Rootless podman with quadlet: newuidmap: write to uid_map failed: Operation not permitted

[andry-dev]

Issue Description

I am running some rootless containers using quadlet under an user kosuzu (uid=1001).
After executing devsec's os_hardening role and updating to Fedora 39, they won't start under systemd anymore with the following error:

level=error msg="running `/usr/bin/newuidmap 10979 0 1001 1 1 589824 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
level=error msg="invalid internal status, try resetting the pause process with \"/usr/bin/podman system migrate\": cannot set up namespace using \"/usr/bin/newuidmap\": exit status 1"

Using podman from the shell works.
The shell is setup after SSH by running sudo -u kosuzu -s and then export XDG_RUNTIME_DIR=/run/user/$(id -u).

Neither running podman system migrate nor podman system reset inside the shell setup as above, or via systemd-run, resolve the issue:

# systemd-run --machine=kosuzu@ --quiet --user --collect --pipe --wait podman --log-level debug system migrate
INFO[0000] podman filtering at log level debug
DEBU[0000] Called migrate.PersistentPreRunE(podman --log-level debug system migrate)
DEBU[0000] Using conmon: "/usr/bin/conmon"
INFO[0000] Using sqlite as database backend
DEBU[0000] systemd-logind: Unknown object '/'.
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /home/kosuzu/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1001/containers
DEBU[0000] Using static dir /home/kosuzu/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1001/libpod/tmp
DEBU[0000] Using volume path /home/kosuzu/.local/share/containers/storage/volumes
DEBU[0000] Using transient store: false
DEBU[0000] Not configuring container store
DEBU[0000] Initializing event backend journald
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument
DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument
DEBU[0000] Using OCI runtime "/usr/bin/crun"
INFO[0000] Setting parallel job count to 13
INFO[0000] Stopping all containers

I am not entirely sure it is a fault of the role, since I also updated to Fedora 39 in the meantime. The best guess I have right now is that, since the shell environment works fine, I have a broken configuration and/or a permission issue related to systemd's environment.

Thank you in advance for your help.

Steps to reproduce the issue

Steps to reproduce the issue

1. Create some quadlet definitions:

   ~/.config/containers/szn-caddy.container

   [Unit]
    Description=Caddy
   [Container]
   
   Image=docker.io/library/caddy:2.7-alpine
   
   # Omitting irrelevant settings
   
   GlobalArgs=--log-level debug
   [Service]
   
   Restart=on-failure
   
   # Before everything broke, the services ran fine with these hardening options:
   
   #PrivateHome=yes
   
   #PrivateMounts=yes
   
   #PrivateTmp=yes
   
   #ProtectKernelTunables=yes
   
   #LockPersonality=yes
   
   #ProtectSystem=strict
   
   #ProtectProc=invisible
   
   #SystemCallArchitectures=native
   
   #MemoryDenyWriteExecute=yes
   
   ReadWritePaths=# Some paths for caddy...
   
   ReadOnlyPaths=<home dir>/.config/containers/storage.conf # Other paths for caddy...
   [Install]
   
   WantedBy=multi-user.target default.target
   
   

   ~/.config/containers/szn-homeassistant.container

   [Unit]
    Description=Homeassistant
   [Container]
   
   Image=docker.io/homeassistant/home-assistant
   
   # Omitting irrelevant settings
   
   AddDevice=/dev/ttyUSB0:/dev/ttyUSB0:rw
   
   PodmanArgs=--group-add keep-groups
   
   GlobalArgs=--log-level debug
   [Service]
   
   Restart=on-failure
   
   ReadWritePaths=# Paths for HA...
   
   # The other hardening options, same as caddy's, are removed for brevity and because they don't change the result.
   [Install]
   
   WantedBy=multi-user.target default.target
   
   

2. (Maybe?) Apply devsec.hardening.os_hardening role as such:

   - role: devsec.hardening.os_hardening
     vars:
       hidepid_option: 0
       sysctl_overwrite:
         net.ipv4.ip_forward: 1
         net.ipv6.conf.all.forwarding: 1

3. Reboot and start the containers:

   systemctl --user daemon-reload
   systemctl --user start szn-caddy szn-homeassistant
   

