Rootless podman built using rootless podman is unable to run containers

[BhawaniSingh]

Issue Description

We have 3 different podman images:

1. Rootful podman image (lets say v1)
2. Rootless podman image (lets say v2) : its built by rootful podman (v1) image
3. Rootless podman image (lets say v3): its build by rootless podman (v2) image

output of capsh --print
for v2:

Current: =i
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Ambient set =
Current IAB: cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)

for v3:

Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Ambient set =
Current IAB: cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)

storage.conf

# This file is is the configuration file for all tools
# that use the containers/storage library. The storage.conf file
# overrides all other storage.conf files. Container engines using the
# container/storage library do not inherit fields from other storage.conf
# files.
#
#  Note: The storage.conf file overrides other storage.conf files based on this precedence:
#      /usr/containers/storage.conf
#      /etc/containers/storage.conf
#      $HOME/.config/containers/storage.conf
#      $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set)
# See man 5 containers-storage.conf for more information
# The "container storage" table contains all of the server options.
[storage]

# Default Storage Driver, Must be set for proper operation.
driver = "overlay"

# Temporary storage location
runroot = "/run/containers/storage"

# Primary Read/Write location of container storage
# When changing the graphroot location on an SELINUX system, you must
# ensure  the labeling matches the default locations labels with the
# following commands:
# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
# restorecon -R -v /NEWSTORAGEPATH
graphroot = "/var/lib/containers/storage"


# Storage path for rootless users
#
# rootless_storage_path = "$HOME/.local/share/containers/storage"

[storage.options]
# Storage options to be passed to underlying storage drivers

# AdditionalImageStores is used to pass paths to additional Read/Only image stores
# Must be comma separated list.
additionalimagestores = [
"/var/lib/shared"
]

# Allows specification of how storage is populated when pulling images. This
# option can speed the pulling process of images compressed with format
# zstd:chunked. Containers/storage looks for files within images that are being
# pulled from a container registry that were previously pulled to the host.  It
# can copy or create a hard link to the existing file when it finds them,
# eliminating the need to pull them from the container registry. These options
# can deduplicate pulling of content, disk storage of content and can allow the
# kernel to use less memory when running containers.

# containers/storage supports four keys
#   * enable_partial_images="true" | "false"
#     Tells containers/storage to look for files previously pulled in storage
#     rather then always pulling them from the container registry.
#   * use_hard_links = "false" | "true"
#     Tells containers/storage to use hard links rather then create new files in
#     the image, if an identical file already existed in storage.
#   * ostree_repos = ""
#     Tells containers/storage where an ostree repository exists that might have
#     previously pulled content which can be used when attempting to avoid
#     pulling content from the container registry
pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}

# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to the UIDs/GIDs as they should appear outside of the container,
# and the length of the range of UIDs/GIDs.  Additional mapped sets can be
# listed and will be heeded by libraries, but there are limits to the number of
# mappings which the kernel will allow when you later attempt to run a
# container.
#
# remap-uids = "0:1:999"
# remap-gids = "0:1001:64535"

# Remap-User/Group is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
# with an in-container ID of 0 and then a host-level ID taken from the lowest
# range that matches the specified name, and using the length of that range.
# Additional ranges are then assigned, using the ranges which specify the
# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
# until all of the entries have been used for maps.
#
# remap-user = "containers"
# remap-group = "containers"

# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partitioned
# to containers configured to create automatically a user namespace.  Containers
# configured to automatically create a user namespace can still overlap with containers
# having an explicit mapping set.
# This setting is ignored when running as rootless.
# root-auto-userns-user = "storage"
#
# Auto-userns-min-size is the minimum size for a user namespace created automatically.
# auto-userns-min-size=1024
#
# Auto-userns-max-size is the minimum size for a user namespace created automatically.
# auto-userns-max-size=65536

[storage.options.overlay]
# ignore_chown_errors can be set to allow a non privileged user running with
# a single UID within a user namespace to run containers. The user can pull
# and use any image even those with multiple uids.  Note multiple UIDs will be
# squashed down to the default uid in the container.  These images will have no
# separation between the users in the container. Only supported for the overlay
# and vfs drivers.
#ignore_chown_errors = "false"

# Inodes is used to set a maximum inodes of the container image.
# inodes = ""

# Path to an helper program to use for mounting the file system instead of mounting it
# directly.
mount_program = "/usr/bin/fuse-overlayfs"

