error running container: error from /usr/bin/crun creating container for [/bin/sh -c pip install -r requirements.txt]: mount `/proc` to `/proc`: Operation not permitted

[sachinkaushik]

Hi Team,

I have created a running rootless openshift container using a Dockerfile. I followed below link for creating Rootless Podman without the privileged flag. I'm able to build java spring application but when I try to build python application using Dockerfile that has pip install then I'm getting below error. Can you please let us know what else config required to resolve below error?

https://www.redhat.com/sysadmin/podman-inside-kubernetes

error running container: error from /usr/bin/crun creating container for [/bin/sh -c pip install -r requirements.txt]: mount /proc to /proc: Operation not permitted

1. • If there is a "pip install" command in a Dockerfile, then Podman build fails with error " mount /proc to /proc: Operation not permitted"
2. • Podman build creates docker image, if Dockerfile does not have "pip install" command

podman --version :: podman version 3.2.2

podman info ::

host: arch: amd64 buildahVersion: 1.21.0 cgroupControllers: [] cgroupManager: cgroupfs cgroupVersion: v1 conmon: package: conmon-2.0.27-2.fc34.x86_64 path: /usr/bin/conmon version: 'conmon version 2.0.27, commit: ' cpus: 12 distribution: distribution: fedora version: "34" eventLogger: file hostname: cliservice-7dff79cbd7-n7krd idMappings: gidmap:

• container_id: 0 host_id: 1000 size: 1
• container_id: 1 host_id: 10000 size: 5000 uidmap:
• container_id: 0 host_id: 1000 size: 1
• container_id: 1 host_id: 10000 size: 5000 kernel: 4.18.0-240.22.1.el8_3.x86_64 linkmode: dynamic memFree: 55972347904 memTotal: 67230187520 ociRuntime: name: crun package: crun-0.20.1-1.fc34.x86_64 path: /usr/bin/crun version: |- crun version 0.20.1 commit: 0d42f1109fd73548f44b01b3e84d04a279e99d2e spec: 1.0.0 +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL os: linux remoteSocket: path: /tmp/podman-run-1000/podman/podman.sock security: apparmorEnabled: false capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT rootless: true seccompEnabled: true seccompProfilePath: /usr/share/containers/seccomp.json selinuxEnabled: false serviceIsRemote: false slirp4netns: executable: /usr/bin/slirp4netns package: slirp4netns-1.1.9-1.fc34.x86_64 version: |- slirp4netns version 1.1.8+dev commit: 6dc0186e020232ae1a6fcc1f7afbc3ea02fd3876 libslirp: 4.4.0 SLIRP_CONFIG_VERSION_MAX: 3 libseccomp: 2.5.0 swapFree: 0 swapTotal: 0 uptime: 21h 24m 42.97s (Approximately 0.88 days) registries: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com: Blocked: false Insecure: true Location: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com MirrorByDigestOnly: false Mirrors: [] Prefix: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com quay.io: Blocked: false Insecure: true Location: quay.io MirrorByDigestOnly: false Mirrors: [] Prefix: quay.io search:
  • registry.fedoraproject.org
  • registry.access.redhat.com
  • registry.centos.org
  • docker.io
  • quay.io store: configFile: /home/podman/.config/containers/storage.conf containerStore: number: 0 paused: 0 running: 0 stopped: 0 graphDriverName: overlay graphOptions: overlay.mount_program: Executable: /usr/bin/fuse-overlayfs Package: fuse-overlayfs-1.5.0-1.fc34.x86_64 Version: |- fusermount3 version: 3.10.4 fuse-overlayfs: version 1.5 FUSE library version 3.10.4 using FUSE kernel interface version 7.31 graphRoot: /home/podman/.local/share/containers/storage graphStatus: Backing Filesystem: overlayfs Native Overlay Diff: "false" Supports d_type: "true" Using metacopy: "false" imageStore: number: 5 runRoot: /tmp/podman-run-1000/containers volumePath: /home/podman/.local/share/containers/storage/volumes version: APIVersion: 3.2.2 Built: 1624664959 BuiltTime: Fri Jun 25 23:49:19 2021 GitCommit: "" GoVersion: go1.16.4 OsArch: linux/amd64 Version: 3.2.2