Describe the results you received

From journalctl:

szn-caddy.service

Feb 19 10:30:56 hatate systemd[1196]: Starting szn-caddy.service - Caddy for SZN...
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=warning msg="The storage 'driver' option should be set in /home/kosuzu/.config/containers/storage.conf. A driver was picked automatically."
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=info msg="/usr/bin/podman filtering at log level debug"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Called run.PersistentPreRunE(/usr/bin/podman --log-level debug run --name=systemd-szn-caddy --cidfile=/run/user/1001/szn-caddy.cid --replace --rm --cgroups=split --network=systemd-szn-public --sdnotify=conmon -d -v /home/kosuzu/.local/share/szn/caddy/Caddyfile:/etc/caddy/Caddyfile:ro,Z -v /home/kosuzu/.local/share/szn/caddy/data:/data:Z -v /home/kosuzu/.local/share/szn/caddy/config:/config:Z --label io.containers.autoupdate=registry --publish 8080:80 --publish 4430:443 --publish 4430:443/udp docker.io/library/caddy:2.7-alpine)"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using conmon: \"/usr/bin/conmon\""
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=info msg="Using sqlite as database backend"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="systemd-logind: Unknown object '/'."
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using graph driver overlay"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using graph root /home/kosuzu/.local/share/containers/storage"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using run root /run/user/1001/containers"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using static dir /home/kosuzu/.local/share/containers/storage/libpod"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using tmp dir /run/user/1001/libpod/tmp"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using volume path /home/kosuzu/.local/share/containers/storage/volumes"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using transient store: false"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Not configuring container store"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Initializing event backend journald"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using OCI runtime \"/usr/bin/crun\""
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=info msg="Setting parallel job count to 13"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=error msg="running `/usr/bin/newuidmap 12568 0 1001 1 1 589824 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
Feb 19 10:30:56 hatate szn-caddy[12559]: time="2024-02-19T10:30:56+01:00" level=error msg="invalid internal status, try resetting the pause process with \"/usr/bin/podman system migrate\": cannot set up namespace using \"/usr/bin/newuidmap\": exit status 1"
Feb 19 10:30:56 hatate systemd[1196]: szn-caddy.service: Main process exited, code=exited, status=1/FAILURE
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=warning msg="The storage 'driver' option should be set in /home/kosuzu/.config/containers/storage.conf. A driver was picked automatically."
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=info msg="/usr/bin/podman filtering at log level debug"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Called rm.PersistentPreRunE(/usr/bin/podman --log-level debug rm -v -f -i --cidfile=/run/user/1001/szn-caddy.cid)"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using conmon: \"/usr/bin/conmon\""
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=info msg="Using sqlite as database backend"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="systemd-logind: Unknown object '/'."
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using graph driver overlay"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using graph root /home/kosuzu/.local/share/containers/storage"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using run root /run/user/1001/containers"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using static dir /home/kosuzu/.local/share/containers/storage/libpod"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using tmp dir /run/user/1001/libpod/tmp"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using volume path /home/kosuzu/.local/share/containers/storage/volumes"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using transient store: false"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Not configuring container store"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Initializing event backend journald"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=debug msg="Using OCI runtime \"/usr/bin/crun\""
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=info msg="Setting parallel job count to 13"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=error msg="running `/usr/bin/newuidmap 12581 0 1001 1 1 589824 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
Feb 19 10:30:56 hatate szn-caddy[12571]: time="2024-02-19T10:30:56+01:00" level=error msg="invalid internal status, try resetting the pause process with \"/usr/bin/podman system migrate\": cannot set up namespace using \"/usr/bin/newuidmap\": exit status 1"
Feb 19 10:30:56 hatate systemd[1196]: szn-caddy.service: Failed with result 'exit-code'.
Feb 19 10:30:56 hatate systemd[1196]: Failed to start szn-caddy.service - Caddy for SZN.

