chore(podman): add warning about subordinate ids

docker compositions/syncthing/docker-compose.osx.yml

@@ -1,6 +1,5 @@
 ---
 # Refer https://github.com/syncthing/syncthing/blob/main/README-Docker.md
-version: "3"
 services:
   syncthing:
     image: syncthing/syncthing:2.0.12
@@ -11,8 +10,9 @@ services:
       - PGID=20
       - STGUIADDRESS=0.0.0.0:8384
     volumes:
-      - config:/var/syncthing/config:z
+      - ${PWD}/config:/var/syncthing/config:z
       - ${PWD}/data:/var/syncthing/data
+      # - ${HOME}/media:/var/syncthing/media
     ports:
       # No way to use 'host' mode  in OS X
       - 127.0.0.1:8384:8384/tcp   # Web UI
@@ -25,5 +25,3 @@ services:
       interval: 1m
       timeout: 10s
       retries: 3
-volumes:
-  config:

docker compositions/syncthing/docker-compose.podman.yml

@@ -0,0 +1,22 @@
+---
+# Refer https://github.com/syncthing/syncthing/blob/main/README-Docker.md
+services:
+  syncthing:
+    image: syncthing/syncthing:2.0.12
+    container_name: syncthing
+    hostname: ${HOSTNAME}
+    environment:
+      - PUID=0  # due to podman's rootless uid mapping
+      - PGID=0  # due to podman's rootless gid mapping
+      - STGUIADDRESS=0.0.0.0:8384
+    volumes:
+      - ${PWD}/config:/var/syncthing/config:z
+      - ${PWD}/data:/var/syncthing/data
+      # - ${HOME}/media:/var/syncthing/media
+    network_mode: host
+    restart: unless-stopped
+    healthcheck:
+      test: curl -fkLsS -m 2 127.0.0.1:8384/rest/noauth/health | grep -o --color=never OK || exit 1
+      interval: 1m
+      timeout: 10s
+      retries: 3

docker compositions/syncthing/docker-compose.yml

@@ -1,6 +1,5 @@
 ---
 # Refer https://github.com/syncthing/syncthing/blob/main/README-Docker.md
-version: "3"
 services:
   syncthing:
     image: syncthing/syncthing:2.0.12
@@ -11,8 +10,9 @@ services:
       - PGID=${GID-1000}  # use 0 with podman
       - STGUIADDRESS=0.0.0.0:8384
     volumes:
-      - config:/var/syncthing/config:z
+      - ${PWD}/config:/var/syncthing/config:z
       - ${PWD}/data:/var/syncthing/data
+      - ${HOME}/Media:/var/syncthing/media
     network_mode: host
     restart: unless-stopped
     healthcheck:
@@ -20,5 +20,3 @@ services:
       interval: 1m
       timeout: 10s
       retries: 3
-volumes:
-  config:

knowledge base/linux/subordinate ids.md

@@ -0,0 +1,62 @@
+# Subordinate IDs
+
+> TODO
+
+Intro
+
+<!-- Remove this line to uncomment if used
+## Table of contents <!-- omit in toc -->
+
+1. [TL;DR](#tldr)
+1. [Further readings](#further-readings)
+   1. [Sources](#sources)
+
+## TL;DR
+
+<!-- Uncomment if used
+<details>
+  <summary>Setup</summary>
+
+```sh
+```
+
+</details>
+-->
+
+<!-- Uncomment if used
+<details>
+  <summary>Usage</summary>
+
+```sh
+```
+
+</details>
+-->
+
+<!-- Uncomment if used
+<details>
+  <summary>Real world use cases</summary>
+
+```sh
+```
+
+</details>
+-->
+
+## Further readings
+
+### Sources
+
+- [What Is the /etc/subuid File?]
+
+<!--
+  Reference
+  ═╬═Time══
+  -->
+
+<!-- In-article sections -->
+<!-- Knowledge base -->
+<!-- Files -->
+<!-- Upstream -->
+<!-- Others -->
+[What Is the /etc/subuid File?]: https://www.baeldung.com/linux/etc-subuid

knowledge base/podman.md

@@ -9,6 +9,12 @@ Intended to be a drop-in replacement for [Docker].
 
 ## TL;DR
 
+> [!important]
+> Podman in rootless mode (the default) leverages [subordinate user and group IDs][subordinate ids] to map containers'
+> UID and GID to much higher numbers and avoid conflicts.<br/>
+> This means the IDs used _inside_ containers will **not** be the same as the ones of the user running them, and it
+> will probably raise permissions issues when trying to write or read from volumes.
+
 <details>
   <summary>Setup</summary>
 
@@ -93,10 +99,12 @@ podman system prune --all
 - [Containerd]
 - [Kaniko]
 - [Volumes and rootless Podman]
+- [Subordinate IDs]
 
 ### Sources
 
 - [Pull Official Images From Docker Hub Using Podman]
+- [User IDs and (rootless) containers with Podman]
 
 <!--
   Reference
@@ -104,9 +112,10 @@ podman system prune --all
   -->
 
 <!-- Knowledge base -->
-[containerd]: containerd.md
-[docker]: docker.md
-[kaniko]: kaniko.md
+[Containerd]: containerd.md
+[Docker]: docker.md
+[Kaniko]: kaniko.md
+[Subordinate IDs]: linux/subordinate%20ids.md
 
 <!-- Upstream -->
 [Documentation]: https://docs.podman.io/en/stable/
@@ -114,4 +123,5 @@ podman system prune --all
 
 <!-- Others -->
 [Pull Official Images From Docker Hub Using Podman]: https://www.baeldung.com/ops/podman-pull-image-docker-hub
+[User IDs and (rootless) containers with Podman]: https://blog.christophersmart.com/2021/01/26/user-ids-and-rootless-containers-with-podman/
 [Volumes and rootless Podman]: https://blog.christophersmart.com/2021/01/31/volumes-and-rootless-podman/