Is there any chance to run rootless podman container inside another one? #4056
Comments
We're probably a bit closer with upstream/1.6.0 with crun in play, but I think there are still some hiccups.
looks like newuidmap/newgidmap don't get enough privileges to setup the namespace. What is the result of In case that is empty, you may try with I am afraid the new*map programs miss the file capabilities, either because of the way Fedora images are built, or because they don't work correctly within overlayfs
I've tried similar steps to yours and it seems to work fine:
so it must be something else going wrong
is there any pause process running inside the container? Could you try
@psmolkin had a chance to try it out?
@giuseppe

```
$ podman system migrate && podman --log-level debug --cgroup-manager cgroupfs unshare cat /proc/self/uid_map
WARN[0000] using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding subids
INFO[0000] running as rootless
DEBU[0000] using conmon: "/usr/libexec/podman/conmon"
DEBU[0000] Initializing boltdb state at /home/test/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /home/test/.local/share/containers/storage
DEBU[0000] Using run root /tmp/run-1001
DEBU[0000] Using static dir /home/test/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /tmp/run-1001/libpod/tmp
DEBU[0000] Using volume path /home/test/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs
DEBU[0000] backingFs=overlayfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false
DEBU[0000] Initializing event backend journald
DEBU[0000] using runtime "/usr/bin/crun"
DEBU[0000] using runtime "/usr/bin/runc"
0 1001 1
$ cat /etc/sub?id
test:100000:65536
test:100000:65536
```
I'm also trying to get to work, with the aim to eventually be able to run automated test suites that start local containers within an unprivileged docker or podman container. I'm able to get this far, with both After installing podman and confirming
The basic steps I'm following:
Am I missing something? I'm testing this locally with
You'll probably want to run the outer container with either
(I think seccomp will block the mount calls otherwise)
Thanks for the tip, that does unfortunately defeat the whole point :(. Is there any chance this will be possible without
Not without changes to the Seccomp profile (and potentially other things) - Seccomp blocks a lot of things (like the mount calls I mentioned) that we need to continue setup.
https://stackoverflow.com/a/56856410 might be useful for this discussion too.
Could you try to remove seccomp. The seccomp.json that Docker ships blocks the mount syscall, even if it was deemed safe by the kernel. IE non privileged mount is allowed for procfs/sysfs/bind mounts and fuse-mounts for non privileged users but it requires the mount syscall. The seccomp.json that we ship with Podman allows the mount syscall. You might need a couple of other syscalls that Docker blocks. Might be other issues as well. You could try to run podman within podman and see if this works.
This issue had no activity for 30 days. In the absence of activity or the "do-not-close" label, the issue will be automatically closed within 7 days.
We may want a tracker issue for this. I think we have 3-4 open issues about this.
@rhatdan, I believe you're working on this at the moment. Would you open a tracker issue?
I am using Docker, I do this in my Dockerfile. I do a build for go and libpod from scratch during docker build and also set the events_logger to file. The error went away. But I have another issue similar to this reported issue.

```
RUN sed -i 's/# events_logger = "journald"/events_logger = "file"/g' $GOPATH/src/github.com/containers/libpod/libpod.conf
RUN cp /var/go/src/github.com/containers/libpod/libpod.conf /etc/containers/
```
Currently this requires a privileged container and it requires you to mount a different volume on /var/lib/containers/
So I would assume this to work:
but it doesn't:
Actually to get this to work, you would need to use fuse-overlay, since you are not allowed to use overlay as non root.
This works
@rhatdan thanks for updates!
Don't really understand the question?
thank you for your patience :)!
does indeed work! But trying to execute anything fails, with networking errors:
Or:
Tried EDIT: Copied the wrong second example and clarified my question.
The newuidmap error in rootless mode vanishes if you assign a bigger subuid/subgid range on your host as you pointed out previously, e.g.:

```
sudo sh -c "echo $(id -un):100000:200000 >> /etc/subuid"
sudo sh -c "echo $(id -gn):100000:200000 >> /etc/subgid"
```

The file system error in my environment happens due to #8849: The error disappears when I
Though, when using docker to run the outer container, this is not necessary since
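The thread narrows the failures down to a few preconditions: newuidmap/newgidmap lacking setuid or file capabilities, a subuid/subgid range that is missing or too small (the "rootless single mapping" warning), a seccomp profile that filters mount(2), and the need for fuse-overlayfs as an unprivileged user. The script below is an added diagnostic, not part of podman or this issue; it checks those preconditions on the current host or inside the outer container. The `--live` argument, the function names and the sample file contents used for testing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the podman project): pre-flight checks for running
# rootless podman inside another container, based on the findings in this thread.

# subid_range_ok CONTENT USER [NEED]
# CONTENT is the text of /etc/subuid or /etc/subgid; returns 0 if USER has at
# least NEED ids allocated across all of their entries (default 65536, the size
# podman's stable image and the thread's examples use).
subid_range_ok() {
    _content=$1; _user=$2; _need=${3:-65536}
    _total=$(printf '%s\n' "$_content" | awk -F: -v u="$_user" '$1 == u { s += $3 } END { print s + 0 }')
    [ "$_total" -ge "$_need" ]
}

# uid_map_is_single CONTENT
# CONTENT is the text of /proc/self/uid_map as seen from a podman unshare;
# returns 0 when only one id is mapped, i.e. the "rootless single mapping"
# fallback the WARN line in this thread reports.
uid_map_is_single() {
    printf '%s\n' "$1" | awk '{ s += $3 } END { exit (s == 1) ? 0 : 1 }'
}

# newidmap_privileged PATH
# The new*map helpers need either the setuid bit or cap_setuid/cap_setgid file
# capabilities; the thread suspects the caps are lost in some images/overlayfs.
newidmap_privileged() {
    _path=$1
    [ -u "$_path" ] && return 0
    command -v getcap >/dev/null 2>&1 || return 1
    getcap "$_path" 2>/dev/null | grep -q 'cap_set'
}

# seccomp_mode: 0 = disabled, 1 = strict, 2 = filter (a profile is active and
# may reject mount(2), as Docker's default seccomp.json does).
seccomp_mode() {
    awk '/^Seccomp:/ { print $2 }' /proc/self/status
}

run_live_checks() {
    _rc=0
    _me=$(id -un)
    for _f in /etc/subuid /etc/subgid; do
        if [ -r "$_f" ] && subid_range_ok "$(cat "$_f")" "$_me"; then
            echo "ok: $_me has >= 65536 ids in $_f"
        else
            echo "PROBLEM: $_me lacks a sufficient range in $_f (expect the 'rootless single mapping' warning)"
            _rc=1
        fi
    done
    for _bin in newuidmap newgidmap; do
        _p=$(command -v "$_bin" 2>/dev/null)
        if [ -z "$_p" ]; then
            echo "PROBLEM: $_bin not found"; _rc=1
        elif newidmap_privileged "$_p"; then
            echo "ok: $_p is setuid or carries file capabilities"
        else
            echo "PROBLEM: $_p has neither setuid bit nor cap_setuid/cap_setgid"; _rc=1
        fi
    done
    if command -v fuse-overlayfs >/dev/null 2>&1; then
        echo "ok: fuse-overlayfs available (needed instead of native overlay as non-root)"
    else
        echo "PROBLEM: fuse-overlayfs missing"; _rc=1
    fi
    if [ "$(seccomp_mode)" = "2" ]; then
        echo "note: a seccomp filter is active; if the outer container used Docker's default profile, mount(2) may be blocked"
    fi
    return $_rc
}

case "${1:-}" in
    --live) run_live_checks ;;
esac
```

Run it with `--live` inside the outer container as the unprivileged user; each PROBLEM line maps to one of the fixes discussed above (extend /etc/subuid and /etc/subgid, restore the new*map privileges, install fuse-overlayfs, or use podman's seccomp profile).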
I just had some success here. This is with
We do *some* podman operations inside the COSA container. If running locally as the `builder` user podman will barf when trying to run newuidmap if we don't change up the subuid/subgid mappings. With this change we'll be able to test in our local rootless podman COSA container that `cosa push-container-manifest` works. In order to figure out this worked (at least for what limited podman manifest commands I'm running) I first followed the issue at [1] and realized I had success with the `quay.io/podman/stable` image and then looked inside the image to see what the mapping was. I then lifted the mapping from there [2] and applied it here and it works. Note that inside the pipeline right now (in OpenShift) we still run as a random user but that seems to still be working OK for us for pushing the manifest because it can't find the random UID/GID in /etc/{subuid,subgid} so it falls back to "rootless single mapping into the namespace". [1] containers/podman#4056 (comment) [2] https://github.com/containers/podman/blob/6e382d9ec2e6eb79a72537544341e496368b6c63/contrib/podmanimage/stable/Containerfile#L25-L26
/kind feature
Description
I tried to run rootless podman inside another privileged container. But namespaces mapping doesn't work.
Steps to reproduce the issue:
Describe the results you received:
rootless single mapping
Describe the results you expected:
Something like this
Additional information you deem important (e.g. issue happens only occasionally):
Output of `podman version`:
Output of `podman info --debug`:
Package info (e.g. output of `rpm -q podman` or `apt list podman`):
Additional environment details (AWS, VirtualBox, physical, etc.):
Hyper-V