szn-homeassistant.service

Feb 19 10:27:56 hatate systemd[1196]: Starting szn-homeassistant.service - Homeassistant for SZN...
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=warning msg="The storage 'driver' option should be set in /home/kosuzu/.config/containers/storage.conf. A driver was picked automatically."
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=info msg="/usr/bin/podman filtering at log level debug"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Called run.PersistentPreRunE(/usr/bin/podman run --name=systemd-szn-homeassistant --cidfile=/run/user/1001/szn-homeassistant.cid --replace --rm --cgroups=split --network=systemd-szn-public --sdnotify=conmon -d --device=/dev/ttyUSB0:/dev/ttyUSB0:rw -v /home/kosuzu/.local/share/szn/homeassistant/config:/config:Z --label io.containers.autoupdate=registry --group-add keep-groups --log-level debug docker.io/homeassistant/home-assistant)"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Using conmon: \"/usr/bin/conmon\""
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=info msg="Using sqlite as database backend"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="systemd-logind: Unknown object '/'."
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Using graph driver overlay"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Using graph root /home/kosuzu/.local/share/containers/storage"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Using run root /run/user/1001/containers"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Using static dir /home/kosuzu/.local/share/containers/storage/libpod"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Using tmp dir /run/user/1001/libpod/tmp"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Using volume path /home/kosuzu/.local/share/containers/storage/volumes"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Using transient store: false"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Not configuring container store"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Initializing event backend journald"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=debug msg="Using OCI runtime \"/usr/bin/crun\""
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=info msg="Setting parallel job count to 13"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=error msg="running `/usr/bin/newuidmap 12183 0 1001 1 1 589824 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
Feb 19 10:27:57 hatate szn-homeassistant[12174]: time="2024-02-19T10:27:57+01:00" level=error msg="invalid internal status, try resetting the pause process with \"/usr/bin/podman system migrate\": cannot set up namespace using \"/usr/bin/newuidmap\": exit status 1"
Feb 19 10:27:57 hatate systemd[1196]: szn-homeassistant.service: Main process exited, code=exited, status=1/FAILURE
Feb 19 10:27:57 hatate szn-homeassistant[12186]: time="2024-02-19T10:27:57+01:00" level=warning msg="The storage 'driver' option should be set in /home/kosuzu/.config/containers/storage.conf. A driver was picked automatically."
Feb 19 10:27:57 hatate szn-homeassistant[12186]: time="2024-02-19T10:27:57+01:00" level=error msg="running `/usr/bin/newuidmap 12196 0 1001 1 1 589824 65536`: newuidmap: write to uid_map failed: Operation not permitted\n"
Feb 19 10:27:57 hatate szn-homeassistant[12186]: time="2024-02-19T10:27:57+01:00" level=error msg="invalid internal status, try resetting the pause process with \"/usr/bin/podman system migrate\": cannot set up namespace using \"/usr/bin/newuidmap\": exit status 1"
Feb 19 10:27:57 hatate systemd[1196]: szn-homeassistant.service: Failed with result 'exit-code'.
Feb 19 10:27:57 hatate systemd[1196]: Failed to start szn-homeassistant.service - Homeassistant for SZN.

Describe the results you expected

Before running the role and updating to F39 the services ran fine, including when running with the hardening options shown in Caddy's container definition.

podman info output

host:
  arch: amd64
  buildahVersion: 1.33.3
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.8-2.fc39.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.8, commit: '
  cpuUtilization:
    idlePercent: 99.58
    systemPercent: 0.24
    userPercent: 0.18
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: server
    version: "39"
  eventLogger: journald
  freeLocks: 2048
  hostname: hatate
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 589824
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 589824
      size: 65536
  kernel: 6.7.4-200.fc39.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 524640256
  memTotal: 3912228864
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.10.0-1.fc39.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.10.0
    package: netavark-1.10.3-1.fc39.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun-1.14-1.fc39.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.14
      commit: 667e6ebd4e2442d39512e63215e79d693d0780aa
      rundir: /run/user/1001/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20231230.gf091893-1.fc39.x86_64
    version: |
      pasta 0^20231230.gf091893-1.fc39.x86_64-pasta
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1001/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-1.fc39.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 3910660096
  swapTotal: 3911184384
  uptime: 12h 5m 39.00s (Approximately 0.50 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/kosuzu/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/kosuzu/.local/share/containers/storage
  graphRootAllocated: 126314610688
  graphRootUsed: 3571007488
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/user/1001/containers
  transientStore: false
  volumePath: /home/kosuzu/.local/share/containers/storage/volumes
version:
  APIVersion: 4.9.0
  Built: 1706090847
  BuiltTime: Wed Jan 24 11:07:27 2024
  GitCommit: ""
  GoVersion: go1.21.6
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.0

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

newuidmap and newgidmap have the correct capabilities:

$ getcap /usr/bin/newuidmap
/usr/bin/newuidmap cap_setuid=ep
$ getcap /usr/bin/newgidmap
/usr/bin/newgidmap cap_setgid=ep

They don't have suid bit set.

