
podman official docker image failed at "error creating runtime static files directory" #10460

Closed
zensolution opened this issue May 25, 2021 · 7 comments
Labels: locked - please file new issue/PR, podman-in-container

Comments

@zensolution

I built a Docker image using the Dockerfile below:

FROM quay.io/containers/podman:latest
USER podman

When I run the image, enter the container shell, and run the command "podman info", I get the following error:

sh-5.1$ podman info
Error: error creating runtime static files directory: mkdir /home/podman/.local/share/containers/storage: permission denied

As far as I know, /home/podman/.local is owned by the root user. Does anyone have a suggestion?

@mheon
Member

mheon commented May 25, 2021

@rhatdan Another podman-in-container

@rhatdan
Member

rhatdan commented May 25, 2021

Please show us the docker command you are executing?

For now you need to execute --privileged.

@zensolution
Author

zensolution commented May 25, 2021

@rhatdan Thank you for your hint. That means I have to run podman as root, but I do want to run podman rootless. Is it possible to run the podman Docker image rootless?

@zensolution
Author

I made it work by using the Dockerfile below:

FROM quay-io-mirror.dev-mgmt.nysdi.com/containers/podman:v3.1.2
RUN mkdir -p /home/podman/.local/share/containers/storage
RUN chown podman:podman -R /home/podman/.local
USER podman

Then I deployed the image to k8s using the pod.yaml below:

apiVersion: v1
kind: Pod
metadata:
  name: static-web
spec:
  containers:
    - name: web
      image: internal.com/podman:0.5
      command: ["sleep", "3600"]
      securityContext:
        allowPrivilegeEscalation: true

So far, the only annoying thing is the warning "WARN[0000] Failed to detect the owner for the current cgroup: stat /sys/fs/cgroup/systemd/docker/9bd4182a1969adcaca76cf5dc9776058f68c7582f06683cbf6480fbe03522889: no such file or directory"

@rhatdan
Member

rhatdan commented May 26, 2021

That should be fixed in podman 3.2.

@zensolution
Author

zensolution commented May 26, 2021

@rhatdan Thank you for the update. I am good for now, but it seems to be an issue that root is the owner of /home/podman/.local/share/containers/storage, which prevents podman from running rootless. The workaround below works, but it is a hack.

RUN mkdir -p /home/podman/.local/share/containers/storage
RUN chown podman:podman -R /home/podman/.local
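The failure in this thread comes down to ownership of the rootless storage path: if the nearest existing ancestor of ~/.local/share/containers/storage is owned by root, podman's mkdir fails with "permission denied", and the chown hack above papers over it. The script below is an added example (not code from this issue or from the podman project) that checks that condition, plus the /etc/subuid and /etc/subgid entries that rootless podman needs for the idMappings shown later in the thread, before podman is invoked. It assumes GNU stat (Linux) with a BSD fallback, and the /etc/subuid sample data in the usage is constructed.

```shell
#!/bin/sh
# Rootless-podman storage preflight. Constructed example, not code from the
# podman project or this issue: it checks the two things that made
# "podman info" fail or warn in this thread before podman is invoked.
# Assumes GNU stat (Linux); the BSD stat fallback is an assumption too.

# Default graphRoot for a rootless user, as reported by "podman info".
STORAGE_DEFAULT="${HOME:-/home/podman}/.local/share/containers/storage"

# owner_uid PATH: print the numeric UID that owns PATH.
owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# nearest_existing_ancestor PATH: print the deepest directory on PATH that
# already exists. "mkdir -p PATH" creates its first new component inside this
# directory, so its ownership decides whether the mkdir succeeds.
nearest_existing_ancestor() {
    p=$1
    while [ ! -d "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# check_storage_dir DIR UID: 0 if DIR exists and is owned by UID, 1 if DIR is
# missing, 2 if another UID owns it (the root-owned ~/.local in this issue).
check_storage_dir() {
    csd_dir=$1
    csd_uid=$2
    [ -d "$csd_dir" ] || { echo "missing: $csd_dir" >&2; return 1; }
    csd_owner=$(owner_uid "$csd_dir")
    if [ "$csd_owner" != "$csd_uid" ]; then
        echo "owned by uid $csd_owner, not $csd_uid: $csd_dir (podman will report 'permission denied')" >&2
        return 2
    fi
    return 0
}

# can_create_storage DIR UID: 0 if "mkdir -p DIR" would succeed for UID,
# judged by the ownership of the nearest existing ancestor of DIR.
can_create_storage() {
    check_storage_dir "$(nearest_existing_ancestor "$1")" "$2"
}

# has_subid_entry FILE USER: 0 if FILE (the /etc/subuid or /etc/subgid format,
# "name:start:count") grants USER at least one ID. Rootless podman needs an
# entry in both files to build the uidmap/gidmap that "podman info" reports.
has_subid_entry() {
    awk -F: -v u="$2" '$1 == u && $3 > 0 { found = 1 } END { exit !found }' "$1"
}

# preflight [DIR]: run every check for the current user and print a summary.
preflight() {
    pf_dir=${1:-$STORAGE_DEFAULT}
    pf_uid=$(id -u)
    pf_user=$(id -un 2>/dev/null || echo "$pf_uid")
    pf_status=0
    if ! check_storage_dir "$pf_dir" "$pf_uid"; then
        can_create_storage "$pf_dir" "$pf_uid" || pf_status=1
    fi
    for f in /etc/subuid /etc/subgid; do
        has_subid_entry "$f" "$pf_user" 2>/dev/null || {
            echo "no entry for $pf_user in $f" >&2
            pf_status=1
        }
    done
    if [ "$pf_status" -eq 0 ]; then
        echo "ok: $pf_user can use $pf_dir"
    else
        echo "not ready for rootless podman" >&2
    fi
    return "$pf_status"
}

# Usage: sh rootless-preflight.sh --check [STORAGE_DIR]
case "${1:-}" in
    --check) preflight "${2:-}" ;;
esac
```

Run it as the unprivileged user inside the image (for example `sh rootless-preflight.sh --check` in place of `podman info`), or add it as a build-time check so an image whose ~/.local is root-owned fails to build instead of failing at runtime; the numeric UID comparison rather than a user name keeps it working for users that have no passwd entry.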

@rhatdan
Member

rhatdan commented May 26, 2021

# podman version
Version:      3.2.0-rc2
API Version:  3.2.0-rc2
Go Version:   go1.16.3
Built:        Thu May 20 22:35:20 2021
OS/Arch:      linux/amd64

# podman run -ti --user podman quay.io/containers/podman:latest podman info
host:
  arch: amd64
  buildahVersion: 1.21.0
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.29-dev, commit: 31614525ebc5fd9668a6e084b5638d71b903bf6d'
  cpus: 8
  distribution:
    distribution: fedora
    version: "34"
  eventLogger: file
  hostname: e77b513cda9f
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 5000
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 10000
      size: 5000
  kernel: 5.13.0-0.rc1.20210511git1140ab592e2e.14.fc35.x86_64
  linkmode: dynamic
  memFree: 765067264
  memTotal: 16376160256
  ociRuntime:
    name: crun
    package: crun-0.19.1-3.fc34.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.19.1
      commit: 1535fedf0b83fb898d449f9680000f729ba719f5
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /tmp/podman-run-1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.9-1.fc34.x86_64
    version: |-
      slirp4netns version 1.1.8+dev
      commit: 6dc0186e020232ae1a6fcc1f7afbc3ea02fd3876
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 16885211136
  swapTotal: 16886259712
  uptime: 4h 31m 11.41s (Approximately 0.17 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/podman/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.5.0-1.fc34.x86_64
      Version: |-
        fusermount3 version: 3.10.3
        fuse-overlayfs: version 1.5
        FUSE library version 3.10.3
        using FUSE kernel interface version 7.31
  graphRoot: /home/podman/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 0
  runRoot: /tmp/podman-run-1000/containers
  volumePath: /home/podman/.local/share/containers/storage/volumes
version:
  APIVersion: 3.2.0-dev
  Built: 1622017028
  BuiltTime: Wed May 26 08:17:08 2021
  GitCommit: e81457dc8e6632f4e9c7a4d240c9a73e8d509bb3
  GoVersion: go1.16.4
  OsArch: linux/amd64
  Version: 3.2.0-dev

@rhatdan rhatdan closed this as completed May 26, 2021
13r0ck added a commit to pop-os/mesa that referenced this issue Jan 23, 2023
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023