------------------------------------------------------Dockerfile- Start-------------------------------------------

FROM quay.io/podman/stable:latest

RUN touch /etc/subgid /etc/subuid \ && chmod g=u /etc/subgid /etc/subuid /etc/passwd \ && echo podman:10000:5000 > /etc/subuid \ && echo podman:10000:5000 > /etc/subgid

RUN yum install -y \ python3-pip \ python3 python3-wheel \ git \ java-11-openjdk.x86_64

RUN pip install jupyterlab

ARG MAVEN_VERSION=3.8.1 ARG BASE_URL=https://apache.osuosl.org/maven/maven-3/${MAVEN_VERSION}/binaries

RUN mkdir -p /usr/share/maven /usr/share/maven/ref \ && curl -fsSL -o /tmp/apache-maven.tar.gz ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \ && tar -xzf /tmp/apache-maven.tar.gz -C /usr/share/maven --strip-components=1 \ && rm -f /tmp/apache-maven.tar.gz \ && ln -s /usr/share/maven/bin/mvn /usr/bin/mvn \ && yum install wget -y \ && yum install unzip -y \ && wget -q https://services.gradle.org/distributions/gradle-3.3-bin.zip \ && unzip gradle-3.3-bin.zip -d /opt \ && rm gradle-3.3-bin.zip

ENV JAVA_HOME /usr/lib/jvm/jre-11-openjdk/ ENV MAVEN_HOME /usr/share/maven ENV GRADLE_HOME /opt/gradle-3.3 ENV PATH $PATH:/opt/gradle-3.3/bin

COPY registries.conf /etc/containers/ COPY login-script.sh /etc/containers/ RUN chmod -R 777 /etc/containers/login-script.sh USER podman

WORKDIR /data

ENTRYPOINT ["/etc/containers/login-script.sh"]

-------------------------------------------Dockerfile End-------------------------------------------

[sachinkaushik]

Hi Team,

Any update on this...?

[baude]

@rhatdan @umohnani8 ptal

[flouthoc]

Hi @sachinkaushik is this rootless container being invoked from another rootless/non-root container ? Could you try adding this to your podman command --security-opt seccomp=unconfined --cap-add all ?

[flouthoc]

also afaik parent container has to be privileged and must mount parts of /proc with relevant uid,gid for nested rootless container to be able to perform mount on procfs i am not sure about it though. @sachinkaushik Could you please try with privileged: true if above suggested methods don't work.

[sachinkaushik]

HI @flouthoc ,

Thank you for response..!!!

We have created a Container Image using below Dockerfile by docker build -t . command. And now this container image we are running as rootless(we have podman User in dockerfile) container in Openshift.

This is a rootless container running in openshift. Now if we try to build python application Dockerfile that is having pip install command then only we are getting error mentioned in issue subject.

Using below Dockerfile we have created Container Image and same we have deployed in Openshift and that is running as rootless container and inside this we are trying build python application.

------------------------------------Dockerfile start------------------------------------------------------

FROM quay.io/podman/stable:latest

RUN touch /etc/subgid /etc/subuid \ && chmod g=u /etc/subgid /etc/subuid /etc/passwd \ && echo podman:10000:5000 > /etc/subuid \ && echo podman:10000:5000 > /etc/subgid

RUN yum install -y \ python3-pip \ python3 python3-wheel

RUN pip install jupyterlab

ENV PATH $PATH:/opt/gradle-3.3/bin

COPY registries.conf /etc/containers/ COPY login-script.sh /etc/containers/ RUN chmod -R 777 /etc/containers/login-script.sh USER podman

WORKDIR /data

ENTRYPOINT ["/etc/containers/login-script.sh"]

----------------------------------------------Dockerfile end------------------------------------------------------

Note : We have to give less privileged to User.

