Is podman inside rootless podman possible? open /sys/fs/cgroup/cgroup.subtree_control: permission denied

[acromc]

Hi all and happy new year. I am trying to run podman (currently rootful e.g. sudo podman run -it alpine sh) inside rootless podman. However I am getting the following error

WARN[0000] Failed to add conmon to cgroupfs sandbox cgroup: error creating cgroup path /libpod_parent/conmon: open /sys/fs/cgroup/cgroup.subtree_control: permission denied 
Error: create `/sys/fs/cgroup/libpod_parent`: Permission denied: OCI permission denied

I am already using a volume for /var/lib/containers. Interestingly enough most files in /sys/ and /proc/ are owned by nobody:nogroup, does that have to do anything with the above error? Also the parent (i.e. rootless) container is running with privileged flag so I don't think there are any more permissions to give to the parent container

[rhatdan]

First could you give podman info output.

/sys and /proc ownership is correct since they are owned by root which is not mapped into the user namespace.

[acromc]

/sys and /proc ownership is correct since they are owned by root

Can I know why? doesn't this violate the whole purpose of being rootless where the parent unprivileged user becomes the root of everything inside the new user namespace?

[rhatdan]

Because the Kernel does not allow it, probbaly because of Security risk. We attempt to make your statement correct, within the limits of what we can do as a rootless user.

[rhatdan]

What command are you using to create the rootless podman?

[acromc]

@rhatdan I deeply apologize about the late response.
Here is the output of the outer (i.e. rootless) podman info which is itself running in a privileged k8s container for now

host:
  arch: amd64
  buildahVersion: 1.28.0
  cgroupControllers:
    - cpuset
    - cpu
    - io
    - memory
    - hugetlb
    - pids
    - rdma
    - misc
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.5-r0
    path: /usr/bin/conmon
    version: "conmon version 2.1.5, commit: unknown"
  cpuUtilization:
    idlePercent: 77.06
    systemPercent: 8.86
    userPercent: 14.08
  cpus: 2
  distribution:
    distribution: alpine
    version: 3.17.0
  eventLogger: file
  hostname: myhostname
  idMappings:
    gidmap:
      - container_id: 0
        host_id: 14902
        size: 1
      - container_id: 1
        host_id: 114902
        size: 65536
    uidmap:
      - container_id: 0
        host_id: 14902
        size: 1
      - container_id: 1
        host_id: 114902
        size: 65536
  kernel: 5.15.0-56-generic
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 130424832
  memTotal: 4013912064
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.7.2-r0
    path: /usr/bin/crun
    version: |-
      crun version 1.7.2
      commit: 0356bf4aff9a133d655dc13b1d9ac9424706cac4
      rundir: /tmp/podman-run-14902/crun
      spec: 1.0.0
      +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /tmp/podman-run-14902/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-r0
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 1h 8m 14.00s (Approximately 0.04 days)
plugins:
  authorization: null
  log:
    - k8s-file
    - none
    - passthrough
  network:
    - bridge
    - macvlan
  volume:
    - local
registries:
  search:
    - docker.io
store:
  configFile: /home/myhostname/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/myhostname/.local/share/containers/storage
  graphRootAllocated: 39973924864
  graphRootUsed: 12601896960
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /tmp/podman-run-14902/containers
  volumePath: /home/myhostname/.local/share/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 1670896833
  BuiltTime: Tue Dec 13 02:00:33 2022
  GitCommit: ""
  GoVersion: go1.19.4
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1

And here is the response of the inner (i.e. rootful) sudo podman info

host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
    - cpuset
    - cpu
    - io
    - memory
    - hugetlb
    - pids
    - rdma
    - misc
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: "conmon: /usr/bin/conmon"
    path: /usr/bin/conmon
    version: "conmon version 2.1.3, commit: unknown"
  cpus: 2
  distribution:
    codename: kinetic
    distribution: ubuntu
    version: "22.10"
  eventLogger: file
  hostname: myhostname2
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.15.0-56-generic
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 125763584
  memTotal: 4013912064
  ociRuntime:
    name: crun
    package: "crun: /usr/bin/crun"
    path: /usr/bin/crun
    version: |-
      crun version 1.5
      commit: 54ebb8ca8bf7e6ddae2eb919f5b82d1d96863dea
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: "slirp4netns: /usr/bin/slirp4netns"
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 1h 13m 48.07s (Approximately 0.04 days)
plugins:
  log:
    - k8s-file
    - none
    - journald
  network:
    - bridge
    - macvlan
  volume:
    - local
registries: {}
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.4.4
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.17.3
  OsArch: linux/amd64
  Version: 3.4.4

