On 5/18/21 05:34, lejeczek via Podman wrote:
On 17/05/2021 14:00, Daniel Walsh wrote:
> On 5/15/21 11:21, lejeczek via Podman wrote:
>> Hi guys.
>>
>> If I use 'uidmap' then container in a pod fails to start/run with:
>>
>> Error: error stat'ing file
>> `/var/lib/containers/storage/overlay-containers/18df20ff42cbe9c48807ccd1a529696b93638d81a431161a94d7caeb1f2b6c2b/userdata/shm`:
>> Permission denied: OCI permission denied
>>
>> Quite a few "OCI permission" around the net but none relating to
>> that above I could find.
>> What might be a solution for the issue?
>> many thanks, L.
>> _______________________________________________
>> Podman mailing list -- podman(a)lists.podman.io
>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
> Your uid map needs to be a subsection of the UIDs available within the
> container. Also depending on the container technology used to launch
> the container, you could get permission denied from SELinux,
> SECCOMP, dropped capabilities ...
Does not seem like SELinux (I'll investigate for silent). I also make the
container 'privileged'. This is all as root and in terms of UIDs in
the image - those look pretty "standard": all are =< 100 except for:
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
nogroup:x:65534:
Image itself is an Alpine with:
UID_MIN 1000
UID_MAX 60000
and host's:
-> $ cat /etc/subuid
podmanic:100000:65536
podmanic:200000:65536
podmanic:300000:65536
containers:400000:65536
cmd's relevant bits:
... run --privileged --uidmap 0:400000:60000 -dt --restart=always
--security-opt label=disable --pod
The user running the container has to have control of
UID=400000->4059999 inside of the container?
I know nothing about SECCOMP and will have to research.
many thanks, L.
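A way to check the "subsection of the UIDs available" point from the reply above, as an added example that is not code from the thread or from podman: it reads /etc/subuid entries (user:start:count) and tests whether the host side of a --uidmap argument (container_start:host_start:length) lies entirely inside one allocation for a user. The check is for the rootless case; when podman runs as root the host side of --uidmap names real host UIDs directly and /etc/subuid is not what limits it.

```shell
#!/bin/sh
# Added example, not from the thread: does the host side of a --uidmap
# argument fit inside one /etc/subuid allocation for a given user?

# Constructed sample: the /etc/subuid contents quoted in the thread.
SUBUID_SAMPLE='podmanic:100000:65536
podmanic:200000:65536
podmanic:300000:65536
containers:400000:65536'

# uidmap_fits USER MAPPING [SUBUID_TEXT]
# MAPPING is container_start:host_start:length. Returns 0 when some entry
# for USER covers [host_start, host_start+length), 1 otherwise.
# Reads /etc/subuid when SUBUID_TEXT is not supplied.
uidmap_fits() {
    user=$1
    rest=${2#*:}                        # drop container_start
    host_start=${rest%%:*}
    length=${rest#*:}
    host_end=$((host_start + length))   # exclusive upper bound
    text=${3:-$(cat /etc/subuid)}
    while IFS=: read -r u start count; do
        [ "$u" = "$user" ] || continue
        if [ "$host_start" -ge "$start" ] && [ "$host_end" -le $((start + count)) ]; then
            return 0
        fi
    done <<EOF
$text
EOF
    return 1
}

# report_uidmap USER MAPPING SUBUID_TEXT: print the mapped host range and verdict.
report_uidmap() {
    r=${2#*:}
    lo=${r%%:*}
    hi=$((lo + ${r#*:} - 1))            # inclusive last host UID
    if uidmap_fits "$1" "$2" "$3"; then
        echo "$2: host UIDs $lo-$hi fit inside $1's subuid allocation"
    else
        echo "$2: host UIDs $lo-$hi are NOT all allocated to $1"
    fi
}

# The mapping from the command line quoted in the thread, checked against
# the 'containers' entry and against the 'podmanic' user.
report_uidmap containers 0:400000:60000 "$SUBUID_SAMPLE"
report_uidmap podmanic  0:400000:60000 "$SUBUID_SAMPLE"
```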