
@jclds139
Contributor

@jclds139 jclds139 commented Nov 15, 2025

Description

This is in a similar vein to #8660 and works towards resolving issues like #7940.

Basically, this is a tiny patch adding the minimal changes needed to run the image build using podman instead of docker. Since podman is often installed with a podman-docker shim to emulate the docker cli, the only changes needed are to use a rootful podman connection (needed for working with loop devices) and this patch to add exec and dev flags to volume mounts (since podman mounts volumes by default with nodev and sometimes noexec).

Documentation summary for feature / change

If documentation entry is predicted, please provide key elements for further implementation into main documentation and set label to "Needs Documentation". You are welcome to open a PR to documentation or you can leave following information for technical writer:

  • short description (copy / paste of PR title)
  • summary (description relevant for end users)
    • A short description that building with podman is possible, even if not officially supported
  • example of usage (how to see this in function)
    • with podman-docker installed, run CONTAINER_HOST=unix:///run/podman/podman.sock ./compile.sh or CONTAINER_CONNECTION=root ./compile.sh if the rootful connection is already configured in podman

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also note any relevant details for your test configuration.

  • Run build using standard docker
  • Run build using podman-docker (emulating the docker cli using podman)
    • Does require adding connection configuration to run rootful podman containers, which can be achieved using $CONTAINER_HOST or $CONTAINER_CONNECTION environment variables depending on system setup

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • My changes generate no new warnings

Summary by CodeRabbit

  • Bug Fixes
    • Improved container runtime detection to recognize Podman-compatible environments.
    • Adjusted volume mount handling so anonymous and named-volume mounts receive appropriate mount flags under Podman-like runtimes.
    • Preserves existing mount behavior for non-Podman runtimes, preventing regressions.


It hasn't been an issue for Docker because their defaults didn't
conflict, but Podman mounts volumes with nodev (and formerly noexec) by
default, which would break the build. Adding `dev` and `exec` to the
volume mount options ensures the needed setting whatever the defaults.
Use $DOCKER_INFO to check for podman vs dockerd, and conditionally
`exec` and `dev` volume options, which are needed on podman but not
allowed on dockerd.
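A worked illustration of the detection and mount-option logic the description and commit messages talk about, as an added example written here, not the PR's diff or the Armbian project's docker.sh. It assumes the shim is recognised by "podman" appearing in `docker --version` output, that the project's volume arguments end in a `:rw` base option to which `,exec,dev` is appended, and the volume names and paths are constructed:

```shell
#!/usr/bin/env bash
# Added example (not the project's code): recognise a Podman shim behind the
# `docker` CLI and build -v arguments that carry ",exec,dev" only for
# anonymous and named volumes, and only when Podman is the runtime.
set -eu

# Classify one `docker --version` output line. The podman-docker shim prints
# a line containing "podman"; anything else is treated as dockerd (assumption).
docker_is_podman() {
    case "$1" in
        *[Pp]odman*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the real detection on this host; prints "yes" or "no". Returns "no"
# when no docker binary is on PATH so callers never see an empty value.
detect_docker_is_podman() {
    if command -v docker >/dev/null 2>&1 && docker_is_podman "$(docker --version 2>/dev/null)"; then
        echo yes
    else
        echo no
    fi
}

# Build one -v argument.
#   kind: anon | named | bind      src: volume name or host path ("" for anon)
#   dst:  mount point in container is_podman: yes | no
# Podman mounts volumes nodev (and formerly noexec), so "exec,dev" is added;
# dockerd rejects those options, so they are omitted there. Bind mounts are
# host paths, not runtime-managed volumes, and never get the extra flags.
volume_arg() {
    kind="$1"; src="$2"; dst="$3"; is_podman="$4"
    extra=""
    if [ "$is_podman" = "yes" ] && [ "$kind" != "bind" ]; then
        extra=",exec,dev"
    fi
    case "$kind" in
        anon)       printf '%s:rw%s\n' "$dst" "$extra" ;;
        named|bind) printf '%s:%s:rw%s\n' "$src" "$dst" "$extra" ;;
        *) echo "volume_arg: unknown kind '$kind'" >&2; return 1 ;;
    esac
}
```

Running `volume_arg named build-cache /work/cache "$(detect_docker_is_podman)"` on a podman-docker host yields `build-cache:/work/cache:rw,exec,dev`, while on a dockerd host the same call yields `build-cache:/work/cache:rw`.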
@jclds139 jclds139 requested a review from a team as a code owner November 15, 2025 17:37
@coderabbitai
Contributor

coderabbitai bot commented Nov 15, 2025

Walkthrough

Adds runtime detection to set a global DOCKER_IS_PODMAN flag when the docker binary is a Podman shim, and conditionally appends ,exec,dev to anonymous and named volume mount destinations when that flag is true.

Changes

Cohort / File(s) Summary
Docker runtime detection & mount flagging
lib/functions/host/docker.sh
Added global DOCKER_IS_PODMAN (declared -g and made readonly) by inspecting docker --version/runtime info. When set, anonymous and named volume mount destination paths are appended with ,exec,dev. No function signatures changed.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Script as Host script
  participant DockerBin as `docker` binary
  participant Runtime as Container runtime (Docker/Podman)

  rect rgb(240,248,255)
    Note over Script: Startup — detect docker runtime
    Script->>DockerBin: run `docker --version` / inspect info
    DockerBin-->>Script: version string / info
    alt Podman detected
      Script->>Script: set DOCKER_IS_PODMAN = true (readonly)
    else Not Podman
      Script->>Script: set DOCKER_IS_PODMAN = false (readonly)
    end
  end

  rect rgb(255,250,240)
    Note over Script,Runtime: Container creation — mount handling
    Script->>Runtime: create container with volume mounts
    alt DOCKER_IS_PODMAN == true
      Script->>Runtime: append ",exec,dev" to anonymous/named mount destinations
    else
      Script->>Runtime: use original mount destinations
    end
    Runtime-->>Script: container started
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Verify Podman detection robustness across version strings and shims.
  • Inspect all mount-path assembly to ensure ,exec,dev is only applied to anonymous and named volumes.
  • Test with Docker, Podman, and environments where docker --version returns unexpected output.

Poem

🐇 I sniff the binary, soft and keen,
If Podman whispers, I flip the green.
Mounts get a tweak — exec and dev in play,
Containers hop along their way. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Volume Options for Podman Compatibility' clearly and specifically describes the main change—adding volume mount options to support Podman compatibility, which aligns with the core functionality of conditionally appending exec/dev flags for Podman runtimes.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 79f8052 and ca73336.

📒 Files selected for processing (1)
  • lib/functions/host/docker.sh (4 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • lib/functions/host/docker.sh


@github-actions github-actions bot added size/small PR with less then 50 lines 11 Milestone: Fourth quarter release Needs review Seeking for review Framework Framework components labels Nov 15, 2025
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
lib/functions/host/docker.sh (1)

540-561: Architectural note: Loop device handling is invariant to runtime type.

The loop device mounts and security options (lines 540–561) do not vary based on DOCKER_IS_PODMAN. The PR summary mentions that rootful Podman may be required for operations involving loop devices. Verify that the existing loop device configuration is sufficient for Podman environments, or whether additional logic is needed to:

  • Detect rootful vs rootless Podman
  • Conditionally apply tighter device access for rootful Podman
  • Conditionally skip certain hacks for rootless Podman

If the current approach works as-is, no changes are needed. If Podman requires conditional logic here, it should be addressed in a follow-up.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f252a17 and 0f2da05.

📒 Files selected for processing (1)
  • lib/functions/host/docker.sh (2 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: tmshlvck
Repo: armbian/build PR: 8660
File: lib/functions/host/docker.sh:519-529
Timestamp: 2025-09-22T06:01:50.284Z
Learning: In the Armbian build framework's docker.sh, DOCKER_MOUNT_OPTS is conditionally set: empty for Docker, and ",suid,dev" for Podman to handle mount permission requirements.

Applied to files:

  • lib/functions/host/docker.sh
🧬 Code graph analysis (1)
lib/functions/host/docker.sh (1)
lib/functions/cli/cli-docker.sh (1)
  • cli_docker_run (32-112)
🔇 Additional comments (2)
lib/functions/host/docker.sh (2)

514-514: Verify that exec,dev flags are sufficient for Podman volume compatibility.

The anonymous volume mount correctly applies the conditional flags. However, the prior learning from PR #8660 mentions ,suid,dev as the Podman mount options, whereas this implementation uses ,exec,dev.

Confirm that:

  1. The exec flag (enables binary execution on volume) is necessary for Armbian builds.
  2. The suid flag (allows setuid bit) is not required for your use cases.
  3. These two flags alone support the loop device and device access requirements mentioned in the PR summary.

523-523: Consistent application of Podman volume flags to named volumes.

The named volume mount correctly mirrors the anonymous volume logic, applying ,exec,dev conditionally. The exclusion of these flags from bind mounts (line 519) is appropriate, as they apply only to Docker-managed volumes, not host paths.

The changes are minimal, focused, and consistent across volume types.

@tabrisnet
Collaborator

I think that "Since podman is often installed with a podman-docker shim" needs to be more specific, such that if/when this gets documented it should say it only works with the shim. But then that raises a question or 3: should you try to detect the shim instead of trying to rule out containerd and assuming the only alternative is podman?

@tabrisnet tabrisnet added 02 Milestone: First quarter release and removed 11 Milestone: Fourth quarter release labels Nov 20, 2025
@jclds139
Contributor Author

So, if we were to re-word that description to "when podman is installed as a replacement for docker, such as with podman-docker on Debian 12+ or Arch", then use the docker --version check to determine when the shim (or symlink) is in use, would this be acceptable enough? Or should we make sure to use one of the current markers in $DOCKER_INFO? It seems to me those are more likely to change over time depending on decisions made by the upstream podman devs.

@github-actions github-actions bot added the 11 Milestone: Fourth quarter release label Nov 25, 2025
Co-authored-by: tabrisnet <[email protected]>