Enable podman containers to write to an exFAT‑formatted external disk on Fedora Silverblue 42

We can achieve this by defining a user/group ID and disabling SELinux labeling on containers, and then mounting the drive with relaxed permissions.


It turns out this one is a bit tricky: files and directories are owned by a different user inside and outside the container, SELinux automatically blocks the bind mount, and exFAT does not support POSIX permissions.

Let's tackle each of those issues.

Specify podman container user

The easiest way to fix the file and directory ownership problem is to run your containers with the same user and group ID as your Fedora host.

Let's look up both IDs by typing id into a terminal:

# id
uid=1000(ryse) gid=1000(ryse) groups=1000(ryse),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

We see here that the user (uid) and group (gid) ID are both 1000. When we run our container, we can specify that user and group ID.

Either provide the --user option with podman run:

podman run \
  --user 1000:1000 \
  docker.io/library/caddy:latest

Or set the user option in docker-compose.yml:

version: '3.5'

services:
  caddy:
    image: docker.io/library/caddy:latest
    user: 1000:1000

Any files or directories the container creates can now be read, modified, and deleted by the host and vice versa.

Turn off SELinux labeling

Because our external disk uses the exFAT file system (for Linux, Mac, and Windows compatibility), SELinux labels don't work on it. The fix is to turn labeling off for the containers that need to use the external disk.

Either provide the --security-opt option with podman run:

podman run \
  --user 1000:1000 \
  --security-opt label=disable \
  docker.io/library/caddy:latest

Or set the security_opt option in docker-compose.yml:

version: '3.5'

services:
  caddy:
    image: docker.io/library/caddy:latest
    security_opt:
      - label:disable

With labeling disabled, SELinux no longer stands in the way of that container writing to the external disk, which also means we don't need to add the :z or :Z flags when defining its volumes.

Mount external disk with options

Since exFAT doesn't support POSIX permissions, we need to be very liberal and simply permit anything to read/write from that disk.

Set the uid, gid, and umask options when mounting:

sudo mount \
  --types exfat \
  --options uid=1000,gid=1000,umask=000 \
  /dev/sda \
  /run/media/disk
💡 Be sure to replace /dev/sda and /run/media/disk with your device and mount point, respectively.

A umask of 000 gives read, write, and execute permission to everyone. I've tried to be more restrictive by setting file and directory permissions to 600/700, 644/755, and 664/775, but none of that worked.

Our containers should now be able to read and write from volumes that live on the external exFAT-formatted disk.
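As an added example (not the post's own code), here is a small shell script that ties the three steps together and verifies the mount actually carries the uid/gid/umask options before starting the container. DEVICE, MOUNTPOINT, the container image and the use of the kernel exfat driver (which reports umask=000 as fmask=0000,dmask=0000) are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): mount the exFAT disk the way the post
# describes, verify the mount really carries those options, then start the
# container. DEVICE, MOUNTPOINT and the image are assumptions; edit them.
DEVICE="${DEVICE:-/dev/sda}"
MOUNTPOINT="${MOUNTPOINT:-/run/media/disk}"
IMAGE="docker.io/library/caddy:latest"

# Mount options from the post, derived from the host user's uid and gid.
mount_opts_for_user() {
  printf 'uid=%s,gid=%s,umask=000' "$1" "$2"
}

# Succeed only if the mount point is an exfat mount owned by uid/gid with
# umask=000. Assumes the kernel exfat driver, which reports umask=000 in
# /proc/self/mounts as fmask=0000,dmask=0000. A disk auto-mounted by the
# desktop typically shows fmask=0022,dmask=0022 and fails this check.
verify_exfat_mount() {
  mp="$1"; uid="$2"; gid="$3"; table="${4:-/proc/self/mounts}"
  opts=$(awk -v mp="$mp" '$2 == mp && $3 == "exfat" { print $4 }' "$table")
  [ -n "$opts" ] || return 1
  for want in "uid=$uid" "gid=$gid" fmask=0000 dmask=0000; do
    case ",$opts," in
      *",$want,"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Mount if needed, re-check, then run with the host's uid:gid and SELinux
# labeling disabled for this container only (the disk has no labels anyway).
run_on_exfat() {
  uid=$(id -u); gid=$(id -g)
  if ! verify_exfat_mount "$MOUNTPOINT" "$uid" "$gid"; then
    sudo mount --types exfat \
      --options "$(mount_opts_for_user "$uid" "$gid")" \
      "$DEVICE" "$MOUNTPOINT" || return 1
    verify_exfat_mount "$MOUNTPOINT" "$uid" "$gid" || return 1
  fi
  podman run --rm \
    --user "$uid:$gid" \
    --security-opt label=disable \
    --volume "$MOUNTPOINT/caddy:/data" \
    "$IMAGE" "$@"
}

# Usage: DEVICE=/dev/sda1 MOUNTPOINT=/run/media/disk sh exfat-podman.sh run
if [ "${1:-}" = "run" ]; then shift; run_on_exfat "$@"; fi
```

Run it once without arguments to load the functions, or with run to mount, verify and start the container; the verify step fails fast if the disk was auto-mounted with the default masks.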

Featured image by Frank R.