Podman ssh permissions problem

[alainseys]

Enviroment:

• OS: Windows 11
• Features: WSL (Debian)
• Podman: Installed on WSL
• Devtools: vscode

Hello,

I am just getting started with podman as replacement for our development stack on ansible.
But during the first test we encouter a problem with the injection of the ssh keys in the container.

We have our container configured with these lines in our Dockerfile

COPY ../private_key /workspaces/demo/private_key
RUN chmod 600 /workspaces/demo/private_key
RUN echo "eval \$(ssh-agent -s)" >> /etc/bash.bashrc && \
echo "ssh-add /workspaces/demo/private_key" >> /etc/bash.bashrc

But the container has not set the permissions this is what the cli gives as output

Permissions 0777 for '/workspaces/demo/private_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
root@ansible-dev-container:/workspaces/demo# ls -al | grep private_key 
-rwxrwxrwx 1 root root 1773 May 28 07:51 private_key
root@ansible-dev-container:/workspaces/demo# chmod 600 private_key 
root@ansible-dev-container:/workspaces/demo# ls -al | grep private_key 
-rwxrwxrwx 1 root root 1773 May 28 07:51 private_key

i dont if it hase something to do with the devcontainer.json but here is the file

{
  "name": "ansible-dev-container-podman",
  "build": {
    "context": "..",
    "dockerfile": "Dockerfile"
  },
  //"image": "ghcr.io/ansible/community-ansible-dev-tools:latest",
  "containerUser": "root",
  "postCreateCommand": "chmod +x /workspaces/demo/scripts/*.sh",
  "runArgs": [
    "--cap-add=CAP_MKNOD",
    "--cap-add=NET_ADMIN",
    "--cap-add=SYS_ADMIN",
    "--cap-add=SYS_RESOURCE",
    "--device",
    "/dev/fuse",
    "--security-opt",
    "seccomp=unconfined",
    "--security-opt",
    "label=disable",
    "--security-opt",
    "apparmor=unconfined",
    "--security-opt",
    "unmask=/sys/fs/cgroup",
    "--userns=host",
    "--hostname=ansible-dev-container"
  ],
  "customizations": {
    "vscode": {
      "extensions": [
        "redhat.ansible",
        "oderwat.indent-rainbow",
        "srobert0560.sr-ansible-snippets",
        "donjayamanne.githistory",
        "eamodio.gitlens",
        "ryanolsonx.solarized",
        "emmanuelbeziat.vscode-great-icons",
        "ms-azuretools.vscode-docker"
      ]
    }
  }
}

[eriksjolund]

Is /workspaces/demo a volume? One theory could be that you bind-mount a directory from a filesystem that does not support traditional Unix permissions.

A symptom of that could be

root@ansible-dev-container:/workspaces/demo# chmod 600 private_key 
root@ansible-dev-container:/workspaces/demo# ls -al | grep private_key 
-rwxrwxrwx 1 root root 1773 May 28 07:51 private_key

(The command chmod 600 private_key succeeds but afterwards the file private_key has permission 777)

Maybe it would work if you changed the filepath /workspaces/demo/private_key to be outside
/workspaces/demo?

[alainseys]

I will give this a try i keep you updated

[alainseys]

Hello ,

Sorry for the late answers but due to some holiday was not able to test this faster.
Now i have tested this to move the private_key outside of workspace/demo and this worked as a charm.

Thanks for the help