# mountopt specifies comma separated list of extra mount options
mountopt = "nodev,fsync=0"

# Set to skip a PRIVATE bind mount on the storage home directory.
# skip_mount_home = "false"

# Size is used to set a maximum size of the container image.
# size = ""

# ForceMask specifies the permissions mask that is used for new files and
# directories.
#
# The values "shared" and "private" are accepted.
# Octal permission masks are also accepted.
#
#  "": No value specified.
#     All files/directories, get set with the permissions identified within the
#     image.
#  "private": it is equivalent to 0700.
#     All files/directories get set with 0700 permissions.  The owner has rwx
#     access to the files. No other users on the system can access the files.
#     This setting could be used with networked based homedirs.
#  "shared": it is equivalent to 0755.
#     The owner has rwx access to the files and everyone else can read, access
#     and execute them. This setting is useful for sharing containers storage
#     with other users.  For instance have a storage owned by root but shared
#     to rootless users as an additional store.
#     NOTE:  All files within the image are made readable and executable by any
#     user on the system. Even /etc/shadow within your image is now readable by
#     any user.
#
#   OCTAL: Users can experiment with other OCTAL Permissions.
#
#  Note: The force_mask Flag is an experimental feature, it could change in the
#  future.  When "force_mask" is set the original permission mask is stored in
#  the "user.containers.override_stat" xattr and the "mount_program" option must
#  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
#  extended attribute permissions to processes within containers rather than the
#  "force_mask"  permissions.
#
# force_mask = ""

[storage.options.thinpool]
# Storage Options for thinpool

# autoextend_percent determines the amount by which pool needs to be
# grown. This is specified in terms of % of pool size. So a value of 20 means
# that when threshold is hit, pool will be grown by 20% of existing
# pool size.
# autoextend_percent = "20"

# autoextend_threshold determines the pool extension threshold in terms
# of percentage of pool size. For example, if threshold is 60, that means when
# pool is 60% full, threshold has been hit.
# autoextend_threshold = "80"

# basesize specifies the size to use when creating the base device, which
# limits the size of images and containers.
# basesize = "10G"

# blocksize specifies a custom blocksize to use for the thin pool.
# blocksize="64k"

# directlvm_device specifies a custom block storage device to use for the
# thin pool. Required if you setup devicemapper.
# directlvm_device = ""

# directlvm_device_force wipes device even if device already has a filesystem.
# directlvm_device_force = "True"

# fs specifies the filesystem type to use for the base device.
# fs="xfs"

# log_level sets the log level of devicemapper.
# 0: LogLevelSuppress 0 (Default)
# 2: LogLevelFatal
# 3: LogLevelErr
# 4: LogLevelWarn
# 5: LogLevelNotice
# 6: LogLevelInfo
# 7: LogLevelDebug
# log_level = "7"

# min_free_space specifies the min free space percent in a thin pool require for
# new device creation to succeed. Valid values are from 0% - 99%.
# Value 0% disables
# min_free_space = "10%"

# mkfsarg specifies extra mkfs arguments to be used when creating the base
# device.
# mkfsarg = ""

# metadata_size is used to set the `pvcreate --metadatasize` options when
# creating thin devices. Default is 128k
# metadata_size = ""

# Size is used to set a maximum size of the container image.
# size = ""

# use_deferred_removal marks devicemapper block device for deferred removal.
# If the thinpool is in use when the driver attempts to remove it, the driver
# tells the kernel to remove it as soon as possible. Note this does not free
# up the disk space, use deferred deletion to fully remove the thinpool.
# use_deferred_removal = "True"

# use_deferred_deletion marks thinpool device for deferred deletion.
# If the device is busy when the driver attempts to delete it, the driver
# will attempt to delete device every 30 seconds until successful.
# If the program using the driver exits, the driver will continue attempting
# to cleanup the next time the driver is used. Deferred deletion permanently
# deletes the device and all data stored in device will be lost.
# use_deferred_deletion = "True"

# xfs_nospace_max_retries specifies the maximum number of retries XFS should
# attempt to complete IO when ENOSPC (no space) error is returned by
# underlying storage device.
# xfs_nospace_max_retries = "0"

Steps to reproduce the issue

Steps to reproduce the issue

1. Built attach dockerfile using rootless podman
2. Use that (image from step 1) image to build the podman image again
3. Now using the container built by stage 2 image, try to run any docker image

Dockerfile

FROM alpine:3.17

RUN apk update && \
    apk add shadow bash doas slirp4netns fuse-overlayfs openrc iptables openssh-client podman podman-remote curl jq curl git unzip groff openssh libcap && \
    rm -rf /var/cache/apk/*
ENV USER=jenkins


