Definition
podman unshare lets you enter the USER and MNT namespaces that rootless podman uses for its containers without starting a container, so you can look around (and mount things) as root of that namespace while remaining an ordinary user on the host. It is a convenience wrapper around the regular unshare(1) command: it also applies the subordinate UID/GID ranges from /etc/subuid and /etc/subgid that podman itself uses, so what you see is what a rootless container would see.
Preparation
Let’s check the behaviour inside the new USER namespace:
# See the UID mapping: inside, UID 0 is your own host UID and UIDs 1.. are your /etc/subuid range;
# the host’s real UID 0 is not mapped at all
podman unshare cat /proc/self/uid_map
# Host root-owned files therefore show as owned by nobody (the kernel substitutes the overflow UID, 65534)
podman unshare ls -ld /
# Compare the USER/MNT namespace IDs on the host and inside the namespace:
# different inode numbers mean different namespaces
ls -l /proc/self/ns/user /proc/self/ns/mnt
podman unshare ls -l /proc/self/ns/user /proc/self/ns/mnt
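To make the uid_map output from the command above concrete, here is an added example (not code from the original page) that translates UIDs across the namespace boundary using the /proc/<pid>/uid_map line format "<inside_start> <outside_start> <count>". The functions read the map from stdin, so you can feed them the real output of podman unshare cat /proc/self/uid_map; the SAMPLE_MAP below is a constructed map for a user with host UID 1000 and a 65536-ID subuid range starting at 100000, and the function names are this example’s own.

```bash
#!/bin/sh
# Added example: map UIDs through a user-namespace uid_map read from stdin.

# Host UID that owns a file which, inside the namespace, appears to belong
# to UID $1. Prints "unmapped" if no range in the map covers it.
ns_to_host_uid() {
  awk -v uid="$1" '
    NF == 3 && uid >= $1 && uid < $1 + $3 { print $2 + (uid - $1); found = 1; exit }
    END { if (!found) print "unmapped" }'
}

# Inverse: how a file owned by host UID $1 appears inside the namespace.
# "unmapped" here is exactly why host root-owned files show up as nobody
# (overflow UID 65534) inside podman unshare: host UID 0 has no inside UID.
host_to_ns_uid() {
  awk -v uid="$1" '
    NF == 3 && uid >= $2 && uid < $2 + $3 { print $1 + (uid - $2); found = 1; exit }
    END { if (!found) print "unmapped" }'
}

# Constructed sample, in the format podman unshare cat /proc/self/uid_map prints
# for host UID 1000 with subuid range 100000-165535 (/etc/subuid: user:100000:65536).
SAMPLE_MAP='         0       1000          1
         1     100000      65536'

printf '%s\n' "$SAMPLE_MAP" | ns_to_host_uid 0      # 1000: "root" inside is you
printf '%s\n' "$SAMPLE_MAP" | ns_to_host_uid 33     # 100032: an image's UID 33 files on disk
printf '%s\n' "$SAMPLE_MAP" | ns_to_host_uid 65537  # unmapped: beyond the subuid range
printf '%s\n' "$SAMPLE_MAP" | host_to_ns_uid 0      # unmapped: host root -> nobody inside
```

The second function explains the ls -ld / result above, and the first tells you which host UID to look for when an image’s files turn up in ~/.local/share/containers storage with unfamiliar owners.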
Let’s check the behaviour inside the new MNT namespace. On the host an ordinary user cannot mount anything:
echo hello > /tmp/testfile
mount --bind /tmp/testfile /etc/shadow
mount: /etc/shadow: must be superuser to use mount.
Inside podman unshare the same user is root of the new namespaces (with CAP_SYS_ADMIN there), so the bind mount succeeds, but only within that private MNT namespace: the host’s /etc/shadow is untouched and the mount disappears when the command exits.
podman unshare bash -c "mount -o bind /tmp/testfile /etc/shadow; cat /etc/shadow"
hello
Practice
Now let’s move on to viewing the contents of an image with podman image mount, without running it.
The command is podman image mount <URL/image>, where the argument is the same reference you would give to podman pull (a registry URL or a local image name or ID); the image must already be present locally. (Plain podman mount is the container variant, podman container mount, and works on existing containers rather than images.)
podman image mount mounts the image’s root filesystem read-only under podman’s storage directory and prints the full path of the mount point on the host, so you can inspect it with ordinary tools.
Rootless, it requires either elevated privileges or a USER namespace in which you are root, and refuses to run otherwise. This is where podman unshare comes to the rescue: it gives you a dedicated USER and MNT namespace, and the mount (and the path it prints) is only visible inside that namespace.
Let’s try:
# Enter the namespace (you become UID 0 there)
podman unshare
# Mount the image and keep the mount point in a variable
mnt=$(podman image mount <URL/image>)
# Now we can inspect the image filesystem without running it
ls "$mnt/var/"
cat "$mnt/etc/shadow"
# Unmount, then leave the namespace; the mount is gone with it
podman image unmount <URL/image>
exit
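The steps above turn naturally into a small script that audits an image instead of just listing it. The following is an added example (not code from the original page or the podman project): audit_rootfs works on any directory tree, and audit_image wraps it with podman image mount / podman image unmount. It assumes podman is installed, that the image is already pulled, and that the script is started as podman unshare ./audit-image.sh <URL/image> (or as real root); the finding labels (SETID, WORLD_WRITABLE, PASSWORD_HASH, EXTRA_UID0) are this script’s own names.

```bash
#!/bin/bash
# Added example: audit an image's root filesystem without running it.
# Run as: podman unshare ./audit-image.sh <URL/image>

# Print one finding per line, "KIND /path/inside/image", for the root tree $1.
audit_rootfs() {
  root=$1
  # setuid/setgid binaries: privilege-escalation surface once the container runs
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
    | sed "s|^$root|SETID |"
  # world-writable regular files baked into the image
  find "$root" -xdev -type f -perm -0002 -print | sed "s|^$root|WORLD_WRITABLE |"
  # accounts shipped with a real password hash (field 2 not empty, "*" or locked "!...")
  if [ -r "$root/etc/shadow" ]; then
    awk -F: '$2 != "" && $2 != "*" && $2 !~ /^!/ { print "PASSWORD_HASH " $1 }' \
      "$root/etc/shadow"
  fi
  # additional UID 0 accounts besides root
  if [ -r "$root/etc/passwd" ]; then
    awk -F: '$3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }' "$root/etc/passwd"
  fi
}

# Mount the image inside the podman unshare namespace, audit it, unmount it.
audit_image() {
  image=$1
  # podman image mount needs root of a user namespace: outside podman unshare
  # (and not real root) it would refuse to run, so check first
  if [ "$(id -u)" -ne 0 ]; then
    echo "not root in this namespace; run: podman unshare $0 $image" >&2
    return 1
  fi
  mnt=$(podman image mount "$image") || return 1
  # the mount is read-only, so the audit cannot modify the image
  audit_rootfs "$mnt"
  rc=$?
  podman image unmount "$image" >/dev/null
  return "$rc"
}

# Only touch podman when an image is named on the command line; with no
# argument the file just defines the functions (so it can be sourced).
if [ $# -gt 0 ]; then
  audit_image "$1"
fi
```

Because the mount lives inside the unshare namespace, the whole script has to run there (hence the podman unshare prefix); piping podman image mount output to a host-side shell would give a path the host cannot see. The uid_map point from the Preparation section also applies: ownership you see on the mounted tree is the image’s own UIDs, because you are root of the same namespace the image was unpacked into.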