Describe the bug
Hi, I'm following the docs' rootless Podman via quadlets example, which suggests that Jotty works with rootless Podman by passing UserNS, PUID, and PGID.
However, I don't believe a true rootless Podman configuration is actually possible with the current image because of two conflicting permission requirements:
- Jotty writes to root-owned paths inside the image (e.g. /app/node_modules). Under rootless Podman, UserNS=keep-id makes the container run as the host UID, so these paths become unwritable, producing errors such as: "EACCES: permission denied, open '/app/node_modules/next/dist/compiled/next-server/app-page-turbo.runtime.prod.js'".
- If the container is instead run as User=root, then bind-mounted directories become unwritable. Under rootless Podman, the container's root maps to an unprivileged host UID, so writes to host-owned files fail with errors like: "EACCES: permission denied, open '/app/data/site.webmanifest'".
In summary, under rootless Podman:
- running as the host UID will break writes inside the image
- running as container-root will break writes to bind mounts
To support rootless Podman, I believe the image would need to either:
- avoid writing to root-owned paths at runtime
- make writable directories owned by a non-root UID
- start as root only long enough to fix permissions, then drop to PUID/PGID
Thanks for the project! Jotty has been working great for me under Docker, and I wanted to share this in case anyone else was planning to migrate to rootless Podman.
Steps to Reproduce
- Use the docs' rootless Podman via quadlet example.
- Start the service.
- Jotty produces EACCES errors.
How do you run Jotty?
Other
Jotty Version
latest
Checklist
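As an added example (not code from this report or from the Jotty project), here is an entrypoint sketch of the third option the report proposes: start as root only long enough to fix ownership, then drop to PUID/PGID, with a pre-flight that names the paths that would otherwise fail with EACCES. It assumes PUID/PGID as in the docs, GNU stat and setpriv (util-linux) in the image, and a constructed list of writable paths.

```shell
#!/bin/sh
# Added example, not Jotty's own entrypoint: start as root only long enough to
# fix ownership, then drop to PUID/PGID, plus a pre-flight that names the paths
# which would otherwise fail with EACCES.
# Assumed: PUID/PGID as in the docs, GNU stat, and setpriv (util-linux) in the image.
set -eu

# Paths the report shows Jotty writing to at runtime (assumed list; override via env).
WRITABLE_PATHS="${WRITABLE_PATHS:-/app/data /app/node_modules}"

# Runtime identity: PUID/PGID when given, otherwise whatever we already run as.
target_uid() { printf '%s' "${PUID:-$(id -u)}"; }
target_gid() { printf '%s' "${PGID:-$(id -g)}"; }

# Print, one per line, every existing path not owned by uid $1.
# Ownership rather than a trial write is the right check inside a user namespace:
# a file can be mode 755 and still belong to an id that maps to nobody on the host.
paths_not_owned_by() {
  want="$1"; shift
  for p in "$@"; do
    [ -e "$p" ] || continue
    [ "$(stat -c %u "$p")" = "$want" ] || printf '%s\n' "$p"
  done
}

# 0 when uid $1 owns every path in WRITABLE_PATHS, 1 otherwise.
writable_as() { [ -z "$(paths_not_owned_by "$1" $WRITABLE_PATHS)" ]; }

main() {
  uid=$(target_uid); gid=$(target_gid)
  if [ "$(id -u)" = 0 ]; then
    # Container root: take ownership, then drop privileges for the real process.
    # Under rootless Podman this "root" is an unprivileged host uid, so chown of a
    # bind mount can itself fail; surface that instead of a later, vaguer EACCES.
    for p in $(paths_not_owned_by "$uid" $WRITABLE_PATHS); do
      chown -R "$uid:$gid" "$p" || { echo "cannot chown $p (rootless id mapping?)" >&2; exit 1; }
    done
    exec setpriv --reuid="$uid" --regid="$gid" --init-groups "$@"
  fi
  # Already unprivileged (UserNS=keep-id): nothing can be fixed, so report precisely.
  if ! writable_as "$(id -u)"; then
    echo "paths not owned by uid $(id -u); writes there will hit EACCES:" >&2
    paths_not_owned_by "$(id -u)" $WRITABLE_PATHS >&2
    exit 1
  fi
  exec "$@"
}
# Act as the entrypoint only when a command is given; otherwise just define the functions.
if [ -n "${1:-}" ]; then main "$@"; fi
```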