containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

systemd-homed user on xfs: Error processing tar file(exit status 1) #14203

Closed felix2908 closed 2 years ago

felix2908 commented 2 years ago

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Steps to reproduce the issue:

  1. Create a systemd-homed account on an xfs filesystem as a directory:

```
$ homectl inspect felix
   User name: felix
       State: active
 Disposition: regular
 Last Change: Wed 2022-05-11 19:51:21 CEST
 Last Passw.: Thu 2022-04-14 22:27:32 CEST
    Login OK: yes
 Password OK: yes
         UID: 60001
         GID: 60001 (felix)
 Aux. Groups: wheel
   Real Name: Felix
   Directory: /home/felix
     Storage: directory (no encryption)
  Image Path: /home/felix.homedir
   Removable: no
       Shell: /bin/bash
 Mount Flags: suid dev exec
   Disk Size: 99.9G
   Disk Free: 85.0G (= 85.0%)
  Disk Floor: 5.0M
Disk Ceiling: 5.0T
  Good Auth.: 381
   Last Good: Wed 2022-05-11 19:51:23 CEST
   Bad Auth.: 390
    Last Bad: Wed 2022-05-11 19:51:21 CEST
    Next Try: anytime
 Auth. Limit: 30 attempts per 1min
   Passwords: 1
  Local Sig.: yes
     Service: io.systemd.Home
$ cat /etc/subuid
dev:100000:65536
felix:600000:65536
$ cat /etc/subgid
dev:100000:65536
felix:600000:65536
```

  2. Try to pull the fedora-toolbox image.

  3. It fails on a systemd-homed account.

Describe the results you received:

```
$ podman pull registry.fedoraproject.org/fedora-toolbox:36
Trying to pull registry.fedoraproject.org/fedora-toolbox:36...
Getting image source signatures
Copying blob 0646506641be done
Copying blob 0b4379796b67 done
Error: writing blob: adding layer with blob "sha256:0b4379796b67bc456d46545bc18b429bf595776234968da435c9227cc1249bce": Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 0:12 for /var/spool/mail): Check /etc/subuid and /etc/subgid if configured locally and run podman-system-migrate: lchown /var/spool/mail: invalid argument
```

Describe the results you expected:

On my (dev) normal Unix account it works. On my (felix) systemd-homed account it fails.

Additional information you deem important (e.g. issue happens only occasionally):

Output of `podman version`:

```
$ podman version
Client:       Podman Engine
Version:      4.1.0
API Version:  4.1.0
Go Version:   go1.18.1
Git Commit:   e4b03902052294d4f342a185bb54702ed5bed8b1
Built:        Fri May  6 20:18:30 2022
OS/Arch:      linux/amd64
```

Output of `podman info --debug`:

```
$ podman info --debug
host:
  arch: amd64
  buildahVersion: 1.26.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.0-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.0, commit: bdb4f6e56cd193d40b75ffc9725d4b74a18cb33c'
  cpuUtilization:
    idlePercent: 98.56
    systemPercent: 0.3
    userPercent: 1.13
  cpus: 16
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: arch
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 60001
      size: 1
    - container_id: 1
      host_id: 600000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 60001
      size: 1
    - container_id: 1
      host_id: 600000
      size: 65536
  kernel: 5.17.5-arch1-2
  linkmode: dynamic
  logDriver: journald
  memFree: 28994682880
  memTotal: 33645297664
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.4.5-1
    path: /usr/bin/crun
    version: |-
      crun version 1.4.5
      commit: c381048530aa750495cf502ddb7181f2ded5b400
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/60001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.0-1
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 17179860992
  swapTotal: 17179860992
  uptime: 1h 2m 38.44s (Approximately 0.04 days)
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/felix/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/felix/.local/share/containers/storage
  graphRootAllocated: 107321753600
  graphRootUsed: 15988015104
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/user/60001/containers
  volumePath: /home/felix/.local/share/containers/storage/volumes
version:
  APIVersion: 4.1.0
  Built: 1651861110
  BuiltTime: Fri May  6 20:18:30 2022
  GitCommit: e4b03902052294d4f342a185bb54702ed5bed8b1
  GoVersion: go1.18.1
  Os: linux
  OsArch: linux/amd64
  Version: 4.1.0
```

Package info (e.g. output of `rpm -q podman` or `apt list podman`):

```
$ pacman -Qi podman
Name            : podman
Version         : 4.1.0-1
Description     : Tool and library for running OCI-based containers in pods
Architecture    : x86_64
URL             : https://github.com/containers/podman
Licenses        : Apache
Groups          : None
Provides        : None
Depends On      : conmon  containers-common  crun  iptables
                  libdevmapper.so=1.02-64  libgpgme.so=11-64
                  libseccomp.so=2-64  slirp4netns
Optional Deps   : apparmor: for AppArmor support
                  btrfs-progs: support btrfs backend devices [installed]
                  netavark: for a new container-network-stack implementation
                  [installed]
                  podman-compose: for docker-compose compatibility
                  podman-docker: for Docker-compatible CLI
Required By     : toolbox
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 63,26 MiB
Packager        : David Runge <dvzrv@archlinux.org>
Build Date      : Fr 06 Mai 2022 20:18:30 CEST
Install Date    : Mo 09 Mai 2022 12:51:56 CEST
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature
```

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

Luap99 commented 2 years ago

@giuseppe PTAL

giuseppe commented 2 years ago

systemd-homed already runs in a user namespace. Could you share the output of `cat /proc/self/uid_map`?

felix2908 commented 2 years ago

```
[felix@arch ~]$ cat /proc/self/uid_map
         0          0 4294967295
```

giuseppe commented 2 years ago

Thanks. What does the user namespace created by Podman look like? You can check it with `podman unshare cat /proc/self/uid_map`.

felix2908 commented 2 years ago

```
[felix@arch ~]$ podman unshare cat /proc/self/uid_map
         0      60001          1
         1     600000      65536
```

giuseppe commented 2 years ago

Thanks.

Do you get any error if you try the following command?

```
podman unshare sh -c 'mkdir ~/.local/share/containers/storage/test; chown 0:12 ~/.local/share/containers/storage/test'
```

felix2908 commented 2 years ago

```
[felix@arch ~]$ podman unshare sh -c 'mkdir ~/.local/share/containers/storage/test; chown 0:12 ~/.local/share/containers/storage/test'
chown: changing ownership of '/home/felix/.local/share/containers/storage/test': Invalid argument
```

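The maintainer's check above is whether the `0:12` that the tar layer requests for `/var/spool/mail` is even representable in the rootless user namespace. As an added example (not code from this thread or from Podman), the parser below walks the `/proc/<pid>/uid_map` / `gid_map` table and resolves container ids to host ids; the sample tables are constructed from the output felix2908 posted, and `gid_map` is assumed to equal `uid_map` as `podman info` shows.

```python
"""Resolve container uid/gid values through a /proc/<pid>/uid_map style table."""
from typing import List, Optional, Tuple

# Constructed sample: the table felix2908 got from `podman unshare cat /proc/self/uid_map`.
# Assumption: gid_map is identical (podman info above lists the same ranges for both).
PODMAN_UID_MAP = """\
         0      60001          1
         1     600000      65536
"""
PODMAN_GID_MAP = PODMAN_UID_MAP
# Constructed sample: the host session's own map, the full identity range.
HOST_UID_MAP = "         0          0 4294967295\n"

Entry = Tuple[int, int, int]  # (container_start, host_start, length)


def parse_id_map(text: str) -> List[Entry]:
    """Parse the three-column format the kernel uses for uid_map and gid_map."""
    entries: List[Entry] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        start, host, length = (int(f) for f in fields)
        entries.append((start, host, length))
    return entries


def to_host_id(entries: List[Entry], container_id: int) -> Optional[int]:
    """Host id behind container_id, or None when the id is outside every mapped range
    (the kernel then rejects chown to that id with EINVAL)."""
    for c_start, h_start, length in entries:
        if c_start <= container_id < c_start + length:
            return h_start + (container_id - c_start)
    return None


def check_owner(uid_map: str, gid_map: str, uid: int, gid: int) -> dict:
    """Report whether a requested uid:gid (e.g. 0:12 from the image layer) is mapped."""
    host_uid = to_host_id(parse_id_map(uid_map), uid)
    host_gid = to_host_id(parse_id_map(gid_map), gid)
    return {"uid": uid, "host_uid": host_uid, "gid": gid, "host_gid": host_gid,
            "mapped": host_uid is not None and host_gid is not None}


if __name__ == "__main__":
    print(check_owner(PODMAN_UID_MAP, PODMAN_GID_MAP, 0, 12))
```

With this table `0:12` resolves to host `60001:600011`, so both ids sit inside the configured subuid/subgid ranges; that is why the `chown` failing with `Invalid argument` points at the environment rather than at a missing range in `/etc/subuid` or `/etc/subgid`.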
giuseppe commented 2 years ago

I don't think there is anything we can do from the Podman side to work in such an environment. You might want to try `ignore_chown_errors = "true"` in `storage.conf`, but that affects how images are stored, since all the files are owned by root.

felix2908 commented 2 years ago

thx for your help!