And here is the output of sudo podman run -it --log-level debug alpine sh in the inner rootful podman

INFO[0000] podman filtering at log level debug          
DEBU[0000] Called run.PersistentPreRunE(podman run -it --log-level debug alpine sh) 
DEBU[0000] Merged system config "/usr/share/containers/containers.conf" 
DEBU[0000] Using conmon: "/usr/bin/conmon"              
DEBU[0000] Initializing boltdb state at /var/lib/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver                           
DEBU[0000] Using graph root /var/lib/containers/storage 
DEBU[0000] Using run root /run/containers/storage       
DEBU[0000] Using static dir /var/lib/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/libpod                    
DEBU[0000] Using volume path /var/lib/containers/storage/volumes 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] cached value indicated that overlay is supported 
DEBU[0000] cached value indicated that metacopy is not being used 
DEBU[0000] cached value indicated that native-diff is not being used 
INFO[0000] Not using native diff for overlay, this may cause degraded performance for building images: failed to set opaque flag on middle layer: lsetxattr /var/lib/containers/storage/overlay/opaque-bug-check2092534520/l2/d: operation not permitted 
DEBU[0000] backingFs=extfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false 
INFO[0000] [graphdriver] using prior storage driver: overlay 
DEBU[0000] Initializing event backend file              
DEBU[0000] configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument 
DEBU[0000] configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument 
DEBU[0000] configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument 
DEBU[0000] Using OCI runtime "/usr/bin/crun"            
INFO[0000] Found CNI network podman (type=bridge) at /etc/cni/net.d/87-podman-bridge.conflist 
DEBU[0000] Default CNI network name podman is unchangeable 
INFO[0000] Setting parallel job count to 7              
DEBU[0000] Pulling image alpine (policy: missing)       
DEBU[0000] Looking up image "alpine" in local containers storage 
DEBU[0000] Trying "alpine" ...                          
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf" 
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/shortnames.conf" 
DEBU[0000] Trying "docker.io/library/alpine:latest" ... 
DEBU[0000] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage]@49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] Found image "alpine" as "docker.io/library/alpine:latest" in local containers storage 
DEBU[0000] Found image "alpine" as "docker.io/library/alpine:latest" in local containers storage ([overlay@/var/lib/containers/storage+/run/containers/storage]@49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da) 
DEBU[0000] Looking up image "docker.io/library/alpine:latest" in local containers storage 
DEBU[0000] Trying "docker.io/library/alpine:latest" ... 
DEBU[0000] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage]@49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] Found image "docker.io/library/alpine:latest" as "docker.io/library/alpine:latest" in local containers storage 
DEBU[0000] Found image "docker.io/library/alpine:latest" as "docker.io/library/alpine:latest" in local containers storage ([overlay@/var/lib/containers/storage+/run/containers/storage]@49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da) 
DEBU[0000] Looking up image "alpine" in local containers storage 
DEBU[0000] Trying "alpine" ...                          
DEBU[0000] Trying "docker.io/library/alpine:latest" ... 
DEBU[0000] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage]@49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] Found image "alpine" as "docker.io/library/alpine:latest" in local containers storage 
DEBU[0000] Found image "alpine" as "docker.io/library/alpine:latest" in local containers storage ([overlay@/var/lib/containers/storage+/run/containers/storage]@49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da) 
DEBU[0000] Inspecting image 49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da 
DEBU[0000] exporting opaque data as blob "sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] exporting opaque data as blob "sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] exporting opaque data as blob "sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] exporting opaque data as blob "sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] Looking up image "alpine" in local containers storage 
DEBU[0000] Trying "alpine" ...                          
DEBU[0000] Trying "docker.io/library/alpine:latest" ... 
DEBU[0000] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage]@49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] Found image "alpine" as "docker.io/library/alpine:latest" in local containers storage 
DEBU[0000] Found image "alpine" as "docker.io/library/alpine:latest" in local containers storage ([overlay@/var/lib/containers/storage+/run/containers/storage]@49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da) 
DEBU[0000] Inspecting image 49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da 
DEBU[0000] exporting opaque data as blob "sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] exporting opaque data as blob "sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] exporting opaque data as blob "sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] exporting opaque data as blob "sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] Inspecting image 49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da 
DEBU[0000] using systemd mode: false                    
DEBU[0000] Adding exposed ports                         
DEBU[0000] No hostname set; container's hostname will default to runtime default 
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json" 
DEBU[0000] Allocated lock 1 for container f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747 
