This is a short note that serves as a self-reminder on how podman can automatically change the ownership of a source volume to match the default UID and GID within the container.

TL;DR: Use the :U suffix on the volume definition.

The following is an example of the issue I had and how to apply the fix.

First, let’s list the current ownership of the directory to be used as the source volume for the container.

$ ls -ld /var/lib/podman/containervols/opencloud/
drwxrwxr-x 3 podman podman 4096 Dec 14 07:41 /var/lib/podman/containervols/opencloud/

The podman user is the user that the rootless container will be run under. Without the proper volume option, the container fails to start due to permission errors.

$ podman run --rm -it \
-v /var/lib/podman/containervols/opencloud/config:/etc/opencloud:z \
-v /srv/opencloud/data:/var/lib/opencloud:z \
-e IDM_ADMIN_PASSWORD=very-random-password \
docker.io/opencloudeu/opencloud:4 init
Do you want to configure OpenCloud with certificate checking disabled?
 This is not recommended for public instances! [yes | no = default]
2025/12/14 07:56:21 Could not create config: open /etc/opencloud/opencloud.yaml: permission denied

Now, let’s add the :U suffix to the volume configuration:

$ podman run --rm -it \
-v /var/lib/podman/containervols/opencloud/config:/etc/opencloud:z,U \
-v /srv/opencloud/data:/var/lib/opencloud:z,U \
-e IDM_ADMIN_PASSWORD=very-random-password \
docker.io/opencloudeu/opencloud:4 init
Do you want to configure OpenCloud with certificate checking disabled?
 This is not recommended for public instances! [yes | no = default]

=========================================
 generated OpenCloud Config
=========================================
 configpath : /etc/opencloud/opencloud.yaml
 user       : admin
 password   : very-random-password

That fixed it. Here’s the new ownership of the source volume directory: the numeric owner shown on the host is the ID that the rootless user namespace maps to the container’s internal user.

$ ls -ld /var/lib/podman/containervols/opencloud/
drwxrwxr-x 3 100998 100998 4096 Dec 14 07:41 /var/lib/podman/containervols/opencloud/

Additional Notes

  • The %h specifier is the systemd syntax for the invoking user’s home directory ($HOME).
  • The :U option tells podman to chown the source volume to match the default UID/GID used within the container.
  • For SELinux systems, :z sets a shared content label, while :Z sets a private, unshared label that only the current container can use.
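The arithmetic behind that host-side numeric owner, as an added example that is not part of the original post: rootless podman maps container UID 0 to the user’s own UID and container UIDs 1..count onto the user’s subordinate range, so the functions below convert between the two and check whether a source directory already carries the mapped owner (i.e. whether :U would still need to chown it). The subuid line, user UID 1000 and container UID 999 are constructed values, not taken from the post; read the real range from /etc/subuid or `podman unshare cat /proc/self/uid_map`.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed assumptions:
# the rootless user has UID 1000 and the /etc/subuid entry "podman:100000:65536".

# host_uid_for USER_UID START COUNT CONTAINER_UID -> host UID that owns the file
host_uid_for() {
  user_uid=$1 start=$2 count=$3 c_uid=$4
  if [ "$c_uid" -eq 0 ]; then
    echo "$user_uid"                      # container root == the rootless user
  elif [ "$c_uid" -ge 1 ] && [ "$c_uid" -le "$count" ]; then
    echo $((start + c_uid - 1))           # 1 -> start, 2 -> start+1, ...
  else
    return 1                              # outside the mapped range
  fi
}

# container_uid_for USER_UID START COUNT HOST_UID -> UID seen inside the container
container_uid_for() {
  user_uid=$1 start=$2 count=$3 h_uid=$4
  if [ "$h_uid" -eq "$user_uid" ]; then
    echo 0
  elif [ "$h_uid" -ge "$start" ] && [ "$h_uid" -lt $((start + count)) ]; then
    echo $((h_uid - start + 1))
  else
    return 1                              # unmapped: shows up as nobody in the container
  fi
}

# Field helpers for one "name:start:count" line from /etc/subuid.
subuid_start() { echo "$1" | cut -d: -f2; }
subuid_count() { echo "$1" | cut -d: -f3; }

# volume_owner_ok USER_UID SUBUID_LINE CONTAINER_UID DIR
# Succeeds when DIR is already owned by the host UID that CONTAINER_UID maps to.
volume_owner_ok() {
  want=$(host_uid_for "$1" "$(subuid_start "$2")" "$(subuid_count "$2")" "$3") || return 1
  have=$(ls -ldn "$4" | awk '{print $3}') || return 1   # numeric owner, portable
  [ "$want" -eq "$have" ]
}
```

With the constructed range, container UID 999 lands on host UID 100998, the same kind of number `ls -ld` printed after the :U run.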

Thanks to this [blog post][1], which has saved me a lot of time by explaining the required :U flag.

References

[1]: Guide: Getting started with Podman Quadlets