[flouthoc]

@sachinkaushik oh its fine if you don't want to try privileged: true but could you try this: podman build --security-opt seccomp=unconfined --cap-add all -t <image-name> . and tell me the output ?

[sachinkaushik]

Hi @flouthoc ,

I just try it and getitng same error.

podman build --security-opt seccomp=unconfined --cap-add all -t python-image .

STEP 5: RUN pip install -r requirements.txt error running container: error from /usr/bin/crun creating container for [/bin/sh -c pip install -r requirements.txt]: mount /proc to /proc: Operation not permitted

I followed Rootless Podman without the privileged flag article.

https://www.redhat.com/sysadmin/podman-inside-kubernetes

[flouthoc]

@sachinkaushik and just for a try what happens when you set privileged: true on the pod config ?

[sachinkaushik]

@flouthoc We have created s SCC and in that we have allowPrivilegedContainer: false . Do you want us to set value of allowPrivilegedContainer as true ?

[sachinkaushik]

@flouthoc We tried setting up value of allowPrivilegedContainer as true. But still no luck.

STEP 5: RUN pip install -r requirements.txt error running container: error from /usr/bin/crun creating container for [/bin/sh -c pip install -r requirements.txt]: mount /proc to /proc: Operation not permitted

[sachinkaushik]

HI @rhatdan , @flouthoc ,

Any update on this?

[flouthoc]

@sachinkaushik I was not able to spend time on this yesterday will probably re-create this on my end and will try a few things. btw when you tried allowPrivilegedContainer: true did you update your defined SCC as well ?

[sachinkaushik]

Hi @flouthoc ,

Yes we updated.

We are using Service Account and that SA is bind with Role. And that role is having a below SCC.

------------------------------------------------------------SCC Start------------------------------------- allowHostPorts: false priority: 10 requiredDropCapabilities:

• MKNOD
• KILL
• DAC_OVERRIDE
• NET_RAW
• SETPCAP
• SETFCAP
• FSETID
• SYS_CHROOT allowPrivilegedContainer: true runAsUser: type: RunAsAny users: [] allowHostDirVolumePlugin: true allowHostIPC: false seLinuxContext: type: MustRunAs readOnlyRootFilesystem: false metadata: annotations: include.release.openshift.io/self-managed-high-availability: 'true' creationTimestamp: '2021-05-31T05:35:10Z' generation: 4
  name: intel-devcloud-privileged-scc fsGroup: type: MustRunAs groups:
• 'system:cluster-admins' kind: SecurityContextConstraints defaultAddCapabilities: null supplementalGroups: type: RunAsAny volumes:
• awsElasticBlockStore
• azureDisk
• azureFile
• cephFS
• cinder
• configMap
• csi
• downwardAPI
• emptyDir
• ephemeral
• fc
• flexVolume
• flocker
• gcePersistentDisk
• gitRepo
• glusterfs
• hostPath
• iscsi
• nfs
• persistentVolumeClaim
• photonPersistentDisk
• portworxVolume
• projected
• quobyte
• rbd
• scaleIO
• secret
• storageOS
• vsphere allowHostPID: false allowHostNetwork: false allowPrivilegeEscalation: true apiVersion: security.openshift.io/v1 allowedCapabilities: null ---------------------------------------------------SCC End--------------------------------------------------------------

[rhatdan]

The issue is the outer container has setup /proc with certain read/only mounts and mounted over parts of /proc, When running podman container inside it tries to modify /proc mount and the kernel does not allow this. So you can either do an --unmask=/proc/* or --unmask=all on the outside container. or volume mount -v /proc:/proc on the inside container. (I believe).

@giuseppe WDYT?

