I am moving from Docker to rootless podman and one thing that’s surprising to me is that podman can create files that my user is, seemingly, not allowed to even read, so I need root to back them up.

For example, this one created by the postgres service of immich:

-rw-------. 1 525286 525286 1.6K Oct 2 20:16 /var/home/railcar/immich/postgres/pg_stat_tmp/global.stat

Is this expected in general (not for immich in particular)? Is there a single solution to solve this or does it have to be built in the images? It really feels wrong that I can start a container that will create files I am not allowed to even read.

  • Botzo@lemmy.world
    19 hours ago

    It seems like the only time I encounter this oddness is when some upstream docker image maintainer has done a weird with users (I once went 3 image levels up to figure out what happened).

    Or if I borrow a dockerfile and don’t strip out the “nonroot” user hacks that got popularized years ago.
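
Added example, not part of the thread: a numeric owner such as 525286 on a file written by a rootless podman container is a container UID translated through the user's subordinate-UID range. The sketch below rebuilds the default rootless layout from `/etc/subuid` text and translates in both directions; the user UID 1000 and the subuid ranges are constructed values, not taken from the post.

```python
# Constructed sample input: /etc/subuid content and the invoking user's UID.
# These values are assumptions for illustration, not data from the thread.
SUBUID_TEXT = """\
railcar:524288:65536
other:589824:65536
"""
USER_NAME, USER_UID = "railcar", 1000


def build_uid_map(user_uid, user_name, subuid_text):
    """Return [(container_start, host_start, length)] in the default rootless
    layout: container UID 0 is the invoking user, then the user's subuid
    ranges follow in file order, starting at container UID 1."""
    mapping = [(0, user_uid, 1)]
    next_container = 1
    for line in subuid_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name not in (user_name, str(user_uid)):
            continue  # range belongs to another account
        mapping.append((next_container, int(start), int(count)))
        next_container += int(count)
    return mapping


def host_to_container(host_uid, mapping):
    """Container-side UID for a host UID, or None if it is not mapped."""
    for c_start, h_start, length in mapping:
        if h_start <= host_uid < h_start + length:
            return c_start + (host_uid - h_start)
    return None


def container_to_host(container_uid, mapping):
    """Host-side UID that files owned by container_uid will show on disk."""
    for c_start, h_start, length in mapping:
        if c_start <= container_uid < c_start + length:
            return h_start + (container_uid - c_start)
    return None


if __name__ == "__main__":
    uid_map = build_uid_map(USER_UID, USER_NAME, SUBUID_TEXT)
    for host_uid in (1000, 525286, 600000):
        print(host_uid, "->", host_to_container(host_uid, uid_map))
```

With these assumed ranges the owner in the listing corresponds to a non-root UID inside the container, and a host UID outside the user's ranges is reported as unmapped. Commands run through `podman unshare` execute inside the same user namespace, where those files appear under their container-side owner.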