Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind feature
Description
We are running multiple rootful containers with --uidmap & --gidmap, each with disjoint ranges from other containers. Over time the goal is to migrate to fully rootless containers and I think the issue also applies there.
The problem we want to solve is that we want to be able to mount the same directory into multiple containers and let each of them use it as if the owners are all within their namespace. I.e. the mount should have a thin layer that fakes UID/GID of the file owners for each container, but the actual files are not duplicated, I believe something similar is done with container image files when starting the container?
Ideally this would be an option to --volume, similar to U, but that does not modify the host filesystem.
Showcasing the wanted behavior with commands:

```console
host $ ls -ln /data
total 0
drwxr-xr-x. 5 1000 1000 41 Sep 24 10:13 dir1
drwxr-xr-x. 5 1000 1000 63 Oct 29 17:45 dir2
host $ sudo podman run -d --name container1 --net podman --uidmap 0:100000:65536 --gidmap 0:100000:65536 --entrypoint ls -v /data:/data:z centos:8 -ln /data
total 0
drwxr-xr-x. 5 1000 1000 41 Sep 24 10:13 dir1
drwxr-xr-x. 5 1000 1000 63 Oct 29 17:45 dir2
host $ sudo podman run -d --name container2 --net podman --uidmap 0:200000:65536 --gidmap 0:200000:65536 --entrypoint ls -v /data:/data:z centos:8 -ln /data
total 0
drwxr-xr-x. 5 1000 1000 41 Sep 24 10:13 dir1
drwxr-xr-x. 5 1000 1000 63 Oct 29 17:45 dir2
```

The current behavior is that the `ls` in the container will show IDs 65534.