RUN useradd $USER -u 1300; \
	echo -e "$USER:1:1299\n$USER:1301:64235" > /etc/subuid; \
	echo -e "$USER:1:1299\n$USER:1301:64235" > /etc/subgid; \
    echo "rc_cgroup_mode=\"unified\"" >> /etc/rc.conf

ADD conf/containers /etc/containers
RUN mkdir -p /home/$USER/.local/share/containers && \
    chown $USER:$USER -R /home/$USER && \
    chmod 644 /etc/containers/containers.conf

RUN mkdir -p /var/lib/shared/overlay-images \
             /var/lib/shared/overlay-layers \
             /var/lib/shared/vfs-images \
             /var/lib/shared/vfs-layers && \
    touch /var/lib/shared/overlay-images/images.lock && \
    touch /var/lib/shared/overlay-layers/layers.lock && \
    touch /var/lib/shared/vfs-images/images.lock && \
    touch /var/lib/shared/vfs-layers/layers.lock

ENV _CONTAINERS_USERNS_CONFIGURED=""

Describe the results you received

Container \"1eebaf4498d93faf7d3a77fdaf7539723bcb525c7087b7687d02377cb4c907a8\" has run directory \"/tmp/podman-run-1300/containers/overlay-containers/1eebaf4498d93faf7d3a77fdaf7539723bcb525c7087b7687d02377cb4c907a8/userdata\""
Error: chown /tmp/podman-run-1300/containers/overlay-containers/1eebaf4498d93faf7d3a77fdaf7539723bcb525c7087b7687d02377cb4c907a8/userdata: operation not permitted

Describe the results you expected

Podman (rootless podman image built using rootless podman) should be able to run the container

podman info output

host:
  arch: amd64
  buildahVersion: 1.28.0
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.1.7-r0
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: unknown'
  cpuUtilization:
    idlePercent: 88.35
    systemPercent: 2.08
    userPercent: 9.57
  cpus: 8
  distribution:
    distribution: alpine
    version: 3.17.3
  eventLogger: file
  hostname: maven-23109924240695-build-pod
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1300
      size: 1
    - container_id: 1
      host_id: 1
      size: 1299
    - container_id: 1300
      host_id: 1301
      size: 64235
    uidmap:
    - container_id: 0
      host_id: 1300
      size: 1
    - container_id: 1
      host_id: 1
      size: 1299
    - container_id: 1300
      host_id: 1301
      size: 64235
  kernel: 5.4.228-131.415.amzn2.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 14016282624
  memTotal: 33185656832
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.7.2-r0
    path: /usr/bin/crun
    version: |-
      crun version 1.7.2
      commit: 0356bf4aff9a133d655dc13b1d9ac9424706cac4
      rundir: /tmp/podman-run-1300/crun
      spec: 1.0.0
      +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /tmp/podman-run-1300/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-r0
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 1532h 14m 37.00s (Approximately 63.83 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /home/jenkins/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 31526391808
  graphRootUsed: 2125824
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /tmp/podman-run-1300/containers
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 1681198015
  BuiltTime: Tue Apr 11 07:26:55 2023
  GitCommit: ""
  GoVersion: go1.19.8
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1

Podman in a container

Yes

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

Its running on kubenetes

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[BhawaniSingh]

For context:
We have 3 different podman images:

1. Rootful podman image (lets say v1)
2. Rootless podman image (lets say v2) : its built by rootful podman (v1) image
3. Rootless podman image (lets say v3): its build by rootless podman (v2) image

I think the file permissions are wrong
When I run podman in v2 image, Folder permissions are as follows:

drwx------ 3 jenkins jenkins 24 Apr 21 06:29 containers-user-1300
drwx------ 5 jenkins jenkins 50 Apr 21 06:29 podman-run-1300
drwx------ 2 jenkins jenkins 22 Apr 21 06:29 ssh-XXXXXXaFPdCL

When I run podman in v3 image, folder permissions are as follows:

drwx--S--- 3 jenkins root 24 Apr 21 06:27 containers-user-1300
drwx--S--- 5 jenkins root 50 Apr 21 06:27 podman-run-1300
drwx--S--- 2 jenkins root 22 Apr 21 06:27 ssh-XXXXXXKBpPnP

[rhatdan]

From the podman info above it looks like you are trying to run rootless container on a rootful congainers/storage?

graphRoot: /var/lib/containers/storage

This should be something like:

/home/jenkins/.local/share/containers/storage

[BhawaniSingh]