Here follows the contents of /etc/subuid and /etc/subgid:

$ grep . /etc/subuid /etc/subgid
/etc/subuid:andry:524288:65536
/etc/subuid:kosuzu:589824:65536
/etc/subgid:andry:524288:65536
/etc/subgid:kosuzu:589824:65536

The mounts inside /run have nosuid set, but this behaviour is the same as my desktop computer, which has not run the os_hardening role and is also on F39.

# mount
/dev/mapper/luks-da717b96-ffac-4475-9479-c1e4046dd9cf on / type btrfs (rw,relatime,seclabel,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=256,subvol=/root)
devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,seclabel,size=4096k,nr_inodes=471110,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,seclabel,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=764108k,nr_inodes=819200,mode=755,inode64)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=34,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=5537)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,seclabel,pagesize=2M)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime,seclabel)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,seclabel)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,nr_inodes=1048576,inode64)
/dev/nvme0n1p2 on /boot type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/nvme0n1p1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/1001 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=382052k,nr_inodes=95513,mode=700,uid=1001,gid=1001,inode64)
/dev/mapper/luks-da717b96-ffac-4475-9479-c1e4046dd9cf on /var/lib/containers/storage/overlay type btrfs (rw,relatime,seclabel,compress=zstd:1,ssd,discard=async,space_cache=v2,subvolid=256,subvol=/root)
tmpfs on /run/netns type tmpfs (rw,nodev,seclabel,size=764108k,nr_inodes=819200,mode=755,inode64)
shm on /var/lib/containers/storage/overlay-containers/540c3786da9b91e8990f00b53a8d89b6d9ce210fe7ca2424d0a1f12fa17d5e38/userdata/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,context="system_u:object_r:container_file_t:s0:c425,c561",size=64000k,inode64)
nsfs on /run/netns/netns-074eee77-7300-9761-ff89-a3fb658f3107 type nsfs (rw)
nsfs on /run/netns/netns-074eee77-7300-9761-ff89-a3fb658f3107 type nsfs (rw)
overlay on /var/lib/containers/storage/overlay/f28afe4ab2dc806e22f23a1b6cbfd4f44f01e641417169870b84314ac4919bbe/merged type overlay (rw,nodev,relatime,context="system_u:object_r:container_file_t:s0:c425,c561",lowerdir=/var/lib/containers/storage/overlay/l/RRJKBGNPYA7BNWWN5L46W6MEDD:/var/lib/containers/storage/overlay/l/NUMDJCKXUIVWE2ZUQCSUNK622A:/var/lib/containers/storage/overlay/l/6W3OLHL3IQCQRXBWDGXL7VLZF7:/var/lib/containers/storage/overlay/l/YBOZLT65NC7UEPBP64MQFBLFH6:/var/lib/containers/storage/overlay/l/NEHWS72CD6AKBSUFQ6HANF2I7C:/var/lib/containers/storage/overlay/l/DD7LPMR47KFVUEPDX6MZG6D3YE,upperdir=/var/lib/containers/storage/overlay/f28afe4ab2dc806e22f23a1b6cbfd4f44f01e641417169870b84314ac4919bbe/diff,workdir=/var/lib/containers/storage/overlay/f28afe4ab2dc806e22f23a1b6cbfd4f44f01e641417169870b84314ac4919bbe/work,redirect_dir=on,uuid=on,metacopy=on,volatile)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=382052k,nr_inodes=95513,mode=700,uid=1000,gid=1000,inode64)

Removing nosuid from fstab and re-mounting does not resolve the issue.

SELinux is set to enforcing with targeted policy, but setting it to permissive does not change anything.

Additional information

No response

[andry-dev]

Small update: it seems that the fault doesn't lie on devsec's role but on the systemd service unit.
When using any security lockdown option other than ProtectProc, podman will fail.
This has been tested on a Fedora 39 VM without running devsec's role.

