Podman: Mounting volumes with z to work around permission issues (#80)

* Mounting volumes in readOnly shared mode to work around permission issues

* Adding hack back

* Changing volume format

---------

Co-authored-by: Ole Martin Handeland <git@olemartin.org>

Author: olemartinorg

Makefile

@@ -21,7 +21,6 @@ podman-compose-start-localtest:
 .PHONY: podman-compose-stop-localtest
 podman-compose-stop-localtest:
 	podman-compose --file podman-compose.yml down
-		
 
 .PHONY: podman-selinux-bind-hack
 podman-selinux-bind-hack:

README.md

@@ -218,22 +218,6 @@ This would be required if your app requires a role which none of the test users
 
 ### Known issues
 
-#### Bind mounts folders gives permission denied. Nginx returns default page
-
-On some nix systems you might experience problems with the bind mounts used by the containers. If you get the default nginx page when trying to access local.altinn.cloud this might be the case.
-
-To verify this you can run the following command:
-
-```shell
-podman container exec -it localtest-loadbalancer cat /etc/nginx/templates/nginx.conf.conf
-```
-
-if you get a permission denied message this verifies that the bind mount is not working. A best effort fix for this is to run the following command:
-
-```shell
-make podman-selinux-bind-hack
-```
-
 #### Localtest reports that the app is not running even though it is
 
 If localtest and you app is running, but localtest reports that the app is not running, it might be that the port is not open in the firewall.

podman-compose.yml

@@ -25,15 +25,8 @@ services:
       - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx/
       - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.conf
     volumes:
-      - type: bind
-        source: ./loadbalancer/templates/
-        target: /etc/nginx/templates/
-        read_only: true
-      - type: bind
-        source: ./loadbalancer/www/
-        target: /www/
-        read_only: true
-
+      - ./loadbalancer/templates/:/etc/nginx/templates/:ro,z
+      - ./loadbalancer/www/:/www/:ro,z
 
   altinn_platform_pdf:
     container_name: altinn-pdf
@@ -44,6 +37,7 @@ services:
       - altinntestlocal_network
     ports:
      - "5070:5070"
+
   altinn_pdf_service:
     container_name: altinn-pdf-service
     image: browserless/chrome:1-puppeteer-19.2.2
@@ -69,14 +63,8 @@ services:
       - GeneralSettings__BaseUrl=http://${TEST_DOMAIN:-local.altinn.cloud}:${ALTINN3LOCAL_PORT:-8000}
       - GeneralSettings__HostName=${TEST_DOMAIN:-local.altinn.cloud}
     volumes:
-      - type: volume
-        source: AltinnPlatformLocal
-        target: /AltinnPlatformLocal/
-        read_only: false
-      - type: bind
-        source: ./testdata/
-        target: /testdata/
-        read_only: true
+      - ./testdata/:/testdata/:ro,z
+      - AltinnPlatformLocal:/AltinnPlatformLocal/:rw
 
 volumes:
   AltinnPlatformLocal: