On 17/05/2021 14:00, Daniel Walsh wrote:
On 5/15/21 11:21, lejeczek via Podman wrote:
> Hi guys.
>
> If I use 'uidmap' then container in a pod fails to
> start/run with:
>
> Error: error stat'ing file
>
> `/var/lib/containers/storage/overlay-containers/18df20ff42cbe9c48807ccd1a529696b93638d81a431161a94d7caeb1f2b6c2b/userdata/shm`:
> Permission denied: OCI permission denied
>
> Quite a few "OCI permission" around the net but none
> relating to that above I could find.
> What might be a solution for the issue?
> many thanks, L.
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
Your uid map needs to be a subsection of the UIDs available
within the container. Also, depending on the container
technology used to launch the container, you could get
permission denied from SELinux, seccomp, dropped
capabilities ...
Does not seem like SELinux (I'll investigate for silent). I
also make the container 'privileged'. This is all as root, and in
terms of UIDs in the image those look pretty "standard":
all are <= 100 except for:
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
nogroup:x:65534:
Image itself is an Alpine with:
UID_MIN 1000
UID_MAX 60000
and host's:
-> $ cat /etc/subuid
podmanic:100000:65536
podmanic:200000:65536
podmanic:300000:65536
containers:400000:65536
cmd's relevant bits:
... run --privileged --uidmap 0:400000:60000 -dt
--restart=always --security-opt label=disable --pod
I know nothing about seccomp and will have to research.
many thanks, L.