On 18/05/2021 20:04, Daniel Walsh wrote:
> On 5/18/21 05:34, lejeczek via Podman wrote:
>
>
> On 17/05/2021 14:00, Daniel Walsh wrote:
>> On 5/15/21 11:21, lejeczek via Podman wrote:
>>> Hi guys.
>>>
>>> If I use 'uidmap' then container in a pod fails to
>>> start/run with:
>>>
>>> Error: error stat'ing file
>>>
>>> `/var/lib/containers/storage/overlay-containers/18df20ff42cbe9c48807ccd1a529696b93638d81a431161a94d7caeb1f2b6c2b/userdata/shm`:
>>> Permission denied: OCI permission denied
>>>
>>> Quite a few "OCI permission" around the net but none
>>> relating to that above I could find.
>>> What might be a solution for the issue?
>>> many thanks, L.
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> To unsubscribe send an email to
>>> podman-leave(a)lists.podman.io
>>
>> Your uid map needs to be a subsection of the UIDs
>> available within the container. Also depending on the
>> container technology used to launch the container, you
>> could get permission denied from SELinux, SECCOMP,
>> Dropped capabilities ...
> Does not seem like SELinux (I'll investigate for silent).
> I also make container 'privileged'. This is all as root
> and in terms of UIDs in the image - those look pretty
> "standard": all are =< 100 except for:
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
> nogroup:x:65534:
>
> Image itself is an Alpine with:
> UID_MIN 1000
> UID_MAX 60000
>
> and host's:
> -> $ cat /etc/subuid
> podmanic:100000:65536
> podmanic:200000:65536
> podmanic:300000:65536
> containers:400000:65536
>
> cmd's relevant bits:
> ... run --privileged --uidmap 0:400000:60000 -dt
> --restart=always --security-opt label=disable --pod
>
> The user running the container has to have control of
> UID=400000->4059999 inside of the container?
I've lost the plot I confess.
Before I emailed this thread
to the list I read this -
https://opensource.com/article/18/12/podman-and-user-namespaces
(by you I understand)
Like I said "..This is all as root.." so "..The user
running the container has.." got me lost.
I do (again all as root):
-> $ export _NAME=fedora; sudo podman run --uidmap
0:100000:5000 -d --restart=always --security-opt
label=disable --name ${_NAME} fedora sleep 1000
and that works. When I do:
-> $ export _NAME=alpine; sudo podman run --uidmap
0:100000:5000 -d --restart=always --security-opt
label=disable --name ${_NAME} alpine sleep 1000
that also works.
But this:
-> $ export _NAME=alpine; podman run --uidmap 0:100000:5000
-d --restart=always --security-opt label=disable
--pod=${_POD} --name ${_NAME}.${_PROJ} alpine sleep 1000
So.. I've only put it into a pod - the only change - and..
...
Error: error stat'ing file
`/var/lib/containers/storage/overlay-containers/ba4f379ff9350553fdcea63e713d73a2898636b44853a22f575495761921715a/userdata/shm`:
Permission denied: OCI permission denied
I still do not get what I'm missing from that realm of UID maps.
many thanks, L.
> I know nothing about SECCOMP and will have to research.
> many thanks, L.
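One way to make the "subsection of the UIDs available" condition from Daniel's reply concrete, as an added example that is not code from the thread or from the podman project: a POSIX sh function that tests whether the host side of a `--uidmap CONTAINER_ID:HOST_ID:SIZE` triple lies entirely inside one of a user's `/etc/subuid` ranges. The function names are hypothetical, and the subuid text is constructed from the lines quoted above rather than read from the real file.

```shell
#!/bin/sh
# Added example, not code from the thread: check that the host side of a
# podman --uidmap triple (CONTAINER_ID:HOST_ID:SIZE) sits entirely inside one
# subordinate UID range a user holds in /etc/subuid.
# SUBUID_SAMPLE is constructed from the /etc/subuid lines quoted in the thread.

SUBUID_SAMPLE='podmanic:100000:65536
podmanic:200000:65536
podmanic:300000:65536
containers:400000:65536'

# is_uint STRING -> 0 if STRING is a non-negative decimal integer
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# uidmap_fits USER MAP [SUBUID_TEXT]
# 0 if MAP's host range is inside one USER line, 1 if not, 2 on bad input.
uidmap_fits() {
    user=$1 map=$2 subuid=${3:-$SUBUID_SAMPLE}
    case $map in *:*:*) ;; *) echo "uidmap_fits: bad map '$map'" >&2; return 2 ;; esac
    # Split CONTAINER_ID:HOST_ID:SIZE; only the host side matters here.
    host_start=${map#*:}
    host_start=${host_start%%:*}
    size=${map##*:}
    is_uint "$host_start" && is_uint "$size" && [ "$size" -gt 0 ] ||
        { echo "uidmap_fits: bad map '$map'" >&2; return 2; }
    host_end=$((host_start + size - 1))
    # Here-document instead of a pipe so the loop runs in this shell.
    while IFS=: read -r u start count; do
        [ "$u" = "$user" ] || continue
        is_uint "$start" && is_uint "$count" || continue
        range_end=$((start + count - 1))
        if [ "$host_start" -ge "$start" ] && [ "$host_end" -le "$range_end" ]; then
            echo "$map fits $u:$start:$count (host UIDs $host_start-$host_end)"
            return 0
        fi
    done <<EOF
$subuid
EOF
    echo "$map: host UIDs $host_start-$host_end are not inside any range for $user" >&2
    return 1
}

# The --uidmap from the thread against both users in the sample.
uidmap_fits containers 0:400000:60000 || :
uidmap_fits podmanic 0:400000:60000 || :
```

A range that starts inside one subuid line but spills past its end (for example 0:160000:10000 for podmanic) is rejected, since the two podmanic ranges are not contiguous.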