Open Zivodor opened 1 month ago
podman-compose is a different repo. If you have a simple reproducer for this with straight podman that would be very helpful, otherwise this issue should be transferred to podman-compose.
Regardless of whether I use podman or podman-compose it fails with the same error. I ran the compose with debug, extracted the command it had generated and tried running it manually and it resulted in the same error.
A full system reset for the root user and the rootless podman user did temporarily resolve the issue for me. I believe it's related to quadlets as I had created a .container file for my Wireguard container, and after disabling that I stopped running into the issue.
I also tried just calling podman pull against the image and it resulted in the same error.
@giuseppe PTAL
can you share the result of:
podman unshare cat /proc/self/uid_map
does it reflect the configuration you've in etc/subuid? If not, please run podman system migrate and try again, do you still get the same output?
podman@project-hydra:~$ podman unshare cat /proc/self/uid_map
0 1001 1
1 165536 65536
It is as expected. I should also note that it is not a subset of packages like I originally believed. When trying to resolve the issue I performed a podman system reset, which resolved it. After that, I enabled my wireguard.container service and tried to pull down an image that had previously worked, but it got the same error.
After I stopped the service, disabled it, then did another system reset, I was able to pull all the images successfully. As soon as I enable that service I start to get this issue persistently until I reset it. I am going to share that as well:
[Container]
AddCapability=NET_ADMIN NET_RAW
ContainerName=wireguard
Environment=SERVERURL=[Correct Local Ip] SERVERPORT=[Correct Port] PEERS=# PEERDNS=auto INTERNAL_SUBNET=10.10.0.0/24
GIDMap=0:1:50
Image=docker.io/linuxserver/wireguard
Label=io.podman.compose.config-hash=4a0e91e3ad5f9fcf67930731fbf4d771c1b5f0f38ea6c5811c12c502c1304d21 io.podman.compose.project=wireguard io.podman.compose.version=1.1.0 PODMAN_SYSTEMD_UNIT=podman-compose@wireguard.service com.docker.compose.project=wireguard com.docker.compose.project.working_dir=/home/podman/appdata/wireguard com.docker.compose.project.config_files=podman-compose.yml com.docker.compose.container-number=1 com.docker.compose.service=wireguard
Network=wireguard-network
PublishPort=[Correct Port]:51820/udp
Sysctl=net.ipv4.conf.all.src_valid_mark=1 net.ipv4.conf.all.forwarding=1
UIDMap=0:1:50
Volume=/home/podman/appdata/wireguard/config:/config:Z
[Service]
Restart=always
[Install]
WantedBy=default.target
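The comparison requested above can be done mechanically. The following is an added example, not part of the thread and not podman's own code: it resolves a container ID through the uid_map output and the UIDMap=0:1:50 value posted here, treating the UIDMap from_id as an ID in the rootless user namespace. It shows which container IDs each mapping covers; it does not establish the cause of the pull failure.

```python
# Added example. Sample values are copied from this thread.
UID_MAP_OUTPUT = "0 1001 1\n1 165536 65536\n"  # podman unshare cat /proc/self/uid_map
QUADLET_UIDMAP = "0:1:50"                      # UIDMap= from the wireguard .container file


def parse_proc_map(text):
    """Parse uid_map lines 'inside_id outside_id length' into int tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def parse_uidmap_option(value):
    """Parse 'container_id:from_id[:amount]'; amount defaults to 1.
    Assumption: plain numeric fields, no flag prefixes."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 2:
        parts.append(1)
    if len(parts) != 3:
        raise ValueError(f"malformed UIDMap value: {value!r}")
    return tuple(parts)


def translate(ranges, ident):
    """Return the outer ID for ident, or None if no range covers it."""
    for inside, outside, length in ranges:
        if inside <= ident < inside + length:
            return outside + (ident - inside)
    return None


def resolve(ident, *layers):
    """Translate ident through each mapping layer, innermost first."""
    for ranges in layers:
        if ident is None:
            return None
        ident = translate(ranges, ident)
    return ident


if __name__ == "__main__":
    rootless = parse_proc_map(UID_MAP_OUTPUT)
    container = [parse_uidmap_option(QUADLET_UIDMAP)]
    for cid in (0, 49, 50, 1000):
        print(cid, "default:", translate(rootless, cid),
              "with UIDMap:", resolve(cid, container, rootless))
```

With the default rootless map, ID 1000 resolves to a host ID inside the subuid range; with UIDMap=0:1:50 only container IDs 0 through 49 resolve at all.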
Alright, I don't think it has anything to do with my .container file. I am running into the issue with or without that file there.
I'm fairly new to all this stuff, but at the very least I can tell you that a full podman system reset does not reliably fix it. I had to delete the /home/podman/.local/share/containers/ directory in order to resolve the issue while testing today.
I believe I am also running into the same or similar issue. I am running Fedora Server and have set up a few quadlets to run services as rootless containers. I also use UIDMap to keep the mappings across containers disjoint. Today, I was trying to update my audiobookshelf service and pull the updated image. Initially, I updated the quadlet file to use the new image, but restarting the service was failing with the "processing tar file(container ID 1000 cannot be mapped to a host ID): exit status 1" error. I thought that meant I needed to update my UIDMap in some way, but I couldn't get it to work. Finally, I tried to simply pull the image and that also creates the error:
$ podman pull ghcr.io/advplyr/audiobookshelf:2.10.1
Trying to pull ghcr.io/advplyr/audiobookshelf:2.10.1...
Getting image source signatures
Copying blob 60dba4733d48 done |
Copying blob e376fac3bde8 done |
Copying blob a5edbc7b296b done |
Copying blob b404b3c3a52d done |
Copying blob d25f557d7f31 skipped: already exists
Copying blob 549237b48d78 done |
Copying blob 579ced6f4ee6 done |
Copying blob 0f5e4b3bfe3a done |
Copying blob 017d1384d304 done |
Copying blob 6a5424a2a7f4 done |
Copying blob 2b7b2cbf90bf done |
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:a5edbc7b296b518501cd1ac08999e0e4e399c55370bbbf7b1369503bbeb8957c": processing tar file(container ID 1000 cannot be mapped to a host ID): exit status 1
I've found that this also happens on image version 2.10.0, but 2.9.0 is able to successfully pull.
Issue Description
When attempting to create containers for some images the command fails with the error:
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:9f16480e2ff54481cb1ea1553429bf399e8269985ab0dec5b5af6f55ea747d3f": processing tar file(container ID 1000 cannot be mapped to a host ID): exit status 1
Steps to reproduce the issue
Describe the results you received
You can see the logs here
Describe the results you expected
Dashy should be pulled down and started successfully.
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
No response
Additional information
I am setting up my first home server on Debian 12.5. I have updated my deps to allow me to use the latest podman and podman-compose. As a part of that process I have set myself some semi-arbitrary security rules, not for any one specific reason more so for the learning experience and to get myself immersed in resolving issues. Some of these rules (and the ones I think are the likely culprits) are:
1) All containers must be run rootlessly, no exceptions
2) All services must only be accessible through Wireguard VPN
3) All services must use subuids and subgids
So far, this has been going... well. I have these services running and working well in rootless containers:
I am able to connect to my VPN and am able to navigate to my services using the urls configured in Caddy (using self-signed certificates) and everything just works.
The next phase of this was to set up a dashboard service as I have this oldish touchscreen all-in-one PC that I plan to use as a sort of terminal in my kitchen. I looked at these possibilities, of which all of them result in the above error when I try to pull them.
When I try to create any of these, whether through podman directly or through podman-compose, it fails with the error:
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:9f16480e2ff54481cb1ea1553429bf399e8269985ab0dec5b5af6f55ea747d3f": processing tar file(container ID 1000 cannot be mapped to a host ID): exit status 1
This is my compose file:
My subuid and subgid files look like this:
In every compose file I have specified a uidmap using x-podman. This has worked for everything so far. I have tried adding/removing this option from the dashy config and it did not change anything.