2

I have the following system:

Fedora 41
podman-compose version 1.3.0
podman version 5.3.2

and I followed this tutorial for rootless podman. basically pasta for rootless networking, and the /etc/subuid and /etc/subgid configuration.

Then I tried the following steps:

# creating directories
mkdir -p ~/podman-volumes/mongo/data ~/podman-volumes/mongo/logs
mkdir -p ~/podman-volumes/mongo/config/

# create mongod.conf w/ contents
vim ~/podman-volumes/mongo/config/mongod.conf

storage:
  dbPath: /data/db

systemLog:
  destination: file
  path: /var/log/mongodb/mongo.log
  logAppend: true

net:
  bindIp: 0.0.0.0
  port: 27017

# create directory w/ compose file
mkdir -p ~/mongodb/
vim ~/mongodb/docker-compose.yml

services:
  mongodb:
    image: mongo:latest
    container_name: mongodb
    restart: always
    ports:
      - "27017:27017"
    environment:
      MONGO_INITDB_ROOT_USERNAME: admin
      MONGO_INITDB_ROOT_PASSWORD: secret
    volumes:
      - ~/podman-volumes/mongo/data:/data/db
      - ~/podman-volumes/mongo/logs:/var/log/mongodb
      - ~/podman-volumes/mongo/config/mongod.conf:/etc/mongod.conf:ro
    command: ["--config", "/etc/mongod.conf"]

All directories and files have my current user as owner.

when I first executed podman-compose up I get the error chown: changing ownership of '/data/db': Permission denied - I then somewhere found that mongodb is running with user ID 999 inside the container, and I could probably fix it with the following command:

podman unshare chown -R 999:999 ~/podman-volumes/mongo/data

This solved the one mentioned problem, but I still get find: '/data/db': Permission denied. Somehow this should have been solved by the podman unshare command, but it didn't.

I tried adding user: "1000:1000" (which is my current user ID) to the compose file, still no luck.

my question(s):

  • what do I need to do to get MongoDB running, with my custom configuration?
  • how can I determine which user ID is used in a container ?

Just a note: I'm having the same problems with lots of other images (e.g. Elastic, Logstash) when I provide a custom configuration file and I want the logs to be stored locally, I always get permission denied

Improve this question
2
  • 1
    for the one who wants to close - would be nice to know why . thanks Commented Feb 25 at 7:37
  • 1
    I would suggest not using ~ in any folder specification. It's the current user home folder and may change and looks like you refer to wrong user. Better use absolute path names. Commented Feb 25 at 18:03

1 Answer 1

Reset to default
0

I run MongoDB rootless with Podman successfully using a Quadlet unit instead of podman-compose. The key part is that the official mongo image expects to run as UID 999 inside the container, and with rootless Podman you need to map that UID explicitly.

Here’s a working .container unit:

[Unit]
Description=Komodo MongoDB

[Container]
Image=docker.io/mongo:8.0.13@sha256:7acbcf333608e67bc140821d31144dcc579e1479d12d5292d67c74b470082a6a
ContainerName=komodo_mongo_1
Network=komodo.network
Label=komodo.skip=
PublishPort=27017:27017

# Run as the same UID/GID that MongoDB expects
User=999:999

Mount=type=bind,src=/mnt/nfs/komodo/mongo/data,dst=/data/db
Mount=type=bind,src=/mnt/nfs/komodo/mongo/config,dst=/data/configdb
Environment=MONGO_INITDB_ROOT_USERNAME=admin
Secret=komodo_mongo_1_passwd,type=env,target=MONGO_INITDB_ROOT_PASSWORD

# Explicit UID/GID mapping for rootless Podman
PodmanArgs=--uidmap +999:@999:1 --gidmap +999:@999:1

[Service]
Restart=always

[Install]
WantedBy=default.target

And in /etc/subuid and /etc/subgid you need an entry so that UID 999 is mapped for your rootless user:

[...]
yourusername:999:1

And the directory:

chown -R 999:999 /mnt/nfs/komodo/mongo
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Typically a uidmap and gidmap solution should not depend on the specific subordinate UID and GID on the host. The need for adding yourusername:999:1 to /etc/subuid and /etc/subgid would mean that only one user on the system can be set up like this. I think it should be possible to avoid the @ syntax in the second field to make the solution more flexible.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.