
Running podman rootless gives ERRO[0000] cannot setup namespace using newuidmap: exit status 1 #2788

Closed
kdubois opened this issue Mar 28, 2019 · 30 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. rootless

Comments

@kdubois

kdubois commented Mar 28, 2019

/kind bug

Hi, I just installed Podman on Fedora 29 but running anything rootless gives me the error:

ERRO[0000] cannot setup namespace using newuidmap: exit status 1

e.g.

$ podman info
ERRO[0000] cannot setup namespace using newuidmap: exit status 1

I made sure my username is in /etc/subuid and /etc/subgid:

$ cat /etc/subuid
kdubois:100000:65536
$ cat /etc/subgid
kdubois:100000:65536

Running podman as root works fine:

$ sudo podman info
host:
  BuildahVersion: 1.7.1
  Conmon:
    package: podman-1.1.2-1.git0ad9b6b.fc29.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: a95a49d3038462d033f84ac314ec8a3064a99cff'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 8967946240
  MemTotal: 33567715328
  OCIRuntime:
    package: runc-1.0.0-68.dev.git6635b4f.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: ef9132178ccc3d2775d4fb51f1e431f30cac1398-dirty
      spec: 1.0.1-dev
  SwapFree: 16852709376
  SwapTotal: 16852709376
  arch: amd64
  cpus: 8
  hostname: kdubois-redhat
  kernel: 4.20.13-200.fc29.x86_64
  os: linux
  rootless: false
  uptime: 27h 46m 28.7s (Approximately 1.12 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mountopt=nodev
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 1
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Steps to reproduce the issue:

  1. sudo dnf install podman

  2. podman info

Output of podman version:

$ podman version
Version:            1.1.2
RemoteAPI Version:  1
Go Version:         go1.11.5
Git Commit:         a95a49d3038462d033f84ac314ec8a3064a99cff
Built:              Tue Mar  5 19:10:31 2019
OS/Arch:            linux/amd64

Output of podman info --debug:

$ sudo podman info --debug
debug:
  compiler: gc
  git commit: a95a49d3038462d033f84ac314ec8a3064a99cff
  go version: go1.11.5
  podman version: 1.1.2
host:
  BuildahVersion: 1.7.1
  Conmon:
    package: podman-1.1.2-1.git0ad9b6b.fc29.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: a95a49d3038462d033f84ac314ec8a3064a99cff'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 8933810176
  MemTotal: 33567715328
  OCIRuntime:
    package: runc-1.0.0-68.dev.git6635b4f.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: ef9132178ccc3d2775d4fb51f1e431f30cac1398-dirty
      spec: 1.0.1-dev
  SwapFree: 16852709376
  SwapTotal: 16852709376
  arch: amd64
  cpus: 8
  hostname: kdubois-redhat
  kernel: 4.20.13-200.fc29.x86_64
  os: linux
  rootless: false
  uptime: 27h 50m 30.71s (Approximately 1.12 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mountopt=nodev
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 1
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Additional environment details (AWS, VirtualBox, physical, etc.):
Physical Fedora 29 install

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Mar 28, 2019
@rhatdan
Member

rhatdan commented Mar 28, 2019

Does buildah unshare work?
rpm -qV shadow-utils
Did you set up your homedir as noexec?

@kdubois
Author

kdubois commented Mar 28, 2019

It looks like just restarting my session did the trick 😅

@kdubois kdubois closed this as completed Mar 28, 2019
@alcir

alcir commented Apr 4, 2019

Same problem here, but restarting the session doesn't resolve the issue.

@mheon
Member

mheon commented Apr 4, 2019

Do you have /etc/subuid and /etc/subgid? What are their contents?

@alcir

alcir commented Apr 4, 2019

Do you have /etc/subuid and /etc/subgid? What are their contents?

Yes.

cat /etc/subgid
fedora:100000:65536
alciregi:165536:65536
radio:231072:65536

cat /etc/subuid
fedora:100000:65536
alciregi:165536:65536
radio:231072:65536

@mheon
Member

mheon commented Apr 4, 2019

Podman version?
@giuseppe Do we print stdout/err from these on Master?

@alcir

alcir commented Apr 4, 2019

Podman version?

podman version
Version:            1.1.2
RemoteAPI Version:  1
Go Version:         go1.11.5
Git Commit:         a95a49d3038462d033f84ac314ec8a3064a99cff
Built:              Tue Mar  5 18:10:31 2019
OS/Arch:            linux/amd64

@alcir

alcir commented Apr 4, 2019

Mmm
Using strace I've seen

newuidmap: write to uid_map failed: Operation not permitted

Googling around I tried to

chmod 4755 /usr/bin/newgidmap
chmod 4755 /usr/bin/newuidmap

And now podman works.

@rhatdan
Member

rhatdan commented Apr 4, 2019

Shadow utils does this by default with file capabilities. For some reason file caps were not working for you.
What file system are you using for /usr?

@alcir

alcir commented Apr 4, 2019 via email

@rhatdan
Member

rhatdan commented Apr 4, 2019

rpm -qV shadow-utils
Before your change.
They could have mounted the /usr as nosuid, but your change would not have fixed this.
On default Fedora 29
getcap /usr/bin/newuidmap /usr/bin/newgidmap
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/newgidmap = cap_setgid+ep

These two capabilities should be all you need.

@alcir

alcir commented Apr 4, 2019 via email

@alcir

alcir commented Apr 5, 2019

rpm -qV shadow-utils
........P    /usr/bin/newgidmap
........P    /usr/bin/newuidmap
mount
/dev/vda1 on / type ext4 (rw,relatime,seclabel)

getcap /usr/bin/newuidmap /usr/bin/newgidmap doesn't return any result

@alcir

alcir commented Apr 5, 2019

Well, a followup (fresh install and full update):

dnf reinstall shadow-utils
...
Reinstalled:
  shadow-utils-2:4.6-4.fc29.x86_64

And now rpm -qV shadow-utils doesn't return anything, while getcap /usr/bin/newuidmap /usr/bin/newgidmap returns

/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/newgidmap = cap_setgid+ep

And podman works.

@rhatdan
Member

rhatdan commented Apr 5, 2019

Super.

@funkytaco

FYI, I had this error when I had two entries in /etc/subuid and the first entry did not provide sufficient resource access to use podman.

@priyanka19-98

priyanka19-98 commented Oct 1, 2020

Doesn't work for me; here is the error:

[pjiandan@pjiandan ~]$ podman info
ERRO[0000] cannot setup namespace using newuidmap: exit status 1 
[pjiandan@pjiandan ~]$ sudo podman info
host:
  BuildahVersion: 1.6-dev
  Conmon:
    package: podman-1.0.0-2.git921f98f.module+el8+2785+ff8a053f.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.14.0-dev, commit: be8255a19cda8a598d76dfa49e16e337769d4528-dirty'
  Distribution:
    distribution: '"rhel"'
    version: "8.0"
  MemFree: 27608231936
  MemTotal: 33330409472
  OCIRuntime:
    package: runc-1.0.0-54.rc5.dev.git2abd837.module+el8+2769+577ad176.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.0'
  SwapFree: 8589930496
  SwapTotal: 8589930496
  arch: amd64
  cpus: 8
  hostname: pjiandan.remote.csb
  kernel: 4.18.0-80.11.2.el8_0.x86_64
  os: linux
  rootless: false
  uptime: 16m 15.99s
insecure registries:
  registries: []
registries:
  registries:
  - registry.redhat.io
  - quay.io
  - docker.io
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
  ImageStore:
    number: 1
  RunRoot: /var/run/containers/storage

Can anyone please help with this?

@rhatdan
Member

rhatdan commented Oct 1, 2020

$ podman unshare cat /proc/self/uid_map

This should show you something like

podman unshare cat /proc/self/uid_map
         0       3267          1
         1     100000      65536

If this only shows 1 line, then you have not set up /etc/subuid and /etc/subgid properly or your newuidmap and newgidmap tools are not installed properly.
sudo dnf reinstall shadow-utils
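The uid_map check above, together with the earlier points about file capabilities on newuidmap/newgidmap and a possible nosuid mount of /usr, can be scripted. This is an added example, not podman project code or anything posted in the thread; it assumes the getcap, mount and podman unshare output formats shown in the thread, and the check names (uid_map_lines, subid_range_for, has_file_cap, mount_is_nosuid) are its own:

```shell
#!/bin/sh
# Added example, not podman project code: offline-testable checks for the
# rootless prerequisites this thread walks through. Each check takes captured
# command output as an argument; live_check feeds it real output with --live.
# Number of mapping lines in /proc/self/uid_map output. One line means only
# the caller's own UID got mapped, i.e. newuidmap never ran successfully.
uid_map_lines() {
    printf '%s\n' "$1" | grep -c '[0-9]'
}

# Print start:count allocated to user $1 in /etc/subuid or /etc/subgid
# text $2; exit 1 when the user has no entry at all.
subid_range_for() {
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u { print $2 ":" $3; found = 1 } END { exit !found }'
}

# Succeed when getcap output $3 shows binary $1 with capability $2 in both
# the effective and permitted sets; accepts "path = cap+ep" (older libcap)
# and "path cap=ep" (newer libcap) spellings.
has_file_cap() {
    printf '%s\n' "$3" | grep -Eq "^$1( = | )$2[+=]ei?p$"
}

# Succeed when mount(8) output $2 lists mount point $1 with nosuid, which
# makes the kernel ignore setuid bits and file capabilities alike.
mount_is_nosuid() {
    printf '%s\n' "$2" | awk -v mp="$1" \
        '$3 == mp && $6 ~ /[(,]nosuid[,)]/ { hit = 1 } END { exit !hit }'
}

# Constructed sample output modelled on what the thread shows.
SAMPLE_UID_MAP='         0       3267          1
         1     100000      65536'
SAMPLE_SUBUID='fedora:100000:65536
alciregi:165536:65536'
SAMPLE_GETCAP='/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/newgidmap = cap_setgid+ep'
live_check() {
    u=$(id -un)
    subid_range_for "$u" "$(cat /etc/subuid)" >/dev/null || echo "no /etc/subuid entry for $u"
    subid_range_for "$u" "$(cat /etc/subgid)" >/dev/null || echo "no /etc/subgid entry for $u"
    has_file_cap /usr/bin/newuidmap cap_setuid "$(getcap /usr/bin/newuidmap)" || echo "newuidmap lacks cap_setuid+ep"
    has_file_cap /usr/bin/newgidmap cap_setgid "$(getcap /usr/bin/newgidmap)" || echo "newgidmap lacks cap_setgid+ep"
    mount_is_nosuid /usr "$(mount)" && echo "/usr is nosuid: file capabilities are ignored there"
    [ "$(uid_map_lines "$(podman unshare cat /proc/self/uid_map 2>/dev/null)")" -gt 1 ] || echo "uid_map has one line: newuidmap did not run"
}
if [ "${1:-}" = --live ]; then live_check; fi
```

Run it as `sh check.sh --live` as the unprivileged user; silence means every prerequisite the thread names was found.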

@agu3rra

agu3rra commented Aug 5, 2021

FYI, I had this error when I had two entries in /etc/subuid and the first entry did not provide sufficient resource access to use podman.

Mine worked after setting both subuid and subgid as podman:10000:1694527157. Running it rootless with the --privileged flag in docker.

@ananthb
Contributor

ananthb commented Dec 9, 2021

I ran into this exact issue after migrating my user account to a systemd-homed managed account. Should I open a new issue or can we re-open this one?

@rkachach

I ran into the same issue (on Fedora 35) and the proposed solution didn't work for me (granting setuid to /usr/bin/newuidmap and setcap cap_setuid+eip /usr/bin/newuidmap). I fixed the issue by running the following commands:

sudo chmod u-s /usr/bin/new[gu]idmap
sudo setcap cap_setuid+eip /usr/bin/newuidmap
sudo setcap cap_setgid+eip /usr/bin/newgidmap

This fixed the error for me and I got podman info working for my normal user.

@ananthb
Contributor

ananthb commented Jan 21, 2022

Podman info works for me even with the error. We may be having different issues. Is your user account managed by systemd-homed or is it a standard Linux account from /etc/passwd?

@SyamiliV

If we set setuid for podman it works; now, is there any way to export a container as a tarfile as a non-root user?

@mheon
Member

mheon commented Feb 21, 2022

Please do not use setuid for Podman, it's basically giving every user with access to Podman passwordless root on the system.

@SyamiliV

Hmm, if I remove it I get this error:

podman info
ERRO[0000] cannot setup namespace using newuidmap: exit status 1

@mheon
Member

mheon commented Feb 21, 2022

Is newuidmap installed? Does it have the appropriate file capabilities set? Does the user you are running Podman as have UIDs and GIDs allocated in /etc/subuid and /etc/subgid?

@SyamiliV

Yes mheon, newuidmap is installed and subuid and subgid are also mounted from the host.

@mheon
Member

mheon commented Feb 21, 2022

Please open a fresh issue, then - this sounds like a different bug

@SyamiliV

sure

@jannisbecker

@alcir Thank you, that helped me out just now!
On Arch Linux, the relevant package is called shadow. Reinstalling that with pacman -S shadow fixed it for me, no more issues.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 20, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 20, 2023