Closed: leiless closed this issue 4 days ago
First, podman 3.4 is super outdated and we only support the latest version upstream.
However, I do not see how your mapping can ever be valid. Rootless podman already runs inside the user namespace set up according to the subuid/subgid files, so the mapping for the container is relative to this (see podman unshare cat /proc/self/uid_map /proc/self/gid_map). This means $SUBGID_MAP_FROM would actually need to be 1 here.
Sounds like you are trying to do a mapping similar to --userns keep-id:
$ podman run --userns keep-id quay.io/libpod/testimage:20240123 cat /proc/self/uid_map
0 1 1000
1000 0 1
1001 1001 64536
@Luap99 What if the container UID:GID is not the same as the current rootless user's UID:GID?
The --userns keep-id would not work in this way.
You can pass uid,gid to keep-id on newer versions: https://github.com/containers/podman/blob/main/troubleshooting.md#39-podman-run-fails-with-error-unrecognized-namespace-mode-keep-iduid1000gid1000-passed
https://github.com/containers/podman/blob/main/troubleshooting.md#solution-36
# Dockerfile: build an image whose default user is an unprivileged account
# (nonroot, uid/gid 65532) rather than root.
FROM alpine:3.20
ARG NEW_UID=65532
ARG NEW_GID=65532
# shadow is only needed for groupadd/useradd; remove it again afterwards
RUN set -eufxo pipefail && \
    apk add --no-cache shadow && \
    groupadd --gid $NEW_GID nonroot && \
    useradd --create-home --shell /bin/sh --uid $NEW_UID --gid $NEW_GID nonroot && \
    apk del --no-cache shadow
USER nonroot
WORKDIR /home/nonroot
docker build --rm -t local/podman-alpine-regular-user-image .
#!/bin/sh
# Run the image so that the container's nonroot uid/gid (65532) lands on the
# rootless user's own uid/gid (intermediate id 0 inside the podman user
# namespace) and every other container id lands in the subuid/subgid range
# (intermediate ids 1..SUBUID_SIZE). The "outside" column of each --uidmap
# refers to the rootless podman namespace, not to host ids.
CONTAINER_UID=65532
CONTAINER_GID=65532
# size of this user's subuid/subgid range (third field of the matching line)
SUBUID_SIZE=$(grep -w "^$USER" /etc/subuid | cut -d: -f3)
SUBGID_SIZE=$(grep -w "^$USER" /etc/subgid | cut -d: -f3)
set -x
podman run -it --rm \
    -v "$HOME/.local/share":/test \
    -w /test \
    --user $CONTAINER_UID:$CONTAINER_GID \
    --uidmap 0:1:$CONTAINER_UID \
    --uidmap $CONTAINER_UID:0:1 \
    --uidmap $((CONTAINER_UID+1)):$((CONTAINER_UID+1)):$((SUBUID_SIZE-CONTAINER_UID)) \
    --gidmap 0:1:$CONTAINER_GID \
    --gidmap $CONTAINER_GID:0:1 \
    --gidmap $((CONTAINER_GID+1)):$((CONTAINER_GID+1)):$((SUBGID_SIZE-CONTAINER_GID)) \
    local/podman-alpine-regular-user-image
+ podman run -it --rm -v /home/lei/.local/share:/test -w /test --user 65532:65532 --uidmap 0:1:65532 --uidmap 65532:0:1 --uidmap 65533:65533:4 --gidmap 0:1:65532 --gidmap 65532:0:1 --gidmap 65533:65533:4 local/podman-alpine-regular-user-image
/test $ ls -ld man
drwxr-xr-x 3 nonroot nonroot 4096 May 13 01:17 man
/test $ whoami
nonroot
/test $ id -u nonroot
65532
/test $ id -g nonroot
65532
/test $ cat /proc/self/uid_map
0 1 65532
65532 0 1
65533 65533 4
/test $ cat /proc/self/gid_map
0 1 65532
65532 0 1
65533 65533 4
FYI, --user $CONTAINER_UID:$CONTAINER_GID is optional, since we already changed user to nonroot in the Dockerfile, so the default container uid:gid is nonroot:nonroot.
@Luap99 Hi again, after checking the uidmap docs, I still don't understand how those uid/gid mappings work in podman. Especially:
--uidmap 0:1:$CONTAINER_UID \
--uidmap $CONTAINER_UID:0:1 \
--uidmap $((CONTAINER_UID+1)):$((CONTAINER_UID+1)):$((SUBUID_SIZE-CONTAINER_UID)) \
--gidmap 0:1:$CONTAINER_GID \
--gidmap $CONTAINER_GID:0:1 \
--gidmap $((CONTAINER_GID+1)):$((CONTAINER_GID+1)):$((SUBGID_SIZE-CONTAINER_GID)) \
Could you explain this to me? 🥹
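As an added illustration (not code from this thread or from podman), the following Python model composes the two mapping layers Luap99 refers to: the outer layer is the rootless podman user namespace built from /etc/subuid (what podman unshare cat /proc/self/uid_map prints), and the inner layer is the container's --uidmap entries, whose "outside" column refers to that outer namespace rather than to host ids. It assumes the rootless user is uid 1000 with a subuid line of 100000:65536, which the thread does not state; the container map is the one from the working script above (CONTAINER_UID=65532, SUBUID_SIZE=65536). It also checks the rule the kernel enforces on the map: every "outside" id must itself be mapped in the parent namespace, otherwise writing uid_map/gid_map fails with "Operation not permitted", which is the error the issue reports.

```python
"""Compose nested user-namespace ID maps the way rootless podman does.

Layer 1 (outer): the rootless podman user namespace, built from /etc/subuid.
Layer 2 (inner): the container's --uidmap entries, whose "outside" IDs refer
                 to layer 1, not to the host.
"""
from typing import List, Optional, Tuple

Entry = Tuple[int, int, int]  # (inside_start, outside_start, length)


def parse_map(text: str) -> List[Entry]:
    """Parse uid_map/gid_map text: one "inside outside length" per line."""
    entries = []
    for line in text.strip().splitlines():
        inside, outside, length = (int(f) for f in line.split())
        if length <= 0:
            raise ValueError(f"bad length in map entry: {line!r}")
        entries.append((inside, outside, length))
    return entries


def translate(entries: List[Entry], ident: int) -> Optional[int]:
    """Map an ID from this namespace to its parent; None if it is unmapped."""
    for inside, outside, length in entries:
        if inside <= ident < inside + length:
            return outside + (ident - inside)
    return None


def container_to_host(outer: List[Entry], inner: List[Entry], cid: int) -> Optional[int]:
    """Follow a container ID through both layers to the host ID."""
    mid = translate(inner, cid)          # container -> rootless podman namespace
    return None if mid is None else translate(outer, mid)  # -> host


def unmapped_outside(outer: List[Entry], inner: List[Entry]) -> List[Entry]:
    """Return inner entries whose 'outside' range is not fully mapped in outer.

    The kernel refuses such a map (EPERM when writing uid_map/gid_map), which
    the caller sees as 'Operation not permitted'.
    """
    bad = []
    for entry in inner:
        _, outside, length = entry
        if any(translate(outer, i) is None for i in range(outside, outside + length)):
            bad.append(entry)
    return bad


# Constructed outer map (assumption, not from the thread): rootless user is
# uid 1000 and /etc/subuid contains "lei:100000:65536".
ROOTLESS_UID_MAP = parse_map("""
0 1000 1
1 100000 65536
""")

# Inner map from the thread's working script (CONTAINER_UID=65532,
# SUBUID_SIZE=65536), i.e. what `cat /proc/self/uid_map` printed in the container.
CONTAINER_UID_MAP = parse_map("""
0 1 65532
65532 0 1
65533 65533 4
""")

# A map that names the raw host subuid start from inside the rootless
# namespace; those outside ids have no mapping there, so the kernel rejects it.
BROKEN_UID_MAP = parse_map("0 100000 65532")


if __name__ == "__main__":
    for cid in (0, 65531, 65532, 65533, 65536, 65537):
        host = container_to_host(ROOTLESS_UID_MAP, CONTAINER_UID_MAP, cid)
        print(f"container uid {cid:>5} -> host uid {host}")
    print("rejected entries:", unmapped_outside(ROOTLESS_UID_MAP, BROKEN_UID_MAP))
```

Reading the output: container uid 65532 (nonroot) goes to intermediate id 0 and from there to the real host uid 1000, which is why files in the mounted $HOME/.local/share show up as owned by nonroot; container uid 0 goes to intermediate 1 and then to the first subuid; and the third entry's length of SUBUID_SIZE - CONTAINER_UID (4 here) is exactly what is needed to cover the last intermediate ids 65533..65536, since the outer range ends at 65536. The broken map is flagged because it refers to ids that only exist on the host, which is the reason a "from" value of 1 rather than the subuid start is required inside rootless podman.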
Issue Description
When running a simple podman run command, I get an error: Error: writing file /proc/450976/gid_map: Operation not permitted: OCI permission denied.
Steps to reproduce the issue
1. The Dockerfile
2. Build the image
3. Script to run the container
Describe the results you received
Describe the results you expected
I expect the podman container run successfully.
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
Additional information
I'm not using SELinux and AppArmor.