[sachinkaushik]

HI @rhatdan / @flouthoc ,

I tried above things but still no luck...

error running container: error from /usr/bin/crun creating container for [/bin/sh -c pip install -r requirements.txt]: mount /proc to /proc: Operation not permitted

I think there is problem with crun, it doesn't have permission to mount proc.

We have below dockerfile and trying to build container image of it. But step 5 <RUN pip install -r requirements.txt> gives error.

-----------------------Docker file--------------------

FROM python:3-alpine MAINTAINER Sachin Sharma WORKDIR /service COPY requirements.txt . RUN pip install -r requirements.txt COPY . ./ EXPOSE 8080 ENTRYPOINT ["python3", "app.py",]

[flouthoc]

@sachinkaushik I tried recreating your use-case podman build -t img-python . with one of your repos https://github.com/sachinkaushik/hello-world-python.git inside a rootful privileged podman container started using sudo podman run --privileged quay.io/podman/stable sleep 100000000 but everything worked completely fine for me. Sharing the complete output of build inside a container https://paste.ubuntu.com/p/c4Mh99dScd/

I did this by-the-way.

• Start a privileged container using sudo podman run --privileged quay.io/podman/stable sleep 100000000
• Exec into container sudo podman exec -it <name> bash
• Install git sudo dnf install git-all
• Clone the repo git clone https://github.com/sachinkaushik/hello-world-python.git
• Build image podman build -t img-python .

---

Podman version: 3.3.0-dev Crun version: 0.20.1.17-0b0b

[flouthoc]

Same case for rootless privileged container started using podman run --privileged quay.io/podman/stable sleep 100000000. I am unable to reproduce this case everything is working just fine for me.

Steps i did

• Start a privileged container using podman run --privileged quay.io/podman/stable sleep 100000000
• Exec into container podman exec -it <name> bash
• Install git sudo dnf install git-all
• Clone the repo git clone https://github.com/sachinkaushik/hello-world-python.git

• Build image podman build -t img-python .

  ---

  Podman version: 3.3.0-dev Crun version: 0.20.1.17-0b0b

[sachinkaushik]

HI @flouthoc / @rhatdan ,

This is working as rootful container our end also. But when Im running as rootless container then getting below error. This is new error now. We have priviledge true as well in Pod YAML file. Please help me here what else config I'm missing to add.

securityContext: privileged: true

Error :

STEP 5: RUN pip install -r requirements.txt error running container: error from /usr/bin/crun creating container for [/bin/sh -c pip install -r requirements.txt]: newgidmap: gid range [0-4294967295) -> [0-4294967295) not allowed writing file /proc/248/gid_map: Invalid argument

Im creating container using below docker file.

---

FROM quay.io/podman/stable:latest

RUN yum install -y \ python3-pip \ python3 python3-wheel \ git \ java-11-openjdk.x86_64

RUN pip install jupyterlab

USER podman

WORKDIR /data

ENTRYPOINT ["jupyter", "lab", "--port=8888", "--no-browser", "--ip=0.0.0.0", "--allow-root"]

---

Working with root User.

[umohnani8]

@sachinkaushik have you tried the build with the --isolation=chroot flag as the article says? That should fix the permisison denied you are getting for mounting /proc. The chroot isolation helps bypass some of the things that the kernel denies mounting in the default isolation setting. So far builds in a rootless unprivileged container only works with --isolation=chroot.

Another option would be to run your pod in a user namespace using the cri-o runtime class method. The steps for doing this is in the article as well.

