Jip-Hop / jailmaker

Persistent Linux 'jails' on TrueNAS SCALE to install software (docker-compose, portainer, podman, etc.) with full access to all files via bind mounts thanks to systemd-nspawn!
GNU Lesser General Public License v3.0

Rootless podman installation process - podman failing #149

Closed Lockszmith-GH closed 3 weeks ago

Lockszmith-GH commented 1 month ago

Following the current rootless section in the podman README, when attempting to start the podman hello-world, I got the following error:

```
ERRO[0000] running /usr/bin/newuidmap 280 0 1000 1 1 65536 65536: newuidmap: write to uid_map failed: Operation not permitted
```

After some looking around, I ended up at this solution.

And indeed, running the following once inside the jail as root, `rpm --restore shadow-utils`, resolved the issue, and I was able to run podman as the rootless user.

I also noticed that this can't be added to the initial_setup step, as I get the following error:

```
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
```

So just modifying the README should be sufficient.

Jip-Hop commented 3 weeks ago

Please let me know if you were able to double check this. As mentioned in #150 I think it works as expected, so I'm inclined to close this issue to let other users know.

Lockszmith-GH commented 3 weeks ago

I ran through the instructions (without my addition) to a tee; this is what happens:

```
❯ jlmkr shell --uid 1000 rootless-podman
Connected to machine rootless-podman. Press ^] three times within 1s to exit session.
[rootless@rootless-podman ~]$ id
uid=1000(rootless) gid=1000(rootless) groups=1000(rootless)
[rootless@rootless-podman ~]$ podman run hello-world
ERRO[0000] running `/usr/bin/newuidmap 255 0 1000 1 1 65536 65536`: newuidmap: write to uid_map failed: Operation not permitted
Error: cannot set up namespace using "/usr/bin/newuidmap": should have setuid or have filecaps setuid: exit status 1
[rootless@rootless-podman ~]$ podman info
ERRO[0000] running `/usr/bin/newuidmap 275 0 1000 1 1 65536 65536`: newuidmap: write to uid_map failed: Operation not permitted
Error: cannot set up namespace using "/usr/bin/newuidmap": should have setuid or have filecaps setuid: exit status 1
[rootless@rootless-podman ~]$ exit
logout
Connection to machine rootless-podman terminated.
```

After running:

```
jlmkr shell rootless-podman
Connected to machine rootless-podman. Press ^] three times within 1s to exit session.
[root@rootless-podman ~]# rpm --restore shadow-utils
[root@rootless-podman ~]# exit
logout
Connection to machine rootless-podman terminated.
```

I can then shell in with --uid 1000 and run the podman commands successfully.
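A pre-flight check for the failure shown in this thread, added here as an example and not part of jailmaker or podman. It tests the condition podman's error names (newuidmap/newgidmap either setuid or carrying a setuid file capability, which is what `rpm --restore shadow-utils` repairs by re-applying the package's recorded permissions and capabilities) and the subordinate id ranges in /etc/subuid and /etc/subgid that the `newuidmap ... 1 1 65536 65536` call depends on. The helper paths and the `getcap` fallback are assumptions.

```sh
#!/bin/sh
# Rootless podman pre-flight check (constructed example, not jailmaker code).

# check_idmap_helper PATH: succeeds when PATH is setuid or has cap_setuid in
# its file capabilities, i.e. the condition podman's error message describes.
check_idmap_helper() {
    helper="$1"
    [ -f "$helper" ] || { echo "missing: $helper"; return 1; }
    # POSIX test -u: true when the setuid bit is set on the file.
    [ -u "$helper" ] && return 0
    # Fedora-style installs rely on file capabilities instead of setuid
    # (assumption: getcap from libcap is installed when capabilities are used).
    if command -v getcap >/dev/null 2>&1; then
        getcap "$helper" 2>/dev/null | grep -q 'cap_setuid' && return 0
    fi
    echo "no setuid bit and no cap_setuid on $helper"
    return 1
}

# check_subid FILE USER: succeeds when FILE (/etc/subuid or /etc/subgid)
# grants USER a non-empty range. Entries are "name:start:count".
# (Numeric-uid entries are also valid but not matched by this check.)
check_subid() {
    file="$1"; user="$2"
    [ -r "$file" ] || { echo "unreadable: $file"; return 1; }
    awk -F: -v u="$user" '$1 == u && $3 > 0 { found = 1 } END { exit !found }' "$file"
}

# rootless_preflight [USER]: run every check; prints what is missing.
rootless_preflight() {
    user="${1:-$(id -un)}"
    rc=0
    for h in /usr/bin/newuidmap /usr/bin/newgidmap; do   # assumed paths
        check_idmap_helper "$h" || rc=1
    done
    check_subid /etc/subuid "$user" || { echo "no subuid range for $user"; rc=1; }
    check_subid /etc/subgid "$user" || { echo "no subgid range for $user"; rc=1; }
    [ "$rc" -eq 0 ] && echo "rootless podman prerequisites satisfied for $user"
    return "$rc"
}

# Usage inside the jail: sh preflight.sh check rootless
case "${1:-}" in
    check) rootless_preflight "${2:-}" ;;
esac
```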

Jip-Hop commented 3 weeks ago

Should be fixed in https://github.com/Jip-Hop/jailmaker/releases/tag/v1.4.0. Let me know if it's not.