Closed
Labels
jira, kind/bug, triaged
Description
Issue Description
When using the Docker SDK to call the CopyToContainer API through the podman.sock, Podman is not preserving the UID and GID of the folders and files in the TAR archive even when passing the CopyUIDGID: true option. Every folder and file is being copied into the container as root:root.
Steps to reproduce the issue
- Clone test code -
  https://github.com/dwaynebradley/docker-copytocontainer-example.git
  - The sample code calls CopyToContainer API and passes the CopyUIDGID: true in the CopyToContainerOptions
- View contents of the tar file to see permissions that have been set on the example folder and file -
  tar -tvf test-configs.tar
  - configs will be owned by 1001:1001
  - configs/test-config-file.txt will be owned by 1002:1002
- Start Podman systemd service -
  systemctl --user enable --now podman.service
  export DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/podman/podman.sock
- Run the test code to create the container that copies the contents of test-configs.tar into the container -
  go run main.go
Describe the results you received
- Exec into the container that was created by the sample code -
  podman exec -ti copy-uidgid-test /bin/sh
- Check ownership on the contents copied into the container
  - stat /configs - it will be owned by root:root
  - stat /configs/test-config-file.txt - it will also be owned by root:root
Describe the results you expected
I expected both the folder and file to have the same ownership as what is stored in the test-configs.tar file.
If I run this exact same code using Docker instead, the ownership on both the file and folder are retained inside of the container correctly.
podman info output
host:
  arch: amd64
  buildahVersion: 1.41.5
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-1:2.1.13-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.13, commit: 82de887596ed8ee6d9b2ee85e4f167f307bb569b'
  cpuUtilization:
    idlePercent: 99.07
    systemPercent: 0.46
    userPercent: 0.47
  cpus: 16
  databaseBackend: sqlite
  distribution:
    distribution: arch
    version: unknown
  emulatedArchitectures:
  - linux/arm
  - linux/arm64
  - linux/loong64
  - linux/mips64
  - linux/ppc
  - linux/ppc64
  - linux/ppc64le
  - linux/riscv32
  - linux/riscv64
  - linux/s390x
  eventLogger: journald
  freeLocks: 2039
  hostname: USRA1WHP6192208
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.6.87.2-microsoft-standard-WSL2
  linkmode: dynamic
  logDriver: journald
  memFree: 14528659456
  memTotal: 25199562752
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.16.0-1
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.16.0
    package: netavark-1.16.1-1
    path: /usr/lib/podman/netavark
    version: netavark 1.16.1
  ociRuntime:
    name: crun
    package: crun-1.24-1
    path: /usr/bin/crun
    version: |-
      crun version 1.24
      commit: 54693209039e5e04cbe3c8b1cd5fe2301219f0a1
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/sbin/pasta
    package: passt-2025_09_19.623dbf6-1
    version: |
      pasta 2025_09_19.623dbf6
      Copyright Red Hat
      GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SET
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 6442450944
  swapTotal: 6442450944
  uptime: 79h 49m 42.00s (Approximately 3.29 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /home/dwayne/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/dwayne/.local/share/containers/storage
  graphRootAllocated: 1081101176832
  graphRootUsed: 17560457216
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/dwayne/.local/share/containers/storage/volumes
version:
  APIVersion: 5.6.2
  Built: 1759398423
  BuiltTime: Thu Oct 2 05:47:03 2025
  GitCommit: 9dd5e1ed33830612bc200d7a13db00af6ab865a4
  GoVersion: go1.25.1 X:nodwarf5
  Os: linux
  OsArch: linux/amd64
  Version: 5.6.2
Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
Yes
Additional environment details
No response
Additional information
For the "Privileged or Rootless" question...I have tried it both ways with Podman so I just left the default option of "None" selected
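A check for the ownership this report expects, as an added example that is not part of the original issue or of Podman's code: it reads the uid:gid recorded in each tar header and translates it through the rootless idMappings from the podman info output above, giving the host IDs that back those owners when they are preserved. The archive is a constructed stand-in for test-configs.tar, and the names idRange, rootlessMap, toHost, buildArchive and expectedOwners are hypothetical.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

// idRange is one idMappings entry from `podman info`.
type idRange struct{ containerID, hostID, size int }

// rootlessMap copies the uidmap (identical to the gidmap) reported above.
var rootlessMap = []idRange{{0, 1000, 1}, {1, 100000, 65536}}

// toHost returns the host ID backing a container ID, or -1 if unmapped.
func toHost(id int, m []idRange) int {
	for _, r := range m {
		if id >= r.containerID && id < r.containerID+r.size {
			return r.hostID + id - r.containerID
		}
	}
	return -1
}

// buildArchive makes a constructed stand-in for test-configs.tar.
func buildArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "configs/", Typeflag: tar.TypeDir, Mode: 0o755, Uid: 1001, Gid: 1001})
	tw.WriteHeader(&tar.Header{Name: "configs/test-config-file.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: 8, Uid: 1002, Gid: 1002})
	tw.Write([]byte("example\n"))
	tw.Close()
	return buf.Bytes()
}

// expectedOwners maps each entry to "uid:gid in container -> uid:gid on host".
func expectedOwners(archive []byte, m []idRange) (map[string]string, error) {
	out := map[string]string{}
	tr := tar.NewReader(bytes.NewReader(archive))
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		out[h.Name] = fmt.Sprintf("%d:%d -> %d:%d", h.Uid, h.Gid, toHost(h.Uid, m), toHost(h.Gid, m))
	}
	return out, nil
}
func main() {
	fmt.Println(expectedOwners(buildArchive(), rootlessMap))
}
```

With this mapping, container ID 0 is backed by host ID 1000, so root:root inside the container corresponds to the invoking user's own UID and GID on the host.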