Article: https://www.redhat.com/sysadmin/podman-inside-kubernetes

[sachinkaushik]

@umohnani8 Now im not getting proc mount error. Now there is below error when I'm running as rootless container. I have added subuid and subguid in dockerfile as well, as mentioned in article.

error running container: error from /usr/bin/crun creating container for [/bin/sh -c pip install -r requirements.txt]: newgidmap: gid range [0-4294967295) -> [0-4294967295) not allowed writing file /proc/234/gid_map: Invalid argument : exit status 1

And if try with--isolation=chroot flag, using below command getting another error.

podman build --isolation chroot -t demo

STEP 5: RUN pip install -r requirements.txt error setting capabilities for process: error reading capabilities of current process: open /proc/self/status: permission denied subprocess exited with status 1

Dockerfile :

FROM quay.io/podman/stable:latest

RUN echo umohnani:100000:65536 > /etc/subuid; \ echo containers:200000:268435456 > /etc/subuid; \ echo umohnani:100000:65536 > /etc/subgid; \ echo containers:200000:268435456 > /etc/subgid;

RUN yum install -y \ python3-pip \ python3 python3-wheel \ git \ java-11-openjdk.x86_64

RUN pip install jupyterlab

COPY login-script.sh /etc/containers/ RUN chmod -R 777 /etc/containers/login-script.sh

USER podman

WORKDIR /data

ENTRYPOINT ["jupyter", "lab", "--port=8888", "--no-browser", "--ip=0.0.0.0", "--allow-root"]

jupyter lab --port=8888 --no-browser --ip=0.0.0.0 --allow-root

---

[flouthoc]

@sachinkaushik Could you please remove the lines from you Containerfile/Dockerfile

RUN echo umohnani:100000:65536 > /etc/subuid;
echo containers:200000:268435456 > /etc/subuid;
echo umohnani:100000:65536 > /etc/subgid;
echo containers:200000:268435456 > /etc/subgid; 

and try

[sachinkaushik]

@flouthoc first I tried without above lines from dockerfile for rootless container. I was getting below error. Then I tried with above lines but still there was same error.

error running container: error from /usr/bin/crun creating container for [/bin/sh -c pip install -r requirements.txt]: newgidmap: gid range [0-4294967295) -> [0-4294967295) not allowed writing file /proc/234/gid_map: Invalid argument

[flouthoc]

Could you please share idmappings of your podman, you can get that by podman info

[sachinkaushik]

@flouthoc Please find below output of podman info

podman info ::

host: arch: amd64 buildahVersion: 1.21.0 cgroupControllers: [] cgroupManager: cgroupfs cgroupVersion: v1 conmon: package: conmon-2.0.27-2.fc34.x86_64 path: /usr/bin/conmon version: 'conmon version 2.0.27, commit: ' cpus: 12 distribution: distribution: fedora version: "34" eventLogger: file hostname: cliservice-874f8bb78-rt7wt idMappings: gidmap:

• container_id: 0 host_id: 0 size: 4294967295 uidmap:
• container_id: 0 host_id: 0 size: 4294967295 kernel: 4.18.0-240.22.1.el8_3.x86_64 linkmode: dynamic memFree: 52187860992 memTotal: 67230187520 ociRuntime: name: crun package: crun-0.20.1-1.fc34.x86_64 path: /usr/bin/crun version: |- crun version 0.20.1 commit: 0d42f1109fd73548f44b01b3e84d04a279e99d2e spec: 1.0.0 +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL os: linux remoteSocket: path: /run/user/1000/podman/podman.sock security: apparmorEnabled: false capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT rootless: true seccompEnabled: true seccompProfilePath: /usr/share/containers/seccomp.json selinuxEnabled: false serviceIsRemote: false slirp4netns: executable: /usr/bin/slirp4netns package: slirp4netns-1.1.9-1.fc34.x86_64 version: |- slirp4netns version 1.1.8+dev commit: 6dc0186e020232ae1a6fcc1f7afbc3ea02fd3876 libslirp: 4.4.0 SLIRP_CONFIG_VERSION_MAX: 3 libseccomp: 2.5.0 swapFree: 0 swapTotal: 0 uptime: 23h 53m 25.03s (Approximately 0.96 days) registries: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com: Blocked: false Insecure: true Location: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com MirrorByDigestOnly: false Mirrors: [] Prefix: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com quay.io: Blocked: false Insecure: true Location: quay.io MirrorByDigestOnly: false Mirrors: [] Prefix: quay.io search:
  • registry.fedoraproject.org
  • registry.access.redhat.com
  • registry.centos.org
  • docker.io
  • quay.io store: configFile: /home/podman/.config/containers/storage.conf containerStore: number: 0 paused: 0 running: 0 stopped: 0 graphDriverName: overlay graphOptions: overlay.mount_program: Executable: /usr/bin/fuse-overlayfs Package: fuse-overlayfs-1.5.0-1.fc34.x86_64 Version: |- fusermount3 version: 3.10.4 fuse-overlayfs: version 1.5 FUSE library version 3.10.4 using FUSE kernel interface version 7.31 graphRoot: /home/podman/.local/share/containers/storage graphStatus: Backing Filesystem: overlayfs Native Overlay Diff: "false" Supports d_type: "true" Using metacopy: "false" imageStore: number: 4 runRoot: /run/user/1000/containers volumePath: /home/podman/.local/share/containers/storage/volumes version: APIVersion: 3.2.2 Built: 1624664959 BuiltTime: Fri Jun 25 23:49:19 2021 GitCommit: "" GoVersion: go1.16.4 OsArch: linux/amd64 Version: 3.2.2

