Wrong directory permissions and ownership on root of volume mount path after volume import

[shunkica]

Issue Description

Unable to start a container after volume export / import because of incorrect ownership and permissions on the root of the volume mount path.

The volume was mounted to /var/lib/postgresql/14/main and postgres would not start because /var/lib/postgresql/14/main was owned by root:root. I had to do podman unshare then manually change the owner and permissions of the ~/.local/share/containers/storage/volumes/foo/_data directory to get the container to work.

Steps to reproduce the issue

Steps to reproduce the issue

1. podman volume export foo -o foo.tar
2. podman system reset
3. podman volume create foo
4. podman volume import foo foo.tar

Describe the results you received

The root directory of the volume ( or "_data" on local fs) has the default permissions of 755 and is owned by "myuser:myuser" outside the container and "root:root" inside the container, regardless of the original owner and permissions.

Describe the results you expected

I expected everything to be preserved through the export / import process.

podman info output

host:
  arch: amd64
  buildahVersion: 1.38.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-1.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: 5859d6167f22954414ce804d3f2ae9cf6208f929'
  cpuUtilization:
    idlePercent: 99.47
    systemPercent: 0.22
    userPercent: 0.31
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: rocky
    version: "9.5"
  eventLogger: journald
  freeLocks: 2042
  hostname: borg.plin
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 3005
      size: 1
    - container_id: 1
      host_id: 624288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 3003
      size: 1
    - container_id: 1
      host_id: 624288
      size: 65536
  kernel: 5.14.0-503.23.2.el9_5.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 237125632
  memTotal: 12272603136
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.el9.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.el9.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: /usr/bin/crun
    package: crun-1.19.1-1.el9.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/user/3003/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250121.g4f2c8e7-3.el9.x86_64
    version: |
      pasta 0^20250121.g4f2c8e7-3.el9.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/3003/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.1-1.el9.x86_64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 12883312640
  swapTotal: 12883849216
  uptime: 33h 7m 53.00s (Approximately 1.38 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /opt/traccar/.config/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 3
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /opt/traccar/.local/share/containers/storage
  graphRootAllocated: 407867219968
  graphRootUsed: 66529746944
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/user/3003/containers
  transientStore: false
  volumePath: /opt/traccar/.local/share/containers/storage/volumes
version:
  APIVersion: 5.3.2
  Built: 1738675282
  BuiltTime: Tue Feb  4 14:21:22 2025
  GitCommit: ""
  GoVersion: go1.23.4 (Red Hat 1.23.4-1.el9)
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.2

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[mheon]

I think what's happening here is the usual chown/permission adjustment that would happen with the volume on being mounted into a container isn't happening because the volume is not empty. Can you include an ls -al of /var/lib/postgresql/14/main on a container with an empty volume mounted to it, and on a container with the volume with imported contents mounted to it?