Method to opt-out `force_mask` when image is stored on NFS

[hehaoqian]

Podman version: 4.9.4
distro: RHEL 8.10

When pulling image into a NFS v4.2 drive with xattr enabled,
there is the following warning

WARN[0000] Network file system detected as backing store.  Enforcing overlay option `force_mask="700"`.  Add it to storage.conf to silence this warning

And I found the following code in this repository

		if unshare.IsRootless() && isNetworkFileSystem(fsMagic) && opts.forceMask == nil {
			m := os.FileMode(0o700)
			opts.forceMask = &m
			logrus.Warnf("Network file system detected as backing store.  Enforcing overlay option `force_mask=\"%o\"`.  Add it to storage.conf to silence this warning", m)
		}

---

Anyway to opt-out force_mask, so I can run the image with non-root user? (uid=1000, gid=1000)

The problems:

1. force_mask = 0700, and run the image with non-root user -> Permission denied when trying to run any program
2. force_mask = 0777, and run the image with non-root user -> Okay to run program, but sudo does not work due to missing setuid permission bit, and /etc/sudoers is world readable, and everything should be owned by the non-root user, owned by root instead.

[mtrmac]

Thanks for your report.

This is a development repository focusing on the future versions; for RHEL support, please reach out to Red Hat via the standard support channels, perhaps starting at https://access.redhat.com .

---

In that situation, the user account does not have root permissions; would it actually work if you opted out of force_mask, without any privileges to create files as different user accounts? I’d expect that to fail. I suppose you can try yourself, by commenting out that block of code.

I think the core of the problem is something else — “the problems” indicate that the data stored in user.containers.override_stat is not being visible inside containers, for some reason. An unexpected mount_program (old, with a version mismatch) perhaps?!