@chrmarti I have done some investigations and on Windows WSL and macOS things work out of the box: no need for `z` and `--userns` options.
On Linux things are a little bit more complicated but we may solve the problem if the Dev Containers extension:
- sets the environment variable `PODMAN_USERNS=keep-id` before running `podman/docker run` commands
- adds `--security-opt label=disable` for every `podman/docker run` command
With these two changes, setting the `z` and `--userns` options wouldn't be needed anymore. It works for both rootless and rootful Podman.
Here is a detailed explanation:
- For rootful podman, the option to relabel the file objects (`z` or `Z`) may (*) be required (`--security-opt label=disable` works too)
- For rootless podman, in addition to the relabelling, the option to keep the same user id in the namespace (`--userns=keep-id`) is required.
- Docker (rootful) has `--security-opt label=disable` and as a consequence doesn't need any specific flag/option.
(*) it may work without that option depending on the existing labels and permissions of the folder that we want to bind mount, but to always work, `z` is required.
To set the relabel option there are multiple options (the bold one may be more adapted for Dev Containers):
- use the `:z` or `:Z` volume option
- add the `--security-opt label=disable` to `podman run` command
- set `label = false` in `[containers]` section of `containers.conf`
To set userns to keep-id there are multiple options too (the bold one may be more adapted for Dev Containers):
- add the `--userns=keep-id` to `podman run` commands (but that doesn't seem like a valid value for Docker)
- `export PODMAN_USERNS=keep-id`
- set `userns = "keep-id"` in `[containers]` section of `containers.conf`
Originally posted by @l0rd in microsoft/vscode-docs#8122 (comment)