DEBU[0000] parsed reference into "[overlay@/var/lib/containers/storage+/run/containers/storage]@49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] exporting opaque data as blob "sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" 
DEBU[0000] created container "f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747" 
DEBU[0000] container "f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747" has work directory "/var/lib/containers/storage/overlay-containers/f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747/userdata" 
DEBU[0000] container "f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747" has run directory "/run/containers/storage/overlay-containers/f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747/userdata" 
DEBU[0000] Handling terminal attach                     
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] cached value indicated that overlay is supported 
DEBU[0000] cached value indicated that metacopy is not being used 
DEBU[0000] backingFs=extfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false 
DEBU[0000] overlay: mount_data=,lowerdir=/var/lib/containers/storage/overlay/l/VQRHAOWIYF3IKGNBC2TWICBC3A,upperdir=/var/lib/containers/storage/overlay/ea96b06e0b913cf426dbc4a60c4122b1a1c5f85df1561b3a0314338ab7800727/diff,workdir=/var/lib/containers/storage/overlay/ea96b06e0b913cf426dbc4a60c4122b1a1c5f85df1561b3a0314338ab7800727/work 
DEBU[0000] mounted container "f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747" at "/var/lib/containers/storage/overlay/ea96b06e0b913cf426dbc4a60c4122b1a1c5f85df1561b3a0314338ab7800727/merged" 
DEBU[0000] Created root filesystem for container f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747 at /var/lib/containers/storage/overlay/ea96b06e0b913cf426dbc4a60c4122b1a1c5f85df1561b3a0314338ab7800727/merged 
DEBU[0000] Made network namespace at /run/netns/cni-d786954b-ce06-34c7-4162-911372fccc01 for container f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747 
INFO[0000] Got pod network &{Name:nostalgic_mahavira Namespace:nostalgic_mahavira ID:f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747 NetNS:/run/netns/cni-d786954b-ce06-34c7-4162-911372fccc01 Networks:[{Name:podman Ifname:eth0}] RuntimeConfig:map[podman:{IP: MAC: PortMappings:[] Bandwidth:<nil> IpRanges:[]}] Aliases:map[]} 
INFO[0000] Adding pod nostalgic_mahavira_nostalgic_mahavira to CNI network "podman" (type=bridge) 
DEBU[0000] [0] CNI result: &{0.4.0 [{Name:cni-podman0 Mac:52:ff:92:57:6a:35 Sandbox:} {Name:vethd17e956b Mac:4a:99:46:07:5e:70 Sandbox:} {Name:eth0 Mac:fe:3c:1a:3b:df:11 Sandbox:/run/netns/cni-d786954b-ce06-34c7-4162-911372fccc01}] [{Version:4 Interface:0xc000042fd8 Address:{IP:10.88.0.3 Mask:ffff0000} Gateway:10.88.0.1}] [{Dst:{IP:0.0.0.0 Mask:00000000} GW:<nil>}] {[]  [] []}} 
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode subscription 
DEBU[0000] Setting CGroup path for container f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747 to /libpod_parent/libpod-f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747 
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d 
DEBU[0000] Workdir "/" resolved to host path "/var/lib/containers/storage/overlay/ea96b06e0b913cf426dbc4a60c4122b1a1c5f85df1561b3a0314338ab7800727/merged" 
DEBU[0000] Created OCI spec for container f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747 at /var/lib/containers/storage/overlay-containers/f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747/userdata/config.json 
DEBU[0000] /usr/bin/conmon messages will be logged to syslog 
DEBU[0000] running conmon: /usr/bin/conmon               args="[--api-version 1 -c f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747 -u f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747 -r /usr/bin/crun -b /var/lib/containers/storage/overlay-containers/f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747/userdata -p /run/containers/storage/overlay-containers/f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747/userdata/pidfile -n nostalgic_mahavira --exit-dir /run/libpod/exits --full-attach -l k8s-file:/var/lib/containers/storage/overlay-containers/f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747/userdata/ctr.log --log-level debug --syslog -t --conmon-pidfile /run/containers/storage/overlay-containers/f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /var/lib/containers/storage --exit-command-arg --runroot --exit-command-arg /run/containers/storage --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg cgroupfs --exit-command-arg --tmpdir --exit-command-arg /run/libpod --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --events-backend --exit-command-arg file --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747]"
WARN[0000] Failed to add conmon to cgroupfs sandbox cgroup: error creating cgroup path /libpod_parent/conmon: open /sys/fs/cgroup/cgroup.subtree_control: permission denied 
DEBU[0000] Received: -1                                 
DEBU[0000] Cleaning up container f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747 
DEBU[0000] Tearing down network namespace at /run/netns/cni-d786954b-ce06-34c7-4162-911372fccc01 for container f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747 
INFO[0000] Got pod network &{Name:nostalgic_mahavira Namespace:nostalgic_mahavira ID:f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747 NetNS:/run/netns/cni-d786954b-ce06-34c7-4162-911372fccc01 Networks:[{Name:podman Ifname:eth0}] RuntimeConfig:map[podman:{IP: MAC: PortMappings:[] Bandwidth:<nil> IpRanges:[]}] Aliases:map[]} 
INFO[0000] Deleting pod nostalgic_mahavira_nostalgic_mahavira from CNI network "podman" (type=bridge) 
DEBU[0000] unmounted container "f78986b5fde2e41edd68f5908769323f00e7757b6e2e6a12e0d33772a420b747" 
DEBU[0000] ExitCode msg: "[conmon:d]: failed to write to /proc/self/oom_score_adj: permission denied\n\ncreate `/sys/fs/cgroup/libpod_parent`: permission denied: oci permission denied" 
Error: [conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied

