Cannot start integration test container using Podman (rootless) and bind mounts

[gtache]

Describe the bug

Hello,
when enabling integration testing together with quarkus.container-image.build=true, the quarkus-container-image-podman dependency and a mount like quarkus.test.container.volume-mounts."/path/to/quarkus-podman-issue/io/github/gtache/key-store.p12"=/deployments/key-store.p12, integration testing fails when starting the container with the message (in target/quarkus.log):
{"msg":"exec container process `/opt/jboss/container/java/run/run-java.sh`: Permission denied","level":"error","time":"2025-07-25T08:02:18.425431Z"}

(On my actual project I get {"msg":"exec container process `/usr/local/s2i/run`: Permission denied","level":"error","time":"2025-07-24T16:05:53.247336Z"}, but the problem is the same)

The command used by Quarkus to run the container is

podman run --name quarkus-integration-test-uWlxL -i --rm --user 2803:110 --userns=keep-id -p 47663:47663 -p 46835:46835 -v /path/to/quarkus-podman-issue/src/test/resources/io/github/gtache/key-store.p12:/deployments/key-store.p12:z --net=quarkus-integration-test-DEvAX --env QUARKUS_LOG_CATEGORY__IO_QUARKUS__LEVEL=INFO --env QUARKUS_HTTP_PORT=47663 --env QUARKUS_HTTP_SSL_PORT=46835 --env TEST_URL=http://localhost:0 --env QUARKUS_PROFILE=prod --env QUARKUS_TLS_KEY_STORE_P12_PASSWORD=keystore tga/quarkus-podman-issue:1.0.0-SNAPSHOT

If we remove the mount and re-run mvn clean verify, the command is

podman run --name quarkus-integration-test-uWlxL -i --rm -p 47663:47663 -p 46835:46835 --net=quarkus-integration-test-DEvAX --env QUARKUS_LOG_CATEGORY__IO_QUARKUS__LEVEL=INFO --env QUARKUS_HTTP_PORT=47663 --env QUARKUS_HTTP_SSL_PORT=46835 --env TEST_URL=http://localhost:0 --env QUARKUS_PROFILE=prod --env QUARKUS_TLS_KEY_STORE_P12_PASSWORD=keystore tga/quarkus-podman-issue:1.0.0-SNAPSHOT

but obviously this fails due to Caused by: java.nio.file.NoSuchFileException: /deployments/key-store.p12

Running the same command as the first manually but without the user and userns args (and the net too because it doesn't exist in this case) works:

podman run --name quarkus-integration-test-uWlxL -i --rm -p 47663:47663 -p 46835:46835 -v /path/to/quarkus-podman-issue/src/test/resources/io/github/gtache/key-store.p12:/deployments/key-store.p12:z --env QUARKUS_LOG_CATEGORY__IO_QUARKUS__LEVEL=INFO --env QUARKUS_HTTP_PORT=47663 --env QUARKUS_HTTP_SSL_PORT=46835 --env TEST_URL=http://localhost:0 --env QUARKUS_PROFILE=prod --env QUARKUS_TLS_KEY_STORE_P12_PASSWORD=keystore tga/quarkus-podman-issue:1.0.0-SNAPSHOT

INFO exec -a "java" java -XX:MaxRAMPercentage=80.0 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:+ExitOnOutOfMemoryError -Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager -cp "." -jar /deployments/quarkus-run.jar 
INFO running in /deployments
__  ____  __  _____   ___  __ ____  ______ 
 --/ __ \/ / / / _ | / _ \/ //_/ / / / __/ 
 -/ /_/ / /_/ / __ |/ , _/ ,< / /_/ /\ \   
--\___\_\____/_/ |_/_/|_/_/|_|\____/___/   
2025-07-25 08:15:10,876 INFO  [io.quarkus] (main) quarkus-podman-issue 1.0.0-SNAPSHOT on JVM (powered by Quarkus 3.25.0) started in 1.089s. Listening on: https://0.0.0.0:46835
2025-07-25 08:15:10,878 INFO  [io.quarkus] (main) Profile prod activated. 
2025-07-25 08:15:10,879 INFO  [io.quarkus] (main) Installed features: [cdi, rest, smallrye-context-propagation, vertx]
2025-07-25 08:15:14,282 INFO  [io.quarkus] (main) quarkus-podman-issue stopped in 0.076s

So the issue is with these arguments. The user in the container can't access the script to run Quarkus.
I don't think I'm doing anything wrong (please tell me if that's the case), so we may need a way to configure more precisely the flags/args when running the container, or these arguments should not always be set.

Thanks for your time!

Expected behavior

The integration test runs successfully (same result as the integration test with a jar / quarkus.container-image.build=false and as the unit test).

Actual behavior

The integration test fails because the container doesn't start.

How to Reproduce?

Run the linked project with mvn clean verify (or mvnw)
quarkus-podman-issue.zip

Output of uname -a or ver

Linux lxdev1 5.14.0-162.23.1.el9_1.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Mar 23 20:08:28 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux

Output of java -version

openjdk version "21.0.1" 2023-10-17 OpenJDK Runtime Environment (build 21.0.1+12-29) OpenJDK 64-Bit Server VM (build 21.0.1+12-29, mixed mode, sharing)

Quarkus version or git rev

3.25.0

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937) Maven home: /opt/apps/pkgs/maven Java version: 21.0.1, vendor: Oracle Corporation, runtime: /usr/lib/jvm/jdk-21.0.1 Default locale: fr_CH, platform encoding: UTF-8 OS name: "linux", version: "5.14.0-162.23.1.el9_1.x86_64", arch: "amd64", family: "unix"

Additional information

No response

[geoand]

Thanks for reporting.

Does the issue go away if you update the permissions on the host?

[gtache]

No, even if the mounted file is readable by everyone, the issue persists.

[geoand]

Thanks for checking

[ReveredMachine]

Hello,

I faced the same issue and checked the code to find a workaround in order to not use the current host user.

Using the quarkus configuration quarkus.test.arg-line instead of quarkus.test.container.volume-mounts."/path" for adding a volume mount was working in my case.

Example when using maven: mvn verify -Dquarkus.test.arg-line="-v /host_path:/container_path"

As an idea there could be a switch whether to use the current host user or not in the DefaultDockerContainerLauncher when running the container during integration tests.

[geoand]

Thanks for the update @ReveredMachine! Feel free to open a Draft PR that implements your suggestion