Update Podman run command for user namespace to map into 1000:1000 #140

GeiserX merged 1 commit into GeiserX:main
I am not 100% sure this is a correct way, but in my case with podman 5.4.2 on Debian trixie I found that inside I do have my UID (some other number) mapped to itself but not to the 1000. So, `--userns=keep-id` would likely work for anyone with "default first" account but likely not work for anyone with UID not 1000. With the settings proposed here we seem to get proper mapping done of my UID:GID to the internal one and permissions are ok, and run of (older, 2 mo) container works without a complaint about db.

No actionable comments were generated in the recent review.

Walkthrough: Updated the Podman container run command example in the permission-error help text function to specify an explicit UID/GID mapping (

Codecov Report

✅ All modified and coverable lines are covered by tests.

```
@@           Coverage Diff           @@
##             main     #140   +/-   ##
=======================================
  Coverage   94.07%   94.07%
=======================================
  Files          21       21
  Lines        6127     6127
=======================================
  Hits         5764     5764
  Misses        363      363
```

dang, actually I thought it worked given my prior explorations, here -- we get odd unique UID when mapped back:

```
$> podman run --userns=keep-id -it --rm --env-file .env -e SESSION_NAME=onerussian -v $PWD/ses-onerussian/:/data/:Z drumsergio/telegram-archive:latest touch /data/touch
ERRO[0000] User-selected graph driver "overlay" overwritten by graph driver "vfs" from database - delete libpod local files ("/home/yoh/.local/share/containers/storage") to resolve. May prevent use of images created by other tools
$> ls -l ses-onerussian
total 4
drwxr-xr-x 1 yoh 1280648 10 Feb 3 17:03 backups/
drwxr-xr-x 1 yoh 1280648 36 May 2 21:40 session/
-rw-r--r-- 1 1280648 1280648 0 May 3 10:54 touch
```

whenever here all good and inside container we touch just fine! but found that I still get the same error:

```
mkdir -p ses-onerussian
podman run --userns=keep-id:uid=1000,gid=1000 -it --rm --env-file .env -e SESSION_NAME=onerussian -v $PWD/ses-onerussian/:/data/:Z drumsergio/telegram-archive:latest python -m src.telegram_backup
ERRO[0000] User-selected graph driver "overlay" overwritten by graph driver "vfs" from database - delete libpod local files ("/home/yoh/.local/share/containers/storage") to resolve. May prevent use of images created by other tools
2026-05-03 15:04:38 - src.db.base - INFO - Initializing database: sqlite+aiosqlite:///data/telegram_backup.db
2026-05-03 15:04:48 - src.db.base - INFO - Database initialized successfully (SQLite)
2026-05-03 15:04:48 - __main__ - INFO - TelegramBackup initialized
2026-05-03 15:04:48 - src.db.base - INFO - Database connections closed
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/app/src/telegram_backup.py", line 1316, in <module>
    asyncio.run(run_backup(config))
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/base_events.py", line 654, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/app/src/telegram_backup.py", line 1301, in run_backup
    await backup.connect()
  File "/app/src/telegram_backup.py", line 110, in connect
    self.client = TelegramClient(
                  ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/telethon/client/telegrambaseclient.py", line 291, in __init__
    session = SQLiteSession(str(session))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/telethon/sessions/sqlite.py", line 47, in __init__
    c = self._cursor()
        ^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/telethon/sessions/sqlite.py", line 242, in _cursor
    self._conn = sqlite3.connect(self.filename,
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
sqlite3.OperationalError: unable to open database file
make: *** [Makefile:3: backup] Error 1
```

I had spotted some remaining (I guess I had run once without mapping uid/gid) group ownerships -- so fixed them and reran and got the same

```
$> sudo chown yoh:yoh -R *
$> ls -l ses-onerussian
total 4
drwxr-xr-x 1 yoh yoh 10 Feb 3 17:03 backups/
drwxr-xr-x 1 yoh yoh 36 May 2 21:40 session/
$> datalad run make backup
[INFO ] == Command start (output follows) =====
mkdir -p ses-onerussian
podman run --userns=keep-id:uid=1000,gid=1000 -it --rm --env-file .env -e SESSION_NAME=onerussian -v $PWD/ses-onerussian/:/data/:Z drumsergio/telegram-archive:latest python -m src.telegram_backup
ERRO[0000] User-selected graph driver "overlay" overwritten by graph driver "vfs" from database - delete libpod local files ("/home/yoh/.local/share/containers/storage") to resolve. May prevent use of images created by other tools
2026-05-04 12:01:29 - src.db.base - INFO - Initializing database: sqlite+aiosqlite:///data/telegram_backup.db
2026-05-04 12:01:30 - src.db.base - INFO - Database initialized successfully (SQLite)
2026-05-04 12:01:30 - __main__ - INFO - TelegramBackup initialized
2026-05-04 12:01:30 - src.db.base - INFO - Database connections closed
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/app/src/telegram_backup.py", line 1316, in <module>
    asyncio.run(run_backup(config))
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/base_events.py", line 654, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/app/src/telegram_backup.py", line 1301, in run_backup
    await backup.connect()
  File "/app/src/telegram_backup.py", line 110, in connect
    self.client = TelegramClient(
                  ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/telethon/client/telegrambaseclient.py", line 291, in __init__
    session = SQLiteSession(str(session))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/telethon/sessions/sqlite.py", line 47, in __init__
    c = self._cursor()
        ^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/telethon/sessions/sqlite.py", line 242, in _cursor
    self._conn = sqlite3.connect(self.filename,
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
sqlite3.OperationalError: unable to open database file
make: *** [Makefile:3: backup] Error 1
[INFO ] == Command exit (modification check follows) =====
[INFO ] The command had a non-zero exit code. If this is expected, you can save the changes with 'datalad save -d . -r -F .git/COMMIT_EDITMSG'
run(error): /mnt/btrfs/onerussian.com/sourcedata/src-telegram (dataset) [make backup]
datalad run make backup 6.30s user 14.76s system 47% cpu 44.799 total
```

but oddly it first said that all good with DB: and error comes later -- maybe while just operating on that closed DB? anyways... now I am pulling newer container to see if potentially some related issue was addressed since then... overall I still feel that proposed changes here are correct but above error somewhat contradicts that statement.

with newer version situation is similar

```
(git)smaug:/mnt/btrfs/onerussian.com/sourcedata/src-telegram[master]git
$> datalad run duct make backup
[INFO ] == Command start (output follows) =====
2026-05-04T08:58:39-0400 [INFO ] con-duct: python-dotenv not installed, skipping .env file loading
2026-05-04T08:58:39-0400 [INFO ] con-duct: duct 0.18.0 is executing 'make backup'...
2026-05-04T08:58:39-0400 [INFO ] con-duct: Log files will be written to .duct/logs/2026.05.04T08.58.39-3723964_
mkdir -p ses-onerussian
podman run --userns=keep-id:uid=1000,gid=1000 -it --rm --env-file .env -e SESSION_NAME=onerussian -v $PWD/ses-onerussian/:/data/:Z drumsergio/telegram-archive:latest python -m src.telegram_backup
time="2026-05-04T08:58:39-04:00" level=error msg="User-selected graph driver \"overlay\" overwritten by graph driver \"vfs\" from database - delete libpod local files (\"/home/yoh/.local/share/containers/storage\") to resolve. May prevent use of images created by other tools"
No database found yet - skipping migrations (will be created automatically)
2026-05-04 12:58:53 - src.db.base - INFO - Initializing database: sqlite+aiosqlite:///data/telegram_backup.db
2026-05-04 12:58:54 - src.db.base - INFO - Database initialized successfully (SQLite)
2026-05-04 12:58:54 - __main__ - INFO - TelegramBackup initialized
2026-05-04 12:58:54 - src.db.base - INFO - Database connections closed
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/app/src/telegram_backup.py", line 2076, in <module>
    main()
    ~~~~^^
  File "/app/src/telegram_backup.py", line 2071, in main
    return asyncio.run(run_backup(config))
           ~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.14/asyncio/runners.py", line 204, in run
    return runner.run(main)
           ~~~~~~~~~~^^^^^^
  File "/usr/local/lib/python3.14/asyncio/runners.py", line 127, in run
    return self._loop.run_until_complete(task)
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/usr/local/lib/python3.14/asyncio/base_events.py", line 719, in run_until_complete
    return future.result()
           ~~~~~~~~~~~~~^^
  File "/app/src/telegram_backup.py", line 2021, in run_backup
    await backup.connect()
  File "/app/src/telegram_backup.py", line 242, in connect
    self.client = TelegramClient(
                  ~~~~~~~~~~~~~~^
        self.config.session_path,
        ^^^^^^^^^^^^^^^^^^^^^^^^^
    ...<2 lines>...
        **self.config.get_telegram_client_kwargs(),
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/usr/local/lib/python3.14/site-packages/telethon/client/telegrambaseclient.py", line 297, in __init__
    session = SQLiteSession(str(session))
  File "/usr/local/lib/python3.14/site-packages/telethon/sessions/sqlite.py", line 48, in __init__
    c = self._cursor()
  File "/usr/local/lib/python3.14/site-packages/telethon/sessions/sqlite.py", line 259, in _cursor
    self._conn = sqlite3.connect(self.filename,
                 ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
                                 check_same_thread=False)
                                 ^^^^^^^^^^^^^^^^^^^^^^^^
sqlite3.OperationalError: unable to open database file
make: *** [Makefile:3: backup] Error 1
2026-05-04T08:58:58-0400 [INFO ] con-duct: Summary:
Exit Code: 2
Command: make backup
Log files location: .duct/logs/2026.05.04T08.58.39-3723964_
Wall Clock Time: 18.752 sec
Memory Peak Usage (RSS): 70.2 MB
Memory Average Usage (RSS): 67.2 MB
Virtual Memory Peak Usage (VSZ): 3.0 GB
Virtual Memory Average Usage (VSZ): 2.9 GB
Memory Peak Percentage: 0.00%
Memory Average Percentage: 0.00%
CPU Peak Usage: 74.20%
[INFO ] == Command exit (modification check follows) =====
[INFO ] The command had a non-zero exit code. If this is expected, you can save the changes with 'datalad save -d . -r -F .git/COMMIT_EDITMSG'
```

Thanks @yarikoptic! Great catch — the explicit UID/GID mapping is strictly better and works for any host UID, not just 1000. Merged and released in v7.7.2.
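
An added example (not part of the PR or the project's code) that models the two `--userns` settings discussed in this thread as `uid_map`-style ranges and translates a container UID into the host UID that ends up owning files on the bind mount. The host UID 1018 and the subordinate range start 1279648 are constructed assumptions, chosen so that container UID 1000 under plain `keep-id` lands on the 1280648 owner seen in the `ls -l` output above; the range layout is likewise an assumption about how rootless Podman arranges the mapping, and GIDs follow the same logic through `gid_map`.

```python
"""Added example: translate container UIDs to host UIDs through nested user
namespaces, using the three-column uid_map format (inside, outside, count)."""

# All values below are constructed for illustration (assumptions):
HOST_UID = 1018        # hypothetical host account whose UID is not 1000
SUB_START = 1279648    # hypothetical /etc/subuid range start for that account

# Rootless parent namespace, relative to the host: 0 is the user, 1.. are subuids.
ROOTLESS_NS = f"0 {HOST_UID} 1\n1 {SUB_START} 65536\n"
# Container namespace for --userns=keep-id, relative to the rootless namespace.
KEEP_ID = (f"0 1 {HOST_UID}\n{HOST_UID} 0 1\n"
           f"{HOST_UID + 1} {HOST_UID + 1} {65536 - HOST_UID}\n")
# Container namespace for --userns=keep-id:uid=1000,gid=1000.
KEEP_ID_1000 = "0 1 1000\n1000 0 1\n1001 1001 64536\n"


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, count) tuples."""
    ranges = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, count = (int(field) for field in line.split())
            ranges.append((inside, outside, count))
    return ranges


def map_out(uid, ranges):
    """Map an ID one namespace level outward; None means it is unmapped."""
    for inside, outside, count in ranges:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None


def container_to_host(uid, container_map, parent_map=ROOTLESS_NS):
    """Compose both levels: container -> rootless namespace -> host."""
    middle = map_out(uid, parse_uid_map(container_map))
    if middle is None:
        return None
    return map_out(middle, parse_uid_map(parent_map))


if __name__ == "__main__":
    for name, cmap in (("keep-id", KEEP_ID), ("keep-id:uid=1000", KEEP_ID_1000)):
        print(name, {u: container_to_host(u, cmap) for u in (0, 1000, HOST_UID)})
```
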