Right now the definition for Caddy is as follows:

[Unit]
Description=Caddy for SZN

[Container]
Image=docker.io/library/caddy:2.7-alpine
Network=szn-public.network
Volume=/home/kosuzu/.local/share/szn/caddy/Caddyfile:/etc/caddy/Caddyfile:ro,Z
Volume=/home/kosuzu/.local/share/szn/caddy/data:/data:Z
Volume=/home/kosuzu/.local/share/szn/caddy/config:/config:Z
PublishPort=8080:80
PublishPort=4430:443
PublishPort=4430:443/udp
AutoUpdate=registry

[Service]
Restart=on-failure
ProtectProc=invisible

# ANY of these settings make podman crash on newuidmap
#ProtectHome=yes
#PrivateMounts=yes
#PrivateTmp=yes
#ProtectKernelTunables=yes
#LockPersonality=yes
#ProtectSystem=strict
#ReadWritePaths=/home/kosuzu/.local/share/szn/caddy/data /home/kosuzu/.local/share/szn/caddy/config
#ReadOnlyPaths=/home/kosuzu/.local/share/szn/caddy/Caddyfile /home/kosuzu/.config/containers/storage.conf

#SystemCallArchitectures=native
#MemoryDenyWriteExecute=yes


[Install]
WantedBy=multi-user.target default.target

; vim: ft=systemd

Maybe something changed with the systemd version introduced in Fedora 39?

[andry-dev]

Figured it out: the problem stems from the fact that apply the various Protect*, *Paths and so on on user-services imply PrivateUsers=true (see the manual systemd.exec(5)), but that option has the effect of dropping all the host capabilities, including CAP_SETUID and CAP_SETGID which are used by newuidmap/newgidmap. Trying to use AmbientCapabilities to restore them has no effect so, in general, the only "safe" sandboxing options for a rootless podman service are the following:

ProtectProc=invisible
# OR "ProtectProc=noaccess", depending on the service
SystemCallArchitectures=native
MemoryDenyWriteExecute=true

Note that, as documented in RedHat's article, SystemCallArchitecture and MemoryDenyWriteExecute imply NoNewPrivileges=true, which can make newuidmap fail if the namespace was not setup beforehand.
To make it work automatically, create a dummy service unit ~/.config/systemd/user/podman-usernamespace.service:

[Unit]
Description=podman-usernamespace.service

[Service]
Type=oneshot
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman unshare /bin/true
RemainAfterExit=yes

Then add After and Require to the container unit.

Probably on older versions of systemd either the Protect* options did not imply PrivateUsers or PrivateUsers didn't drop capabilities.

[megla-tlanghorst]

Did you ever find anything? I'm trying to restrict a docker CI builder, but even setting ReadOnlyPaths= triggers this behavior seemingly. Quite annoying since I don't want a CI job to be able to be able to change critical configuration or binaries.

[andry-dev]

Nope. The reason for that is that podman is basically already doing what systemd's PrivateUsers does. Even if you find a way to allow PrivateUsers to call newuidmap/newgidmap, the permissions for the podman process would be all wrong and it would not be able to read any path.

[megla-tlanghorst]

Not using podman, but docker rootless and I don't think I can lock paths that docker cannot write any other way. The problem is that of course docker already protects against all of that from inside the container, but I do not trust the source that creates the container / fear code escaping the container.

Especially the problem is that I have a docker running inside a privileged (has to be privileged) container and anyone who can start a CI job basically can create a privileged(or map stuff that they shouldn't) container inside the privileged container an escape that way onto the host at which point I can limit them anymore without systemd, which is why I) basically want everything to be readonly except docker's storage path. I don't fear the extraction of information but the injection of something malicious which is persistent.

[andry-dev]

I think that the best course of action is to ask systemd's maintainers to provide a way to specify additional capabilities for the initial call to PrivateUsers, so that docker/podman can use newuidmap, or to figure out a way to apply *Paths without creating a subuid.

One workaround is to use a container runner that you run inside another container (like in this forgejo-runner discussion); so basically doing, e.g., podman in podman.

Another workaround is to create a system-level unit and assign an User to it. In the manual systemd.exec(5), it says that units in /etc/systemd/system behave differently from user units. In particular, *Paths and the other hardening options do what they say on the tin. To make it even harder to exploit you can probably assign User to an user with no home?
This solution may be the easiest one, but I don't know if it works.

[megla-tlanghorst]

Thanks, I'll maybe try the system unit.

Container inside containers doesn't work though, as the outer container has to be privileged, effectively voiding all security restrictions.