Closed
Labels: kind/bug, locked - please file new issue/PR
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
#16249 enabled the idmap option for volumes.
Podman still chowns the volume to the container's uid/gid, though, which causes the container to not be able to use it.
Steps to reproduce the issue:
podman run --rm -it --mount type=volume,src=testvol,dst=/mnt,rw,idmap alpine touch /mnt/test
Describe the results you received:
touch: /mnt/test: Permission denied
Describe the results you expected:
That it created the file successfully
Additional information you deem important (e.g. issue happens only occasionally):
inside the container:
# ls -lah /mnt/
total 12K
drwxr-xr-x 2 nobody nobody 4.0K Nov 22 13:08 .
dr-xr-xr-x 1 root root 4.0K Dec 3 15:18 ..
outside:
# ls -lah /var/lib/containers/storage/volumes/testvol/
total 12K
drwx------. 3 165534 165534 4.0K Dec 3 15:08 .
drwx--x--x. 20 root root 4.0K Dec 3 15:10 ..
drwxr-xr-x. 2 165534 165534 4.0K Nov 22 13:08 _data
podman volume inspect testvol before start:
[
    {
        "Name": "testvol",
        "Driver": "local",
        "Mountpoint": "/var/lib/containers/storage/volumes/testvol/_data",
        "CreatedAt": "2022-12-03T15:22:42.975413444Z",
        "Labels": {},
        "Scope": "local",
        "Options": {},
        "MountCount": 0,
        "NeedsCopyUp": true,
        "NeedsChown": true
    }
]
podman volume inspect testvol after start:
[
    {
        "Name": "testvol",
        "Driver": "local",
        "Mountpoint": "/var/lib/containers/storage/volumes/testvol/_data",
        "CreatedAt": "2022-12-03T15:22:42.975413444Z",
        "Labels": {},
        "Scope": "local",
        "Options": {},
        "UID": 165534,
        "GID": 165534,
        "MountCount": 0,
        "NeedsCopyUp": true
    }
]
Output of podman version:
Client: Podman Engine
Version: 4.4.0-dev
API Version: 4.4.0-dev
Go Version: go1.19.3
Built: Sat Dec 3 11:15:42 2022
OS/Arch: linux/arm64
Output of podman info:
Built from 480c7fb
host:
  arch: arm64
  buildahVersion: 1.29.0-dev
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.5-1.fc37.aarch64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.5, commit: '
  cpuUtilization:
    idlePercent: 98.19
    systemPercent: 1.02
    userPercent: 0.78
  cpus: 6
  distribution:
    distribution: fedora
    variant: coreos
    version: "37"
  eventLogger: journald
  hostname: homeserver
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.0.9-300.fc37.aarch64
  linkmode: dynamic
  logDriver: journald
  memFree: 2121572352
  memTotal: 3994021888
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.7-1.fc37.aarch64
    path: /usr/bin/crun
    version: |-
      crun version 1.7
      commit: 40d996ea8a827981895ce22886a9bac367f87264
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-8.fc37.aarch64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 17179865088
  swapTotal: 17179865088
  uptime: 2h 25m 17.00s (Approximately 0.08 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 474196275200
  graphRootUsed: 3465912320
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 5
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.4.0-dev
  Built: 1670066142
  BuiltTime: Sat Dec 3 11:15:42 2022
  GitCommit: ""
  GoVersion: go1.19.3
  Os: linux
  OsArch: linux/arm64
  Version: 4.4.0-dev