create `/sys/fs/cgroup/libpod_parent`: Permission denied: OCI permission denied

[rhatdan]

@giuseppe PTAL

[giuseppe]

you need to have a writeable cgroup. I don't think we have a way to set it writeable, but we do it when the systemd mode is used.
Could you try adding --systemd=always to the command line? Does it bring you farther?

[acromc]

@giuseppe Thanks. I did try set --systemd=always for the outer rootless container and the inner rootful container worked perfectly when running the outer rootless container inside a privileged docker container on my machine. However I still got the same error when I run the outer rootless container inside a k8s privileged container. Is there an explanation for this?

[acromc]

Are you using cgroupv1 or cgroupv2 for k8s?

cgroups2 nodes

How does the cgroup configuration look like inside the k8s pod?

What do you mean by cgroup config? k8s API doesn't expose cgoups directly afaik (see container API if you're intrested). I am just using privileged k8s containers to bypass any restrictions altogether.

[acromc]

Also

just for me to understand, are you planning to run nested podman inside of a k7s privileged container?

Yes.

[giuseppe]

What do you mean by cgroup config? k8s API doesn't expose cgoups directly afaik (see container API if you're intrested). I am just using privileged k8s containers to bypass any restrictions altogether.

so the cgroup must be writeable. Is the cgroup file system writeable inside the k8s privileged pod?

[acromc]

@giuseppe I don't understand, if the inner rootful podman cannot run because the cgroup fs is read only in the k8s container, how did the outer rootless podman run without an issue in the first place? wouldn't this error occur in the outer rootless podman also since it is running inside the k8s container?

[giuseppe]

not really sure what is going on, I've never tried running Podman in such a configuration with two nested containers.