 10 15:58:02 2025
Build Origin: pkginstaller
OS/Arch: darwin/arm64
Server: Podman Engine
Version: 5.7.1
API Version: 5.7.1
Go Version: go1.25.4 X:nodwarf5
Git Commit: f845d14
Built: Tue Dec 9 01:00:00 2025
OS/Arch: linux/arm64
Additional information
No response
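
The ownership mismatch shown in the log can be checked mechanically. The following is an added diagnostic sketch, not part of the original report or of Podman: it selects the permission class (owner, group or other) that applies to a user and tests that class's write bit. The function names are hypothetical, and the numeric GID 20 for `dialout` is an assumption (the log only shows the name).

```shell
#!/bin/sh
# Added example: which permission class (owner/group/other) applies to a user
# on a path, and whether that class has the write bit. Plain mode bits only:
# ACLs, CAP_DAC_OVERRIDE and read-only mounts are not considered.

# dac_write_check UID "GID GID ..." OWNER_UID OWNER_GID OCTAL_MODE
# Prints "<class> <allow|deny>"; returns 0 only when writing is allowed.
dac_write_check() {
    dw_uid="$1"; dw_gids="$2"; dw_ouid="$3"; dw_ogid="$4"
    dw_perms=$(( 0$5 & 0777 ))        # leading 0 makes the mode octal
    dw_class=other; dw_bit=$(( 0002 ))
    if [ "$dw_uid" -eq "$dw_ouid" ]; then
        dw_class=owner; dw_bit=$(( 0200 ))
    else
        for dw_g in $dw_gids; do      # intentionally unquoted: split the list
            if [ "$dw_g" -eq "$dw_ogid" ]; then
                dw_class=group; dw_bit=$(( 0020 )); break
            fi
        done
    fi
    if [ $(( dw_perms & dw_bit )) -ne 0 ]; then
        echo "$dw_class allow"; return 0
    fi
    echo "$dw_class deny"; return 1
}

# explain_path PATH: run the same check for the current user on a real path
# (uses GNU stat, as found inside the Linux container).
explain_path() {
    ep_st=$(stat -c '%u %g %a' -- "$1") || return 2
    set -- "$1" $ep_st                # $2=owner uid, $3=owner gid, $4=mode
    echo "path=$1 owner=$2:$3 mode=$4 user=$(id -u) groups=$(id -G)"
    dac_write_check "$(id -u)" "$(id -G)" "$2" "$3" "$4"
}

# Constructed from the report's log: vscode is UID 1000 with groups 1000,991;
# the mount is owned by 503:dialout (GID 20 assumed) with mode drwxr-xr-x.
echo "report case: $(dac_write_check 1000 '1000 991' 503 20 755)"
```

Running `explain_path /workspaces/home-assistant-core` inside the devcontainer applies the same check to the live mount and prints the IDs it compared.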