I created container using below Dockerfile.

FROM quay.io/podman/stable:latest

RUN yum install -y \ python3-pip \ python3 python3-wheel \ git \ java-11-openjdk.x86_64

RUN pip install jupyterlab

USER podman

WORKDIR /data

ENTRYPOINT ["jupyter", "lab", "--port=8888", "--no-browser", "--ip=0.0.0.0", "--allow-root"]

---

[flouthoc]

@sachinkaushik try a smaller range and also add entry for root by adding this to containerfile

RUN touch /etc/subgid /etc/subuid
&& chmod g=u /etc/subgid /etc/subuid /etc/passwd
&& echo root:165536:65536 > /etc/subuid
&& echo root:165536:65536 > /etc/subgid
&& echo containers:165536:65536 > /etc/subgid
&& echo containers:165536:65536 > /etc/subuid
&& echo podman:10000:5000 > /etc/subuid
&& echo podman:10000:5000 > /etc/subgid

[sachinkaushik]

@flouthoc I tried after adding above lines in Dockerfile but still same error.

---

FROM quay.io/podman/stable:latest

RUN touch /etc/subgid /etc/subuid \ && chmod g=u /etc/subgid /etc/subuid /etc/passwd \ && echo root:165536:65536 > /etc/subuid \ && echo root:165536:65536 > /etc/subgid \ && echo containers:165536:65536 > /etc/subgid \ && echo containers:165536:65536 > /etc/subuid \ && echo podman:10000:5000 > /etc/subuid \ && echo podman:10000:5000 > /etc/subgid

RUN yum install -y \ python3-pip \ python3 python3-wheel \ git \ java-11-openjdk.x86_64

RUN pip install jupyterlab

USER podman

WORKDIR /data

ENTRYPOINT ["jupyter", "lab", "--port=8888", "--no-browser", "--ip=0.0.0.0", "--allow-root"]

podman info :

[podman@cliservice-874f8bb78-xhfds hello-world-python]$ podman info host: arch: amd64 buildahVersion: 1.21.0 cgroupControllers: [] cgroupManager: cgroupfs cgroupVersion: v1 conmon: package: conmon-2.0.27-2.fc34.x86_64 path: /usr/bin/conmon version: 'conmon version 2.0.27, commit: ' cpus: 12 distribution: distribution: fedora version: "34" eventLogger: file hostname: cliservice-874f8bb78-xhfds idMappings: gidmap:

