I am running a Prefect Cloud-based Podman system f...
# ask-community
j
I am running a Prefect Cloud-based Podman system for running workflows where users interact with an online data source API, as well as reading and writing to local storage systems with ACLs (multiple subdirectories with different ownership). Locally, I have been able to run containers that can read and write from/to the storage systems by running commands like:

```
podman run -v /top/dir1:/top/dir1 --userns keep-id:uid=<uid1>,gid=<gid1> <image>
```

where service user `<uid1>:<gid1>` only has access to `/top/dir1`. However, when trying to implement having separate users in Prefect, there are no options in docker-py or Prefect for propagating the userns option to podman (as no options like these exist for docker). I had been using work-pool job_variables to attempt to pass these when running a container, but these workflows all end up running as root. What are my best options for hosting multiple Prefect workers on a single host, each capable of writing to a storage system that has multiple subdomains that can be accessed by a separate user/group? (The images to be run are different, but that is easily solved by deploying with different images; control of the user running the container is the main difficulty I am having.)
b
@Jun Aishima feel free to add a comment/+1 to this GitHub discussion for Podman support in Prefect: https://github.com/PrefectHQ/prefect/discussions/15836
There's not a direct `--userns` equivalent in Docker. You could do this for the entire Docker daemon, but I don't think this accomplishes what you want. https://docs.docker.com/engine/security/userns-remap/

You could try passing the `user` in the kwargs in your Prefect deployment job variables like this:

```yaml
job_configuration:
  container_create_kwargs:
    user: 123:123
```

But this means the container runs as this user instead of remapping the namespace...
j
thank you for the two suggestions! I also saw that there was an issue just opened on docker-py to enable userns options as well - https://github.com/docker/docker-py/issues/3351 I am currently also trying to enable extended userns_mode options by poking at the docker-py library (new argument also passed in via `container_create_kwargs`), but will also try the suggestion for `user` as well.
more info: Setting userns_mode to `keep-id:uid=<uid>,gid=<gid>` resulted in the following exception when Prefect was trying to run the container:

```
crun: mount sysfs to sys: Operation not permitted: OCI permission denied
```

But when I tried to use `user: <uid>:<gid>`, then the git cloning step of deployments failed:

```
subprocess.CalledProcessError: Command '['git', 'clone', '<https://github.com/><me>/<workflow code>.git', '--branch',.....  returned non-zero exit status 128.
```