podman run --user option seems not to work?

[andrasi]

Hello!

I've built podman & all its dependencies (e.g. crun, slirp4netns, etc.) for an embedded project I have and compared to any other traditional installation (e.g. Fedora, Ubuntu), when using podman run --user someuid:somegid ... the process running inside the container still shows up as owned by the host user (unprivileged) which started the container.

e.g.:

Fedora, expected behavior

My project:

I would've expected to see the UID change to that which was specified (of course, subuid+offset) as it happens in Fedora/Ubuntu.

I am still digging around to understand what is different in my setup compared to a traditional distro installation.

Do you have any ideas?

Thank you!

[rhatdan]

rootless Podman is entering a user namespace before configuring and launching the container.

Your App must be setuid to launch or process with a separate UID,without using the user namespace.

[andrasi]

Hello Daniel,

Thank you for your answer.

I've already set the /etc/subuid and /etc/subgid for that appl user.

both subuid and subgid (there's also a group with the same name as the user) files have an entry:
appl:100000:65536

Regarding rootless. I've just noticed if I do podman info it shows under security rootless: false.
I don't know exactly where this came from or how to explicitly set it to true. I've compared the containers.conf for both a Fedora and my installation and they look the same.

What am I missing?

Thank you.

[rhatdan]

Could you do
$ podman system migrate
$ podman unshare cat /proc/self/uid_map

[andrasi]

Hello Daniel,

I executed those 2 commands and now podman info shows rootless:true.
For the unshare command I get the following:

0 20000 1 1 100000 65536
Where 20000 is the UID of my host user.

Still, if I spawn a busybox container and run it with -u someid, the process running inside (sleep in this case) still shows on host as running under my appl host user.

What else should I check?

Thank you!

[rhatdan]

$ podman run -d --name test --user 100 fedora sleep 1000
Resolved "fedora" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob 62946078034b done  
Copying config 2ecb6df959 done  
Writing manifest to image destination
Storing signatures
017fac3c9b974ca6a4ee183708beccaaeec44e21a814d364d05ffb8d8bb2fdfd
$ podman top test user huser
USER        HUSER
100         100099
$ podman unshare cat /proc/self/uid_map 
         0       3267          1
         1     100000      65536

[rhatdan]

What do you see?

[andrasi]

Hello Daniel, Giuseppe,

[appl@armbox ~]$ podman run --rm --name test --user 100 localhost/arm64v8/fedora:36 id
uid=0(root) gid=0(root) groups=0(root)

To answer Giuseppes question:

The only change in containers.conf between my setup and Fedora 36 is the following:

env = [
    "XDG_RUNTIME_DIR=/opt/containers/storage/${USER}"
]

If it matters, regarding compiler flags used:

For crun I've used:
--enable-embedded-yajl --disable-caps --disable-systemd

For podman:

BUILDTAGS_CROSS="containers_image_openpgp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper exclude_graphdriver_overlay seccomp"

One remark:

If I replace the engine from crun to runc I get the desired behavior like on Fedora.
Still, I need to use crun in order to benefit of having configurable resource limits for rootless containers (e.g. mem, cpu, etc.).

What else can I check?

Thank you both!

[giuseppe]

I think that could be caused by --disable-caps

[giuseppe]

could you try to apply the following patch to crun:

diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
index deb20a8..6ae81ce 100644
--- a/src/libcrun/linux.c
+++ b/src/libcrun/linux.c
@@ -2975,6 +2975,15 @@ set_required_caps (struct all_caps_s *caps, uid_t uid, gid_t gid, int no_new_pri
           return crun_make_error (err, errno, "prctl ambient raise");
       }
 #  endif
+
+#else
+  ret = setresgid (gid, gid, gid);
+  if (UNLIKELY (ret < 0))
+    return crun_make_error (err, errno, "cannot setresgid to %d", gid);
+
+  ret = setresuid (uid, uid, uid);
+  if (UNLIKELY (ret < 0))
+    return crun_make_error (err, errno, "cannot setresuid to %d", uid);
 #endif
 
   if (no_new_privs)

[andrasi]

Grazie Giuseppe,

I'll try it and come back with feedback.

[andrasi]

Hello Daniel @rhatdan , Giuseppe @giuseppe ,

The problem was from having crun built without cap support (--disable-caps).
Now the -u works as on Fedora/intended.

Thank you both for the help!

Wish you a nice day and (soon) weekend!