
Is rootless container nested in rootless container possible? #10705

Closed
jpalus opened this issue Jun 17, 2021 · 6 comments
Labels: locked - please file new issue/PR, podman-in-container

Comments

jpalus commented Jun 17, 2021

Actually not even a nested container, but just podman import and podman push inside a rootless container. Every podman command invoked inside the container results in:

Error: cannot setup namespace using newuidmap: exit status 1

If strace is to be believed, that's likely because of:

capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_SETUID, permitted=1<<CAP_SETUID, inheritable=0}) = -1 EPERM (Operation not permitted)

newuidmap has the proper file capabilities.

Also tried with seccomp=unconfined, but still the same result. Anything I might be missing?

mheon (Member) commented Jun 17, 2021 via email

rhatdan (Member) commented Jun 18, 2021

Try using the quay.io/podman/stable image.

$ podman run --security-opt label=disable --user podman quay.io/podman/stable podman run ubi8-micro echo hi
Resolved "ubi8-micro" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8-micro:latest...
Getting image source signatures
Copying blob sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
Copying blob sha256:c07a48b26be2472936706395deb5616e1e6b78f54ed6a8e0d19f1533dcbcd12b
Copying config sha256:f390b26f6a00561dbacfc5991a39a6845ff7968f8d18a319b68cc9c0f97dea73
Writing manifest to image destination
Storing signatures
hi

jpalus (Author) commented Jun 18, 2021

@rhatdan indeed, if the initial container is started like this then it works fine; newuidmap is not spawned then. However, it does not seem to work if the first container is started with full systemd inside. podman import doesn't work either, whether invoked over ssh or run through podman exec into the initial container. Should it work fine when run with systemd as well?

rhatdan (Member) commented Jun 19, 2021

Could you give me a reproducer?

jpalus (Author) commented Jun 19, 2021

I'm on an ARM machine right now, hence the base image is ARM, but swapping the image for your architecture should do:

$ cat Containerfile
FROM docker.io/arm64v8/fedora
RUN yum -y install systemd podman openssh-server passwd
# fix caps
RUN yum -y reinstall shadow-utils
RUN useradd -m test
RUN echo -e 'password\npassword' | passwd test

$ podman build -t fedora-systemd .
...

$ podman run -d --name=systemd-container -p 2222:22 fedora-systemd /sbin/init
...

$ podman exec -u test systemd-container podman info
time="2021-06-19T10:29:37Z" level=warning msg="The cgroupv2 manager is set to systemd but there is no systemd user session available"
time="2021-06-19T10:29:37Z" level=warning msg="For using systemd, you may need to login using an user session"
time="2021-06-19T10:29:37Z" level=warning msg="Alternatively, you can enable lingering with: `loginctl enable-linger 1000` (possibly as root)"
time="2021-06-19T10:29:37Z" level=warning msg="Falling back to --cgroup-manager=cgroupfs"
Error: cannot setup namespace using newuidmap: exit status 1

$ ssh -p 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null test@localhost podman info
Warning: Permanently added '[localhost]:2222' (ED25519) to the list of known hosts.
test@localhost's password: 
Error: cannot setup namespace using newuidmap: exit status 1
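A diagnostic script for the preconditions the failing newuidmap step depends on (CAP_SETUID still in the process bounding set, the cap_setuid file capability on the binary, and a subuid entry for the user), added here as an example and not part of this thread or of podman itself; run it with --run inside the affected container, otherwise it only exercises the subuid parser on a constructed sample. Function names and the sample data are assumptions of this example.

```shell
#!/bin/sh
# Helpers for diagnosing "cannot setup namespace using newuidmap". newuidmap
# relies on a cap_setuid file capability, and file caps can only raise bits
# still in the process bounding set (CapBnd), so check that, the binary's
# caps, and the /etc/subuid entry. Function names are this example's own.

# Return 0 if CAP_SETUID (capability bit 7) is set in a capability mask given
# as the hex string from /proc/<pid>/status, e.g. "00000000a80425fb".
cap_setuid_in_mask() {
    low=$(printf '%s' "$1" | tail -c 2)   # last byte holds bits 0-7
    [ $(( 0x$low & 0x80 )) -ne 0 ]
}

# Read /etc/subuid-style lines on stdin and print the "start count" range
# granted to user $1; return 1 if the user has no entry.
subuid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; found = 1 }
                       END { exit found ? 0 : 1 }'
}

# Live check of the three preconditions for the current user.
diagnose_newuidmap() {
    bnd=$(awk '/^CapBnd:/ { print $2 }' /proc/self/status)
    if cap_setuid_in_mask "$bnd"; then
        echo "CapBnd $bnd: CAP_SETUID present"
    else
        echo "CapBnd $bnd: CAP_SETUID missing, newuidmap's file caps cannot raise it"
    fi
    bin=$(command -v newuidmap) || { echo "newuidmap: not in PATH"; return 1; }
    if command -v getcap >/dev/null 2>&1 && ! getcap "$bin" | grep -q cap_setuid; then
        echo "$bin: no cap_setuid file capability (reinstall shadow-utils)"
    fi
    user=$(id -un)
    if range=$(subuid_range "$user" < /etc/subuid); then
        echo "subuid: $user has range $range"
    else
        echo "subuid: no entry for $user in /etc/subuid"
    fi
}

# Constructed sample of /etc/subuid contents, used when not run with --run.
SAMPLE_SUBUID='test:100000:65536
podman:200000:65536'
if [ "${1:-}" = "--run" ]; then
    diagnose_newuidmap
else
    printf '%s\n' "$SAMPLE_SUBUID" | subuid_range test   # prints "100000 65536"
fi
```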

rhatdan (Member) commented Jul 1, 2021

We have just published https://www.redhat.com/sysadmin/podman-inside-container and https://www.redhat.com/sysadmin/podman-inside-kubernetes.

Please read these and see if they help solve your problem. Reopen if you need more information.

rhatdan closed this as completed Jul 1, 2021
github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023