From 345ac8a3965446b3ecc3bd971695831d82497f59 Mon Sep 17 00:00:00 2001
From: deeplow
Date: Mon, 15 Aug 2022 13:08:37 +0100
Subject: [PATCH] podman run with --userns=keep-id to mount volumes

Moving to /dangerzone was failing with insuficient permissions:

Invalid JSON returned from container: PermissionError: [Errno 13] Permission denied: '/dangerzone/page-3.rgb'

A previous approach was removed in commit 805222. It started with root at first in a wrapper script and then dropped these priviledges which running the script.

`--userns=keep-id` solves the mountpoint issues as it maps the user starting the container is mapped in the container [1].

[1]: https://www.redhat.com/sysadmin/user-flag-rootless-containers
---
 dangerzone/container.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dangerzone/container.py b/dangerzone/container.py
index 0162e61..dedbe2b 100644
--- a/dangerzone/container.py
+++ b/dangerzone/container.py
@@ -81,6 +81,7 @@ def convert(input_filename, output_filename, ocr_lang, stdout_callback):
     else:
         platform_args = []
     security_args = ["--security-opt", "no-new-privileges"]
+    security_args += ["--userns", "keep-id"]
     # drop all linux kernel capabilities
     security_args += ["--cap-drop", "all"]
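Review bot: The added `--userns keep-id` is appended to `security_args` unconditionally, although the `else:` / `platform_args = []` context just above suggests the function already branches per platform; `keep-id` is a podman-specific value (Docker's `--userns` does not accept it, as far as I know), so if this same argument list is also handed to Docker Desktop on other platforms the run would fail there and the flag probably belongs with the platform-specific arguments. The new line also deserves a why-comment in the style of the `# drop all linux kernel capabilities` line below it, e.g. `# map the invoking user into the container so the bind-mounted /dangerzone volume is writable (rootless podman)`, since the permission error in the commit message is the only explanation for it. Worth noting in that comment too: keep-id makes files written to the mount owned by the invoking host user, which is the intended effect here and still sits under `no-new-privileges` and `--cap-drop all`. convert() starts and ends outside the hunk.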