[OpenAFS] Re: writeable /afs bind mount inside a podman container

Chad W Seys cwseys@physics.wisc.edu
Wed, 17 May 2023 16:24:44 +0000


Hi Michael,

> I can only speculate, because I don't use podman. With unprivileged LXC containers, it works for me under the condition that the user's token does not use a PAG but is bound to the user id only.

That sounds likely.

> So, my speculation would be that apptainer is able to run inside an established PAG and podman is not.

Do you know of a way to bind the token to the user id instead of a PAG?  Alternatively, podman might be doing something to leave the PAG of the parent that can be disabled.  (Probably for security purposes.)

Thanks for those ideas!
C.
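A check a practitioner would want before chasing the PAG theory further is to confirm whether the shell that starts the container is actually in a PAG, and whether the process inside the container still is. The script below is an added example for this thread, not code from the original message or from the OpenAFS or podman projects. It assumes the Linux OpenAFS client's keyring-based PAGs, where a process in a PAG carries an `afs_pag` key in its session keyring that `keyctl show` lists; the sample `keyctl show` outputs embedded in it are constructed, not captured from a real host. The function names (`pag_in_keyctl_output`, `token_scope`, `live_token_scope`) are mine.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes keyring-based PAGs,
# where `keyctl show` lists an "afs_pag" key for a process inside a PAG.

# pag_in_keyctl_output TEXT
# Return 0 if TEXT (the output of `keyctl show`) contains an afs_pag key,
# i.e. the process that ran keyctl is inside a PAG; return 1 otherwise.
pag_in_keyctl_output() {
    printf '%s\n' "$1" | grep -q 'afs_pag:'
}

# token_scope TEXT
# Print "pag" if a token obtained from this context would be bound to the
# PAG, or "uid" if it would be bound to the user id only (no PAG present).
# Assumption: aklog run outside any PAG attaches the token to the UID.
token_scope() {
    if pag_in_keyctl_output "$1"; then
        echo pag
    else
        echo uid
    fi
}

# Constructed sample outputs (assumed shape of `keyctl show`; not real data).
SAMPLE_IN_PAG='Session Keyring
 123456789 --alswrv   1000  1000  keyring: _ses
 987654321 --alswrv   1000  1000   \_ afs_pag: _pag'

SAMPLE_NO_PAG='Session Keyring
 123456789 --alswrv   1000  1000  keyring: _ses
 555555555 --alswrv   1000  1000   \_ user: invocation_id'

# live_token_scope
# Run the check against the current shell, if keyctl is installed.
live_token_scope() {
    if command -v keyctl >/dev/null 2>&1; then
        token_scope "$(keyctl show 2>/dev/null)"
    else
        echo "keyctl not available"
    fi
}

# Demonstration on the constructed samples, then on the live shell.
echo "sample with PAG:    $(token_scope "$SAMPLE_IN_PAG")"
echo "sample without PAG: $(token_scope "$SAMPLE_NO_PAG")"
echo "this shell:         $(live_token_scope)"
```

To apply it to the question in the thread, run `live_token_scope` once in the host shell that launches the container and once inside the container (the image must have `keyctl` available). If the host reports `pag` and the container reports `uid`, the container runtime has left the parent's PAG and the tokens obtained inside the PAG are not visible there; obtaining the token outside `pagsh`, so that it is bound to the user id, is then the thing to try.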