[GH-ISSUE #115] netbootxyz not behaving well with rootless podman quadlet and squashed NFS shares #33

New issue

Open

opened 2026-02-27 14:47:30 +03:00 by kerem · 1 comment

kerem commented 2026-02-27 14:47:30 +03:00

Owner

Copy link

Originally created by @Zer0PointModule on GitHub (Dec 6, 2025).
Original GitHub issue: https://github.com/netbootxyz/docker-netbootxyz/issues/115

The netbootxyz container tries to chown everything to root on boot:

COPY --chown=root:root root/ /

When using rootless Podman the root UID and GID are actually mapped to SUBID's of the rootless user. when using NFS and squashing all users to a certain user and group id, the container then loses control over it's own folders because all further actions are mapped to the same userid and groupid and those don't have permission to change ownership of a folder owned by a random SUBID.

Other steps later have issues (no longer have the permission) to chown it back to the proper passed PUID and PGID because it can't change permissions of the folder it just tried to chown to "root" any longer.

This is indeed an edge case problem due to the use of NFS permission squashing (https://www.opswat.com/docs/mdss/3.4.3/knowledge-base/what-is-user-squashing-for-network-file-system-nfs)

Still if this forced chowning wouldn't happen there also wouldn't be any problems even with a more obscure setup like this.

Originally created by @Zer0PointModule on GitHub (Dec 6, 2025). Original GitHub issue: https://github.com/netbootxyz/docker-netbootxyz/issues/115 The netbootxyz container tries to chown everything to root on boot: ``` COPY --chown=root:root root/ / ``` When using rootless Podman the root UID and GID are actually mapped to SUBID's of the rootless user. when using NFS and squashing all users to a certain user and group id, the container then loses control over it's own folders because all further actions are mapped to the same userid and groupid and those don't have permission to change ownership of a folder owned by a random SUBID. Other steps later have issues (no longer have the permission) to chown it back to the proper passed PUID and PGID because it can't change permissions of the folder it just tried to chown to "root" any longer. This is indeed an edge case problem due to the use of NFS permission squashing (https://www.opswat.com/docs/mdss/3.4.3/knowledge-base/what-is-user-squashing-for-network-file-system-nfs) Still if this forced chowning wouldn't happen there also wouldn't be any problems even with a more obscure setup like this.

kerem commented 2026-02-27 14:47:31 +03:00

Author

Owner

Copy link

@Abarth91 commented on GitHub (Jan 31, 2026):

I have the same problem. Is there a workaround until this is fixed?

<!-- gh-comment-id:3827882063 --> @Abarth91 commented on GitHub (Jan 31, 2026): I have the same problem. Is there a workaround until this is fixed?

kerem referenced this issue 2026-02-27 14:47:37 +03:00

[PR #33] [MERGED] Update to Alpine 3.17 #56

kerem referenced this issue 2026-03-01 18:33:40 +03:00

[PR #33] [MERGED] Update to Alpine 3.17 #176

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

renovate/alpine-3.x

renovate/actions-github-script-9.x

feature/secureboot-support

ci/native-arm64-builds

ci-workflow-fix

0.7.6-nbxyz18

0.7.6-nbxyz17

0.7.6-nbxyz16

0.7.6-nbxyz13

0.7.6-nbxyz12

0.7.6-nbxyz11

0.7.6-nbxyz10

0.7.6-nbxyz9

0.7.6-nbxyz7

0.7.6-nbxyz6

0.7.6-nbxyz4

0.7.6-nbxyz3

0.7.6-nbxyz2

0.7.6-nbxyz1

0.7.5-nbxyz9

0.7.5-nbxyz8

0.7.5-nbxyz7

0.7.5-nbxyz6

0.7.5-nbxyz5

0.7.5-nbxyz4

0.7.5-nbxyz3

0.7.5-nbxyz2

0.7.4-nbxyz5

0.7.5-nbxyz1

0.7.4-nbxyz4

0.7.4-nbxyz3

0.7.4-nbxyz2

0.7.3-nbxyz5

0.7.4-nbxyz1

0.7.3-nbxyz4

0.7.3-nbxyz3

0.7.3-nbxyz2

0.7.1-nbxyz5

0.7.3-nbxyz1

0.7.2-nbxyz1

0.7.1-nbxyz4

0.7.1-nbxyz3

0.7.1-nbxyz2

0.7.1-nbxyz1

0.7.0-nbxyz6

0.7.0-nbxyz5

0.7.0-nbxyz4

0.7.0-nbxyz3

0.7.0-nbxyz2

0.7.0-nbxyz1

0.6.9-nbxyz2

0.6.9-nbxyz1

0.6.8-nbxyz6

0.6.8-nbxyz5

0.6.8-nbxyz4

0.6.8-nbxyz3

0.6.8-nbxyz2

0.6.8-nbxyz1

0.6.7-nbxyz31

0.6.7-nbxyz25

0.6.7-nbxyz24

0.6.7-nbxyz23

0.6.7-nbxyz22

0.6.7-nbxyz21

0.6.7-nbxyz20

0.6.7-nbxyz19

0.6.7-nbxyz18

0.6.7-nbxyz17

0.6.7-nbxyz16

0.6.7-nbxyz15

0.6.7-nbxyz14

0.6.7-nbxyz13

0.6.7-nbxyz12

0.6.7-nbxyz11

0.6.7-nbxyz10

0.6.7-nbxyz9

0.6.7-nbxyz8

0.6.7-nbxyz7

0.6.7-nbxyz6

0.6.7-nbxyz5

0.6.7-nbxyz4

0.6.7-nbxyz3

0.6.7-nbxyz2

0.6.7-nbxyz1

0.6.6-nbxyz15

0.6.6-nbxyz14

0.6.6-nbxyz13

0.6.6-nbxyz12

0.6.6-nbxyz11

0.6.6-nbxyz10

0.6.6-nbxyz9

0.6.6-nbxyz8

0.6.6-nbxyz7

0.6.6-nbxyz6

0.6.6-nbxyz4

0.6.6-nbxyz3

0.6.6-nbxyz2

0.6.6-nbxyz5

0.6.5-nbxyz5

0.6.6-nbxyz1

0.6.5-nbxyz4

0.6.5-nbxyz3

0.6.5-nbxyz2

0.6.5-nbxyz1

0.6.4-nbxyz13

0.6.4-nbxyz12

0.6.4-nbxyz11

0.6.4-nbxyz10

0.6.4-nbxyz9

0.6.4-nbxyz8

0.6.4-nbxyz7

0.6.4-nbxyz6

0.6.4-nbxyz5

0.6.4-nbxyz4

0.6.4-nbxyz3

0.6.4-nbxyz2

0.6.4-nbxyz1

Labels

Clear labels   

enhancement

  

pull-request

Mirrored from GitHub Pull Request

No labels

enhancement

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/docker-netbootxyz#33

No description provided.