Running podman as a non-login user is possible? #10308

Closed
q2dg opened this issue May 11, 2021 · 28 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

q2dg commented May 11, 2021

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

I want a web page that can run a Podman container simply by clicking a button. This web page is written in PHP, so I'm using its system("podman command...") function to achieve this. But it does nothing (I've tried the exec(), shell_exec() and passthru() functions too, with the same effect). Nothing: no output in the web page, no error in the error.log file. I suspect, though, it's something related to the "apache" user, as you will see in the next paragraphs.

Steps to reproduce the issue:

1. For instance, if you run php -r "system('podman version');" in a shell logged in as your regular user, it works perfectly. But if you run sudo -u apache php -r "system('podman version');" I get these error messages:

WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available
WARN[0000] For using systemd, you may need to login using an user session
WARN[0000] Alternatively, you can enable lingering with: loginctl enable-linger 48 (possibly as root)
WARN[0000] Falling back to --cgroup-manager=cgroupfs
Error: error creating runtime static files directory: mkdir /usr/share/httpd/.local: permission denied

Describe the results you received:

I get the same error shown above even having an entry in /etc/subuid and /etc/subgid for the host's "apache" user, so I'm not sure if this is important or not. It seems to be related to the fact that the "apache" user hasn't logged in to the system, so systemd doesn't recognize it as a valid user for running podman (I don't know the internals well enough to understand why this is).

Describe the results you expected:

I want to run podman commands via the apache user as with any standard regular user.

Output of podman version:

Version: 3.1.2
API Version: 3.1.2
Go Version: go1.16
Built: Thu Apr 22 15:11:28 2021
OS/Arch: linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.20.1
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.27-2.fc34.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.27, commit: '
  cpus: 8
  distribution:
    distribution: fedora
    version: "34"
  eventLogger: journald
  hostname: pepito
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.11.17-300.fc34.x86_64
  linkmode: dynamic
  memFree: 12440694784
  memTotal: 16647036928
  ociRuntime:
    name: crun
    package: crun-0.19.1-2.fc34.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.19.1
      commit: 1535fedf0b83fb898d449f9680000f729ba719f5
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.9-1.fc34.x86_64
    version: |-
      slirp4netns version 1.1.8+dev
      commit: 6dc0186e020232ae1a6fcc1f7afbc3ea02fd3876
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 4h 13m 50.52s (Approximately 0.17 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/q2dg/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/q2dg/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 2
  runRoot: /run/user/1000/containers
  volumePath: /home/q2dg/.local/share/containers/storage/volumes
version:
  APIVersion: 3.1.2
  Built: 1619097088
  BuiltTime: Thu Apr 22 15:11:28 2021
  GitCommit: ""
  GoVersion: go1.16
  OsArch: linux/amd64
  Version: 3.1.2

Package info (e.g. output of rpm -q podman or apt list podman):

podman-3.1.2-1.fc34.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

A physical Fedora 33 system

Thanks!!

@openshift-ci openshift-ci bot added the kind/feature Categorizes issue or PR as related to a new feature. label May 11, 2021
mheon (Member) commented May 11, 2021 via email

q2dg (Author) commented May 11, 2021

Thanks!
Well, using sudo or su is not my main goal... my query is more about how I can get the apache user to run podman commands. I get the same error if I have /etc/subuid and /etc/subgid files like this ("q2dg" is my regular user):

q2dg:100000:65536
apache:165637:65536

I wanted to see how Cockpit-podman works but my coding skills are very poor.
Thanks!

q2dg (Author) commented May 11, 2021

Oh, some progress! If I do loginctl enable-linger apache, I only get this error:

Error: error creating runtime static files directory: mkdir /usr/share/httpd/.local: permission denied

q2dg (Author) commented May 11, 2021

Well, if I do sudo chown -R apache:apache /usr/share/httpd I get this error:
Error: chown /usr/share/httpd/.local/share/containers/storage/overlay/l: operation not permitted

If I do sudo chmod -R o+rwx /usr/share/httpd I get this error ("48" is the apache user's UID):
Error: chown /run/user/48/containers/overlay: operation not permitted

mheon (Member) commented May 11, 2021 via email

q2dg (Author) commented May 11, 2021

Oooh, yeah, I've seen it! It's the rootless_storage_path = "$HOME/.local/share/containers/storage" line in the "/etc/containers/storage.conf" file. I'll try messing with it and I'll report back soon (and, hopefully, close this issue). Thanks a lot!

q2dg (Author) commented May 12, 2021

Well, there's no good news. I've put the rootless_storage_path="/opt/apache" line in the "/etc/container/storage.conf" file and I've created this folder with owner/group "apache" and 777 permissions. Then, when I execute sudo -u apache php -r "system('podman version');" I get the error:
Error: chown /opt/apache/overlay/l: operation not permitted

If I change storage driver from "overlay" to "vfs", I get the same error:
Error: chown /opt/apache/vfs: operation not permitted

What's going on with this problematic "chown"?

mheon (Member) commented May 12, 2021 via email

q2dg (Author) commented May 12, 2021

Hello!
Thanks for your interest.
Yes, it was the first thing I checked: I have SELinux disabled.
It's really strange... :-(

sbravor64 commented
Hello!

On an Ubuntu Server 20.04.1, I've put the rootless_storage_path="/opt/apache" line in "/etc/container/storage.conf", and I've created this folder with owner/group "apache" and 777 permissions, and it works for me, but only with simple commands like "podman version", "podman container ls", etc.

If I do sudo -u www-data php -r "system('podman version');" the command output appears correctly:
cannot chdir: Permission denied
Version: 3.0.1
API Version: 3.0.0
Go Version: go1.15.2
Built: Thu Jan 1 01:00:00 1970
OS/Arch: linux/amd64

but if I do sudo -u www-data php -r "system('podman pull docker.io/library/mariadb');" I get this error:
cannot chdir: Permission denied
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x5578f00113a6]


podman version:
Version: 3.0.1
API Version: 3.0.0
Go Version: go1.15.2
Built: Thu Jan 1 01:00:00 1970
OS/Arch: linux/amd64

ubuntu version:
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

rhatdan (Member) commented May 12, 2021

Does podman info show the correct data?
What does podman unshare cat /proc/self/uid_map show?

Lastly, what is your goal here? Why do you want to run rootless podman instead of rootful podman with --user apache?

rhatdan (Member) commented May 12, 2021

If you want to run in a user namespace you can use --userns=auto.

q2dg (Author) commented May 14, 2021

Thanks a lot for your interest.

Whatever you say, I do (sudo -u apache podman info show ; sudo -u apache podman /proc/self/uid_map; sudo -u apache podman run --userns=auto whatever) and I get the same error message:
"Error: chown /opt/apache/overlay/l: operation not permitted"

What I want to achieve is simply running direct commands like podman pull or podman run from a web page using PHP's system()/exec()/shell_exec()... whatever functions. I want to offer a simple web form so that the user could create and run simple containers on a remote server with some characteristics put in the inputs of the web form (passed as POST variables to the arguments of the podman command).

I remind you that I've done these steps in a Fedora 34 with SELinux disabled:
- Running sudo loginctl enable-linger apache
- Adding the line apache:165537:65536 in the "/etc/subuid" and "/etc/subgid" files (below the line myuser:100000:65536)
- Putting the line rootless_storage_path="/opt/apache" in the "/etc/container/storage.conf" file and then creating the "/opt/apache" folder with owner/group "apache" and 777 permissions

Thanks a lot again and sorry for my stubbornness

PS: The error from @sbravor64 is a bit different from mine... and it seems more serious...

rhatdan (Member) commented May 14, 2021

I have a feeling something is going wrong with the user namespace.
Does this fail?

sudo -u apache podman info
sudo -u apache podman unshare cat /proc/self/uid_map

q2dg (Author) commented May 14, 2021

Yes. Both commands say ("q2dg" is my username):

"cannot chdir to /home/q2dg: Permission denied
Error: chown /opt/apache/overlay/l: operation not permitted"

"/opt/apache" is owned by apache:apache user/group, it has 777 permissions and my system has SELinux disabled. Moreover, I've made "/opt/apache" the home folder of apache user inside "/etc/passwd" file.

Thanks

rhatdan (Member) commented May 14, 2021

sudo -u apache id
sudo -u apache printenv

q2dg (Author) commented May 14, 2021

uid=48(apache) gid=48(apache) groups=48(apache)

COLORTERM=truecolor
HISTSIZE=1000
HOSTNAME=pepito
XAUTHORITY=/run/user/1000/gdm/Xauthority
USERNAME=q2dg
LANG=ca_ES.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:.tar=01;31:.tgz=01;31:.arc=01;31:.arj=01;31:.taz=01;31:.lha=01;31:.lz4=01;31:.lzh=01;31:.lzma=01;31:.tlz=01;31:.txz=01;31:.tzo=01;31:.t7z=01;31:.zip=01;31:.z=01;31:.dz=01;31:.gz=01;31:.lrz=01;31:.lz=01;31:.lzo=01;31:.xz=01;31:.zst=01;31:.tzst=01;31:.bz2=01;31:.bz=01;31:.tbz=01;31:.tbz2=01;31:.tz=01;31:.deb=01;31:.rpm=01;31:.jar=01;31:.war=01;31:.ear=01;31:.sar=01;31:.rar=01;31:.alz=01;31:.ace=01;31:.zoo=01;31:.cpio=01;31:.7z=01;31:.rz=01;31:.cab=01;31:.wim=01;31:.swm=01;31:.dwm=01;31:.esd=01;31:.jpg=01;35:.jpeg=01;35:.mjpg=01;35:.mjpeg=01;35:.gif=01;35:.bmp=01;35:.pbm=01;35:.pgm=01;35:.ppm=01;35:.tga=01;35:.xbm=01;35:.xpm=01;35:.tif=01;35:.tiff=01;35:.png=01;35:.svg=01;35:.svgz=01;35:.mng=01;35:.pcx=01;35:.mov=01;35:.mpg=01;35:.mpeg=01;35:.m2v=01;35:.mkv=01;35:.webm=01;35:.webp=01;35:.ogm=01;35:.mp4=01;35:.m4v=01;35:.mp4v=01;35:.vob=01;35:.qt=01;35:.nuv=01;35:.wmv=01;35:.asf=01;35:.rm=01;35:.rmvb=01;35:.flc=01;35:.avi=01;35:.fli=01;35:.flv=01;35:.gl=01;35:.dl=01;35:.xcf=01;35:.xwd=01;35:.yuv=01;35:.cgm=01;35:.emf=01;35:.ogv=01;35:.ogx=01;35:.aac=01;36:.au=01;36:.flac=01;36:.m4a=01;36:.mid=01;36:.midi=01;36:.mka=01;36:.mp3=01;36:.mpc=01;36:.ogg=01;36:.ra=01;36:.wav=01;36:.oga=01;36:.opus=01;36:.spx=01;36:.xspf=01;36:
TERM=xterm-256color
DISPLAY=:0
MAIL=/var/spool/mail/q2dg
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
LOGNAME=apache
USER=apache
HOME=/opt/apache
SHELL=/sbin/nologin
SUDO_COMMAND=/usr/bin/printenv
SUDO_USER=q2dg
SUDO_UID=1000
SUDO_GID=1000

Thanks!

rhatdan (Member) commented May 15, 2021

Podman requires XDG_RUNTIME_DIR to be set in order to run correctly.

q2dg (Author) commented May 15, 2021

Thanks.
If I do sudo -u apache XDG_RUNTIME_DIR=/run/user/48 php -r "system('podman version');"
(where "48" is the UID of "apache" user), I still get the same error:

cannot chdir to /home/q2dg: Permission denied
Error: chown /opt/apache/overlay/l: operation not permitted

If this variable is required, maybe this misbehaviour is somehow related to the apache user's access to some (session) D-Bus channel?

q2dg (Author) commented May 15, 2021

Well, maybe this comment could hold the clue: https://stackoverflow.com/a/57303690
I'll investigate further.

rhatdan (Member) commented May 15, 2021

Not sure if this is causing issues?
USERNAME=q2dg

BTW, what are the permissions on the /opt directory?

I just went through the process, and set up my apache account to work, without a problem.

# mkdir /home/apache
# chown apache:apache -R /home/apache
# restorecon -R -v /home/apache
# cat /etc/subuid
dwalsh:100000:65536
containers:2147483647:2147483648
apache:165536:10000
# grep apache /etc/passwd
apache:x:48:48:Apache:/home/apache:/sbin/nologin
# sudo -u apache podman run fedora id
WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available 
WARN[0000] For using systemd, you may need to login using an user session 
WARN[0000] Alternatively, you can enable lingering with: `loginctl enable-linger 48` (possibly as root) 
WARN[0000] Falling back to --cgroup-manager=cgroupfs    
WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available 
WARN[0000] For using systemd, you may need to login using an user session 
WARN[0000] Alternatively, you can enable lingering with: `loginctl enable-linger 48` (possibly as root) 
WARN[0000] Falling back to --cgroup-manager=cgroupfs    
Resolved "fedora" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob 7679c09af385 done  
Copying config 3567369c67 done  
Writing manifest to image destination
Storing signatures
uid=0(root) gid=0(root) groups=0(root)

q2dg (Author) commented May 15, 2021

Well, there must be something weird in my system that I can't see, because doing the same as you (I mean, using the "/home" folder instead of "/opt") I keep getting the same error:

cannot chdir to /home/q2dg: Permission denied
Error: chown /home/apache/overlay/l: operation not permitted

...even when I do sudo -u apache USERNAME=apache podman version

In fact, my "/home" and "/opt" folders are equivalent in terms of permissions and owners:

[q2dg@pepito ~]$ ls -ld /home
drwxr-xr-x. 5 root root 4096 15 maig 12:39 /home
[q2dg@pepito ~]$ ls -ld /opt
drwxr-xr-x. 7 root root 4096 12 maig 11:40 /opt

Thanks a lot for your interest and sorry for disturbing you.

q2dg (Author) commented May 22, 2021

Well, summarizing... I've done the steps explained below in a fresh new Fedora 34 Workstation system (without any configuration changes from the default settings and with all packages upgraded as of today: the kernel is 5.11.21-300 and podman is 3.1.2) and in a fresh new Ubuntu 21.04 Desktop system too (with kernel 5.11.0-17 and podman 3.0.1, and no configuration changes either).

* In Fedora:

1. I've disabled SELinux by putting the SELINUX=disabled line in "/etc/selinux/config" and I've rebooted the system
2. I've installed the following packages: podman httpd php
3. I've added the apache:165537:65536 line in the "/etc/subuid" and "/etc/subgid" files
4. I've run the sudo chown -R apache:apache /usr/share/httpd command, since the "/usr/share/httpd" folder appears in "/etc/passwd" as the Apache user's home
5. I've run the sudo loginctl enable-linger apache command and I rebooted the system.
6. I've run these commands to create a D-Bus session channel as the Apache user (as explained in https://stackoverflow.com/questions/20213563/php-dbus-stable-implementation/57303690#57303690): sudo -u apache sh -c "export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/48/bus && dbus-daemon --fork --session --print-address 1 --address='unix:path=/run/user/48/bus'" (the Apache user's ID is 48 in Fedora)
7. Finally, I've run this test command: sudo -u apache XDG_RUNTIME_DIR=/run/user/48 USERNAME=apache php -r "system('podman version');"

Whatever I do, I always get the same error:
cannot chdir to /home/usuari: Permission denied ("usuari" is my regular desktop user)
Error: chown /usr/share/httpd/.local/share/containers/storage/overlay/l: operation not permitted

* In Ubuntu (it's the same as above, only changing the Apache user's name, ID and paths):

1. I've installed the following packages: podman apache2 libapache2-mod-php
2. I've added the apache:165537:65536 line in the "/etc/subuid" and "/etc/subgid" files
3. I've run the sudo chown -R www-data:www-data /var/www command, since the "/var/www" folder appears in "/etc/passwd" as the Apache user's home
4. I've run the sudo loginctl enable-linger www-data command and I rebooted the system.
5. I've run these commands to create a D-Bus session channel as the Apache user (as explained in the Fedora example above): sudo -u www-data sh -c "export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/33/bus && dbus-daemon --fork --session --print-address 1 --address='unix:path=/run/user/33/bus'" (the Apache user's ID is 33 in Ubuntu)
6. Finally, I've run this test command: sudo -u www-data XDG_RUNTIME_DIR=/run/user/33 USERNAME=www-data php -r "system('podman version');"

Whatever I do, I always get the same error:
cannot chdir: Permission denied
Error: chown /var/www/.local/share/containers/storage/overlay/l: operation not permitted

In conclusion:

Both systems fail in the same manner and I don't know what else to do.

Thanks a lot for your patience.

rhatdan (Member) commented May 24, 2021

We could set up a joint debugging session, where I can look at your setup via a shared screen. In Google Meet.
I am in the Boston Timezone.

q2dg (Author) commented May 25, 2021

Oh, my English is very poor and I also don't listen very well, so maybe we have some communication problems, but if you don't mind "wasting your time", it's an honor for me! I live in Spain, so we have 7 hours difference: when it is 3:00 pm here, there it is 9:00 am ... knowing this, if you choose the time that suits you best, I can adapt to it. Anyway, if you want to try it for your convenience, you will find the problems that I have been reporting simply by installing (in a virtual machine; I use VirtualBox) a Fedora Workstation 34 using standard options. Thank you very much for your time and for your kindness!!

rhatdan (Member) commented May 25, 2021

That is the thing, I have tried and it worked for me.

Send your email address to [email protected] and I will set up a meeting.

q2dg (Author) commented May 26, 2021

Well, thanks to the splendid help of @rhatdan and @vrothberg I've got podman running as the apache user. Waiting for the definitive solution in containers/common#580, I'd like to summarize the (provisional) steps I've done. Specifically, in a Fedora Workstation 34 system:

1. I've disabled SELinux by putting the SELINUX=disabled line in "/etc/selinux/config" and I've rebooted the system (maybe this step is not necessary, but I've not tried)
2. I've installed the following packages: podman httpd php
3. I've added the apache:165537:65536 line in the "/etc/subuid" and "/etc/subgid" files
4. I've run sudo chown -R apache:apache /usr/share/httpd, since the "/usr/share/httpd" folder appears in "/etc/passwd" as the Apache user's home
5. I've run sudo chsh -s /bin/bash apache (from the "util-linux-user" package) to give the Apache user a shell (very bad idea!!, but for me it doesn't matter... it's very ugly but it works)
6. I've run sudo loginctl enable-linger apache and I rebooted the system: a new instance of systemd for the Apache user's session should be started, then.

That's all. Since then, I can execute any podman command through a php interpreter run by the Apache user simply by writing this: sudo -i -u apache php -r "system('podman version');" I've also tried running "podman run ..." commands and it works too!!

The best part is that if I put some code like this (<html><body><?php system('podman version'); ?></body></html>) in a php file located inside my host's "/var/www/html" folder (suppose it's called "index.php") and then I open a browser and go to http://127.0.0.1/index.php , it works too!!!

So I can finally run podman containers through a web page.
Thanks a lot to all.
If you don't mind, I'll close this issue and we'll be aware of containers/common#580
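As an added example that is not code from the issue or from the podman project: a POSIX sh wrapper that performs the preconditions the thread worked through (a subuid/subgid entry for the service account, lingering enabled, /run/user/UID present for XDG_RUNTIME_DIR) and validates the image reference and container name a web form would hand to "podman run" before the PHP side calls it. It generalizes the thread slightly by also reporting whether the service account's subordinate range overlaps another user's entry. Function names, the wrapper layout and the container-name pattern are assumptions; the file paths are parameters so the checks can be exercised on constructed copies of /etc/subuid.

```shell
#!/bin/sh
# Added example (not from the issue or the podman project): preflight checks for
# running rootless podman as a service account such as "apache", plus strict
# validation of the values a web form passes to "podman run". File paths are
# parameters so the checks can be exercised on constructed copies of /etc/subuid.

# subuid_entry FILE USER: print "start:count" for USER; exit 1 if absent.
subuid_entry() {
    awk -F: -v u="$2" '$1 == u { print $2 ":" $3; found = 1 } END { exit !found }' "$1"
}

# subuid_overlaps FILE USER: exit 0 when USER's range intersects another entry
# (two accounts sharing subordinate ids would also share ownership of each
# other's container files, defeating the per-user isolation).
subuid_overlaps() {
    awk -F: -v u="$2" '
        NF < 3 { next }
        $1 == u { s = $2 + 0; e = $2 + $3; next }
        { os[NR] = $2 + 0; oe[NR] = $2 + $3 }
        END {
            if (e == "") exit 1
            for (i in os) if (os[i] < e && s < oe[i]) exit 0
            exit 1
        }' "$1"
}

# lingering_enabled USER: systemd keeps a user manager for USER without a login.
lingering_enabled() {
    loginctl show-user "$1" -p Linger 2>/dev/null | grep -qx 'Linger=yes'
}

# runtime_dir_ok UID: /run/user/UID exists and belongs to UID (XDG_RUNTIME_DIR).
runtime_dir_ok() {
    [ -d "/run/user/$1" ] && [ "$(stat -c %u "/run/user/$1")" = "$1" ]
}

# validate_image_ref REF: only registry/repo[:tag][@digest] characters and never
# a leading dash, so a form value cannot be parsed as a flag or shell syntax.
validate_image_ref() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._/:@-]*) return 1 ;;
    esac
    [ "${#1}" -le 255 ]
}

# validate_name NAME: assumed container-name pattern [A-Za-z0-9][A-Za-z0-9_.-]*
validate_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        [A-Za-z0-9]*) return 0 ;;
    esac
    return 1
}

# run_as_service_user USER UID IMAGE [NAME]: what the PHP system() call invokes.
# "sudo -i" rebuilds USER's environment, as in the thread's working command.
run_as_service_user() {
    user=$1; uid=$2; image=$3; name=${4:-}
    subuid_entry /etc/subuid "$user" >/dev/null || { echo "no /etc/subuid entry for $user" >&2; return 2; }
    subuid_entry /etc/subgid "$user" >/dev/null || { echo "no /etc/subgid entry for $user" >&2; return 2; }
    lingering_enabled "$user" || echo "warning: run 'loginctl enable-linger $user' first" >&2
    runtime_dir_ok "$uid" || echo "warning: /run/user/$uid missing; podman needs XDG_RUNTIME_DIR" >&2
    validate_image_ref "$image" || { echo "rejected image reference" >&2; return 3; }
    if [ -n "$name" ]; then
        validate_name "$name" || { echo "rejected container name" >&2; return 3; }
        set -- --name "$name"
    else
        set --
    fi
    sudo -i -u "$user" XDG_RUNTIME_DIR="/run/user/$uid" podman run --rm "$@" "$image"
}

# Usage from a wrapper script: run_as_service_user apache 48 docker.io/library/mariadb db1
if [ "$#" -ge 3 ]; then run_as_service_user "$@"; fi
```

The PHP page then calls the wrapper with the validated values as separate arguments instead of interpolating form input into one command string.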

@q2dg q2dg closed this as completed May 26, 2021
rhatdan (Member) commented May 27, 2021

I would just say, I am sure you could get this working with SELinux fairly easily.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023