@rhatdan /var/lib/containers/storage is owned by Jenkins user

[BhawaniSingh]

I ran podman with the strace -v

For problematic rootless podman, st_gid is set to 0 which is root and st_mode has flag S_ISGID

newfstatat(AT_FDCWD, "/tmp/podman-run-1300", {st_dev=makedev(0, 0x13d), st_ino=815330, st_mode=S_IFDIR|S_ISGID|0700, st_nlink=5, st_uid=1300, st_gid=0, st_blksize=4096, st_blocks=0, st_size=50, st_atime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_atime_nsec=596145767, st_mtime=1682070141 /* 2023-04-21T09:42:21.496161571+0000 */, st_mtime_nsec=496161571, st_ctime=1682070141 /* 2023-04-21T09:42:21.496161571+0000 */, st_ctime_nsec=496161571}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/tmp/podman-run-1300/containers", {st_dev=makedev(0, 0x13d), st_ino=4283516, st_mode=S_IFDIR|S_ISGID|0700, st_nlink=7, st_uid=1300, st_gid=0, st_blksize=4096, st_blocks=0, st_size=123, st_atime=1682070140 /* 2023-04-21T09:42:20.600145837+0000 */, st_atime_nsec=600145837, st_mtime=1682070141 /* 2023-04-21T09:42:21.392159745+0000 */, st_mtime_nsec=392159745, st_ctime=1682070141 /* 2023-04-21T09:42:21.392159745+0000 */, st_ctime_nsec=392159745}, 0) = 0


newfstatat(AT_FDCWD, "/tmp/podman-run-1300", {st_dev=makedev(0, 0x13d), st_ino=815330, st_mode=S_IFDIR|S_ISGID|0700, st_nlink=5, st_uid=1300, st_gid=0, st_blksize=4096, st_blocks=0, st_size=50, st_atime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_atime_nsec=596145767, st_mtime=1682070141 /* 2023-04-21T09:42:21.496161571+0000 */, st_mtime_nsec=496161571, st_ctime=1682070141 /* 2023-04-21T09:42:21.496161571+0000 */, st_ctime_nsec=496161571}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/tmp/podman-run-1300/containers", {st_dev=makedev(0, 0x13d), st_ino=4283516, st_mode=S_IFDIR|S_ISGID|0700, st_nlink=7, st_uid=1300, st_gid=0, st_blksize=4096, st_blocks=0, st_size=123, st_atime=1682070140 /* 2023-04-21T09:42:20.600145837+0000 */, st_atime_nsec=600145837, st_mtime=1682070141 /* 2023-04-21T09:42:21.392159745+0000 */, st_mtime_nsec=392159745, st_ctime=1682070141 /* 2023-04-21T09:42:21.392159745+0000 */, st_ctime_nsec=392159745}, AT_SYMLINK_NOFOLLOW) = 0


newfstatat(AT_FDCWD, "/tmp/containers-user-1300", {st_dev=makedev(0, 0x13d), st_ino=2633820, st_mode=S_IFDIR|S_ISGID|0700, st_nlink=3, st_uid=1300, st_gid=0, st_blksize=4096, st_blocks=0, st_size=24, st_atime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_atime_nsec=596145767, st_mtime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_mtime_nsec=596145767, st_ctime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_ctime_nsec=596145767}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/tmp/containers-user-1300", {st_dev=makedev(0, 0x13d), st_ino=2633820, st_mode=S_IFDIR|S_ISGID|0700, st_nlink=3, st_uid=1300, st_gid=0, st_blksize=4096, st_blocks=0, st_size=24, st_atime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_atime_nsec=596145767, st_mtime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_mtime_nsec=596145767, st_ctime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_ctime_nsec=596145767}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/tmp/containers-user-1300/containers", {st_dev=makedev(0, 0x13d), st_ino=3456183, st_mode=S_IFDIR|S_ISGID|0700, st_nlink=2, st_uid=1300, st_gid=0, st_blksize=4096, st_blocks=0, st_size=6, st_atime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_atime_nsec=596145767, st_mtime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_mtime_nsec=596145767, st_ctime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_ctime_nsec=596145767}, 0) = 0

ewfstatat(AT_FDCWD, "/tmp/containers-user-1300", {st_dev=makedev(0, 0x13d), st_ino=2633820, st_mode=S_IFDIR|S_ISGID|0700, st_nlink=3, st_uid=1300, st_gid=0, st_blksize=4096, st_blocks=0, st_size=24, st_atime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_atime_nsec=596145767, st_mtime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_mtime_nsec=596145767, st_ctime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_ctime_nsec=596145767}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/tmp/containers-user-1300/containers", {st_dev=makedev(0, 0x13d), st_ino=3456183, st_mode=S_IFDIR|S_ISGID|0700, st_nlink=2, st_uid=1300, st_gid=0, st_blksize=4096, st_blocks=0, st_size=6, st_atime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_atime_nsec=596145767, st_mtime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_mtime_nsec=596145767, st_ctime=1682070140 /* 2023-04-21T09:42:20.596145767+0000 */, st_ctime_nsec=596145767}, AT_SYMLINK_NOFOLLOW) = 0