• container_id: 0 host_id: 0 size: 4294967295 uidmap:
• container_id: 0 host_id: 0 size: 4294967295 kernel: 4.18.0-240.22.1.el8_3.x86_64 linkmode: dynamic memFree: 50346074112 memTotal: 67230187520 ociRuntime: name: crun package: crun-0.20.1-1.fc34.x86_64 path: /usr/bin/crun version: |- crun version 0.20.1 commit: 0d42f1109fd73548f44b01b3e84d04a279e99d2e spec: 1.0.0 +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL os: linux remoteSocket: path: /run/user/1000/podman/podman.sock security: apparmorEnabled: false capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT rootless: true seccompEnabled: true seccompProfilePath: /usr/share/containers/seccomp.json selinuxEnabled: false serviceIsRemote: false slirp4netns: executable: /usr/bin/slirp4netns package: slirp4netns-1.1.9-1.fc34.x86_64 version: |- slirp4netns version 1.1.8+dev commit: 6dc0186e020232ae1a6fcc1f7afbc3ea02fd3876 libslirp: 4.4.0 SLIRP_CONFIG_VERSION_MAX: 3 libseccomp: 2.5.0 swapFree: 0 swapTotal: 0 uptime: 24h 36m 38.11s (Approximately 1.00 days) registries: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com: Blocked: false Insecure: true Location: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com MirrorByDigestOnly: false Mirrors: [] Prefix: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com quay.io: Blocked: false Insecure: true Location: quay.io MirrorByDigestOnly: false Mirrors: [] Prefix: quay.io search:
  • registry.fedoraproject.org
  • registry.access.redhat.com
  • registry.centos.org
  • docker.io
  • quay.io store: configFile: /home/podman/.config/containers/storage.conf containerStore: number: 0 paused: 0 running: 0 stopped: 0 graphDriverName: overlay graphOptions: overlay.mount_program: Executable: /usr/bin/fuse-overlayfs Package: fuse-overlayfs-1.5.0-1.fc34.x86_64 Version: |- fusermount3 version: 3.10.4 fuse-overlayfs: version 1.5 FUSE library version 3.10.4 using FUSE kernel interface version 7.31 graphRoot: /home/podman/.local/share/containers/storage graphStatus: Backing Filesystem: overlayfs Native Overlay Diff: "false" Supports d_type: "true" Using metacopy: "false" imageStore: number: 4 runRoot: /run/user/1000/containers volumePath: /home/podman/.local/share/containers/storage/volumes version: APIVersion: 3.2.2 Built: 1624664959 BuiltTime: Fri Jun 25 23:49:19 2021 GitCommit: "" GoVersion: go1.16.4 OsArch: linux/amd64 Version: 3.2.2

[sachinkaushik]

@flouthoc @umohnani8 any update on this?

[flouthoc]

@sachinkaushik Could you share contents of /etc/subuid and /etc/subgid from your container.

[sachinkaushik]

@flouthoc Please find below same.

[podman@cliservice-688f5bb747-4d6nb hello-world-python]$ cat /etc/subuid podman:10000:5000 [podman@cliservice-688f5bb747-4d6nb hello-world-python]$ cat /etc/subgid podman:10000:5000

[flouthoc]

@sachinkaushik does your deployment/pod spec contains ? Although i am unsure if this is going to help or not.

     securityContext:
       privileged: true
       runAsUser: 10000

[sachinkaushik]

@flouthoc I have below config in deployment/pod spec. Do you want me add runAsUser: 1000 ?

securityContext: privileged: true

[flouthoc]

runAsUser: 10000 but i am really unsure if this is going to be of any help just give it a try.

[sachinkaushik]

@flouthoc I added in deployment yaml file, and still same error is there.

Same Error :

[flouthoc]

@sachinkaushik user was supposed to be 10000

[sachinkaushik]

@flouthoc after adding 10000, getting error "cannot find name for user ID 10000"

[flouthoc]

and what happens with you set runAsUser to 0 ?

[sachinkaushik]

@flouthoc After setting up runAsUser to 0. It just created a rootful container, And with rootful it is working fine already.

