[3534743332] Upstream Reporter: Dwayne Bradley
Upstream issue status: Open
Upstream description:
Issue Description
When using the Docker SDK to call the CopyToContainer API through the podman.sock, Podman is not preserving the UID and GID of the folders and files in the TAR archive even when passing the CopyUIDGID: true option. Every folder and file is being copied into the container as root:root.
Steps to reproduce the issue
- Clone test code - https://github.com/dwaynebradley/docker-copytocontainer-example.git
- The sample code calls CopyToContainer API and passes the CopyUIDGID: true in the CopyToContainerOptions
- View contents of the tar file to see permissions that have been set on the example folder and file - tar -tvf test-configs.tar
  - configs will be owned by 1001:1001
  - configs/test-config-file.txt will be owned by 1002:1002
- Start Podman systemd service - systemctl --user enable --now podman.service
- export DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/podman/podman.sock
- Run the test code to create the container that copies the contents of test-configs.tar into the container - go run main.go
Describe the results you received
- Exec into the container that was created by the sample code - podman exec -ti copy-uidgid-test /bin/sh
- Check ownership on the contents copied into the container
  - stat /configs - it will be owned by root:root
  - stat /configs/test-config-file.txt - it will also be owned by root:root
Describe the results you expected
I expected both the folder and file to have the same ownership as what is stored in the test-configs.tar file.
If I run this exact same code using Docker instead, the ownership on both the file and folder is retained inside of the container correctly.
podman info output
host:
  arch: amd64
  buildahVersion: 1.41.5
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-1:2.1.13-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: 82de887596ed8ee6d9b2ee85e4f167f307bb569b'
  cpuUtilization:
    idlePercent: 99.07
    systemPercent: 0.46
    userPercent: 0.47
  cpus: 16
  databaseBackend: sqlite
  distribution:
    distribution: arch
    version: unknown
  emulatedArchitectures:
  - linux/arm
  - linux/arm64
  - linux/loong64
  - linux/mips64
  - linux/ppc
  - linux/ppc64
  - linux/ppc64le
  - linux/riscv32
  - linux/riscv64
  - linux/s390x
  eventLogger: journald
  freeLocks: 2039
  hostname: USRA1WHP6192208
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.6.87.2-microsoft-standard-WSL2
  linkmode: dynamic
  logDriver: journald
  memFree: 14528659456
  memTotal: 25199562752
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.16.0-1
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.16.0
    package: netavark-1.16.1-1
    path: /usr/lib/podman/netavark
    version: netavark 1.16.1
  ociRuntime:
    name: crun
    package: crun-1.24-1
    path: /usr/bin/crun
    version: |-
      crun version 1.24
      commit: 54693209039e5e04cbe3c8b1cd5fe2301219f0a1
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/sbin/pasta
    package: passt-2025_09_19.623dbf6-1
    version: |
      pasta 2025_09_19.623dbf6
      Copyright Red Hat
      GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SET
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 6442450944
  swapTotal: 6442450944
  uptime: 79h 49m 42.00s (Approximately 3.29 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /home/dwayne/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/dwayne/.local/share/containers/storage
  graphRootAllocated: 1081101176832
  graphRootUsed: 17560457216
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/dwayne/.local/share/containers/storage/volumes
version:
  APIVersion: 5.6.2
  Built: 1759398423
  BuiltTime: Thu Oct 2 05:47:03 2025
  GitCommit: 9dd5e1ed33830612bc200d7a13db00af6ab865a4
  GoVersion: go1.25.1 X:nodwarf5
  Os: linux
  OsArch: linux/amd64
  Version: 5.6.2
Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
Yes
Additional environment details
No response
Additional information
For the "Privileged or Rootless" question...I have tried it both ways with Podman so I just left the default option of "None" selected
Upstream URL: https://github.com/containers/podman/issues/27332
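
A stand-alone check for the behaviour reported above, added here as an example (not code from the reporter's repository or from Podman): it reads the UID/GID from each tar header and reports every path whose observed in-container owner differs. The archive is constructed in memory with the ownership values listed in the report; `Owner`, `SampleArchive` and `OwnershipDrift` are hypothetical names, and the observed map stands in for `stat` results collected from the container.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
)

// Owner is a numeric UID:GID pair as stored in a tar header.
type Owner struct{ UID, GID int }

// SampleArchive builds a constructed archive: configs 1001:1001, configs/test-config-file.txt 1002:1002.
func SampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, h := range []*tar.Header{
		{Name: "configs/", Typeflag: tar.TypeDir, Mode: 0o755, Uid: 1001, Gid: 1001},
		{Name: "configs/test-config-file.txt", Typeflag: tar.TypeReg, Mode: 0o644, Uid: 1002, Gid: 1002},
	} {
		if err := tw.WriteHeader(h); err != nil {
			panic(err) // fixed, valid headers: not expected to fail
		}
	}
	tw.Close()
	return buf.Bytes()
}

// OwnershipDrift returns, keyed by in-container path, the owner the archive expects
// for every member whose observed owner is missing or different.
func OwnershipDrift(archive []byte, observed map[string]Owner) (map[string]Owner, error) {
	drift := map[string]Owner{}
	tr := tar.NewReader(bytes.NewReader(archive))
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		p, want := path.Clean("/"+h.Name), Owner{h.Uid, h.Gid}
		if got, ok := observed[p]; !ok || got != want {
			drift[p] = want
		}
	}
	return drift, nil
}

func main() {
	// Constructed observation matching the report: both paths owned by root:root.
	seen := map[string]Owner{"/configs": {0, 0}, "/configs/test-config-file.txt": {0, 0}}
	fmt.Println(OwnershipDrift(SampleArchive(), seen))
}
```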