Whereas for working rootless podman, correct value for st_gid is being passed

newfstatat(AT_FDCWD, "/tmp/podman-run-1300", {st_dev=makedev(0, 0x1f0), st_ino=71324018, st_mode=S_IFDIR|0700, st_nlink=5, st_uid=1300, st_gid=1300, st_blksize=4096, st_blocks=0, st_size=50, st_atime=1682070301 /* 2023-04-21T09:45:01.710972927+0000 */, st_atime_nsec=710972927, st_mtime=1682070302 /* 2023-04-21T09:45:02.514987032+0000 */, st_mtime_nsec=514987032, st_ctime=1682070302 /* 2023-04-21T09:45:02.514987032+0000 */, st_ctime_nsec=514987032}, 0) = 0
newfstatat(AT_FDCWD, "/tmp/podman-run-1300", {st_dev=makedev(0, 0x1f0), st_ino=71324018, st_mode=S_IFDIR|0700, st_nlink=5, st_uid=1300, st_gid=1300, st_blksize=4096, st_blocks=0, st_size=50, st_atime=1682070301 /* 2023-04-21T09:45:01.710972927+0000 */, st_atime_nsec=710972927, st_mtime=1682070302 /* 2023-04-21T09:45:02.514987032+0000 */, st_mtime_nsec=514987032, st_ctime=1682070302 /* 2023-04-21T09:45:02.514987032+0000 */, st_ctime_nsec=514987032}, 0) = 0


newfstatat(AT_FDCWD, "/tmp/containers-user-1300", {st_dev=makedev(0, 0x1f0), st_ino=73451792, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=1300, st_gid=1300, st_blksize=4096, st_blocks=0, st_size=24, st_atime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_atime_nsec=714972998, st_mtime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_mtime_nsec=714972998, st_ctime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_ctime_nsec=714972998}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/tmp/containers-user-1300", {st_dev=makedev(0, 0x1f0), st_ino=73451792, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=1300, st_gid=1300, st_blksize=4096, st_blocks=0, st_size=24, st_atime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_atime_nsec=714972998, st_mtime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_mtime_nsec=714972998, st_ctime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_ctime_nsec=714972998}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/tmp/containers-user-1300/containers", {st_dev=makedev(0, 0x1f0), st_ino=74464628, st_mode=S_IFDIR|0700, st_nlink=2, st_uid=1300, st_gid=1300, st_blksize=4096, st_blocks=0, st_size=6, st_atime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_atime_nsec=714972998, st_mtime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_mtime_nsec=714972998, st_ctime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_ctime_nsec=714972998}, 0) = 0


newfstatat(AT_FDCWD, "/tmp/containers-user-1300", {st_dev=makedev(0, 0x1f0), st_ino=73451792, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=1300, st_gid=1300, st_blksize=4096, st_blocks=0, st_size=24, st_atime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_atime_nsec=714972998, st_mtime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_mtime_nsec=714972998, st_ctime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_ctime_nsec=714972998}, AT_SYMLINK_NOFOLLOW) = 0
newfstatat(AT_FDCWD, "/tmp/containers-user-1300/containers", {st_dev=makedev(0, 0x1f0), st_ino=74464628, st_mode=S_IFDIR|0700, st_nlink=2, st_uid=1300, st_gid=1300, st_blksize=4096, st_blocks=0, st_size=6, st_atime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_atime_nsec=714972998, st_mtime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_mtime_nsec=714972998, st_ctime=1682070301 /* 2023-04-21T09:45:01.714972998+0000 */, st_ctime_nsec=714972998}, AT_SYMLINK_NOFOLLOW) = 0

[rhatdan]

Root is not mapped to within the user namespace, which is probably causing the issue. This definitely does not look like a bug in Podman, since you have a funky setup so I am moving this to a discussion.

[BhawaniSingh]

Root is not mapped to within the user namespace, which is probably causing the issue
How can I be test that root is mapped properly?