[flouthoc]

@sachinkaushik okay you can remove runAsUser from spec if you dont want it to be root or runAsUser: 1000 and use following command while performing build from inside of container podman build --security-opt seccomp=unconfined --cap-add all --isolation=chroot -t <image-name> .

[sachinkaushik]

@flouthoc I removed that config. And tried with command you mentioned above. Now there is below error.

error setting capabilities for process: error reading capabilities of current process: open /proc/self/status: permission denied

[flouthoc]

@sachinkaushik try with podman build --userns-gid-map-group podman --userns-uid-map-user podman -t <name> . and with podman build --isolation=chroot --userns-gid-map-group podman --userns-uid-map-user podman -t <name> . also could you please share output for both ?

[flouthoc]

@rhatdan @umohnani8 could you guys please let me know if the case is documented or ever tried before for using rootless buildah within a rootless container i think we might have hit a bug not sure.

[sachinkaushik]

@flouthoc I tried with both, please find below output of both commands.

podman build --userns-gid-map-group podman --userns-uid-map-user podman -t img .

podman build --isolation=chroot --userns-gid-map-group podman --userns-uid-map-user podman -t img .

[flouthoc]

@sachinkaushik I think this should solve try this , this might look weird but give it a shot this should fix your use case. Add this to dockerfile which is being used to start container, please make sure values are exact.

RUN echo test:1000:1 >> /etc/subuid
RUN echo test:1000:5000 >> /etc/subgid

Exec into Pod

Step 1

cat /etc/subuid Should look like

podman:10000:5000
test:1000:1

Step 2

cat /etc/subgid should look like

podman:10000:5000
test:1000:5000

Try running the build using

podman build --isolation=chroot --userns-gid-map-group test --userns-uid-map-user test -t img .

Eveything should work fine, please use steps 1 and 2 to verify things before running build

[sachinkaushik]

@flouthoc Do I have to use below lines also in containerfile ?

RUN touch /etc/subgid /etc/subuid \ && chmod g=u /etc/subgid /etc/subuid /etc/passwd \ && echo root:165536:65536 > /etc/subuid \ && echo root:165536:65536 > /etc/subgid \ && echo containers:165536:65536 > /etc/subgid \ && echo containers:165536:65536 > /etc/subuid \ && echo podman:10000:5000 > /etc/subuid \ && echo podman:10000:5000 > /etc/subgid

[flouthoc]

@sachinkaushik not needed you can remove all these and add just

RUN echo test:1000:1 >> /etc/subuid
RUN echo test:1000:5000 >> /etc/subgid

[flouthoc]

@sachinkaushik So i was able to reproduce and these steps worked for me so verify every step before performing the build from https://github.com/containers/podman/issues/10864#issuecomment-879764837 and also add runAsUser:1000 if needed.

[sachinkaushik]

@flouthoc Yes Thank you...!!!,

This is working for now. But Are we going with approach? I mean passing args while we build container image?

Because this feature will be used by end Users. So we don't want to force them to pass all those args while creating container image.

[flouthoc]

@sachinkaushik Cheers !!! :tada: :tada: :rocket: , it should unblock you and there should be no problem with using flags but i still think there is bug. Let @rhatdan and @umohnani8 confirm.

[sachinkaushik]

@flouthoc Thank you for help and support..!!! :)

We tried without test user, instead of this we just set range of Ids for podman user only.

&& echo podman:1000:1 > /etc/subuid \ && echo podman:1000:5000 > /etc/subgid

This is also working just with below same command.

podman build --isolation=chroot --userns-gid-map-group podman --userns-uid-map-user test -t podman .

[flouthoc]

@sachinkaushik Cheers !!!! Yes this should work with any user including podman. Lets wait for @umohnani8 and @rhatdan to have a look then we can decide if we want to close issue by settling on this solution or should seek a better approach or mark this as a bug to be fixed.