Elasticsearch container as rootless Podman

I am using the elasticsearch 8.16.1 image and get the permissions error "java.nio.file.AccessDeniedException: /usr/share/elasticsearch/data" when I try to run it rootless with the command below, with the mapped host volume /var/es-data permissions set to 750 and ownership set to UID 1000, which is what elastic+ is in the container. I've also tried different UIDs for the mapped UID when running rootless Podman. I can get it to work rootless with permissions set to 777, which I think is too permissive and is masking the real issue of which UID to use for ownership on the host volume. I don't know if, within the container, the UID is changed based upon different processes from the default UID 1000 for the elastic+ user.

Why do I need rootless? The Elasticsearch container is called from another rootless container on the same host using a Podman custom bridge network, so my understanding is that both containers need to run rootless because the custom bridge network was created rootless due to the security requirements of the container calling the Elasticsearch container.

I haven't found many good resources on running the Elasticsearch container as rootless Podman, and I'm not sure if it's supported. Or maybe it's an issue with the specific image I am using?

Podman, and in particular rootless, is new to me, so any insight is appreciated.

podman run -d \
  --name elasticsearch \
  --network internal-net \
  -e discovery.type=single-node \
  -e xpack.security.enabled=false \
  -e path.repo="/usr/share/elasticsearch/snapshots" \
  -v /var/es-data:/usr/share/elasticsearch/data:Z \
  -v /var/es-snapshots:/usr/share/elasticsearch/snapshots:Z \
  docker.io/library/elasticsearch:8.16.1
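
An added example, not part of the original post: with rootless Podman's default user-namespace mapping (no `--userns` or `--uidmap` options), container UID 0 is the invoking user and container UIDs 1 and up are drawn from that user's `/etc/subuid` range, so container UID 1000 is a different number on the host. The user name `svc`, its UID 1001 and the subuid entries below are constructed sample values, and only the user's first subuid entry is considered.

```shell
#!/bin/sh
# Default rootless Podman UID mapping (assumes no --userns/--uidmap options):
#   container UID 0        -> the invoking user's own UID
#   container UID 1..count -> subuid_start + (container UID - 1)

# subuid_range USER [FILE]: print "start count" from USER's first entry
# in a subuid-format file (default /etc/subuid).
subuid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }' "${2:-/etc/subuid}"
}

# host_uid_for CONTAINER_UID USER_UID SUBUID_START SUBUID_COUNT
# Prints the host UID that a process running as CONTAINER_UID has on the
# host; returns 1 (and prints nothing) if that container UID is unmapped.
host_uid_for() {
    cuid=$1; user_uid=$2; start=$3; count=$4
    if [ "$cuid" -eq 0 ]; then
        echo "$user_uid"
    elif [ "$cuid" -le "$count" ]; then
        echo $((start + cuid - 1))
    else
        return 1
    fi
}

# Constructed sample: user "svc" (UID 1001) with a typical subuid entry.
sample=$(mktemp)
printf 'alice:100000:65536\nsvc:165536:65536\n' > "$sample"
set -- $(subuid_range svc "$sample")
echo "container UID 1000 -> host UID $(host_uid_for 1000 1001 "$1" "$2")"
rm -f "$sample"
```

A host directory owned by host UID 1000 with mode 750 is therefore not owned by the container's UID 1000. Running `podman unshare chown 1000:1000 /var/es-data` as the rootless user performs the chown inside the user namespace, which sets ownership to the mapped host UID without computing it by hand.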