Rootless podman in container fails to run

[jam49]

Issue Description

Running podman without the --privileged in a debian container fails with

jenkins@jc76d85739923:/tmp$ podman version
ERRO[0000] running `/usr/bin/newuidmap 74 0 1000 1 1 1 999 1000 1001 64535`: newuidmap: write to uid_map failed: Operation not permitted 

works fine with the --privileged flag

Steps to reproduce the issue

1. create a debian container, in this case use the jenkins:lts

FROM jenkins/jenkins:lts-jdk11
USER root
RUN apt-get update && \
    apt-get install -y -q curl gnupg2 wget tar ldap-utils uuid-runtime uidmap libseccomp-dev 
#... more stuff
RUN apt-get install -y iptables && \ 
    apt-get -qq -y install podman
#...more stuff
 USER jenkins
EXPOSE 8443
ENTRYPOINT ["./run.sh"]

3. build and run the container : with

podman exec  -it <name> /bin/bash

4. inside the container run podman :

podman version
ERRO[0000] running `/usr/bin/newuidmap 74 0 1000 1 1 1 999 1000 1001 64535`: newuidmap: write to uid_map failed: Operation not permitted 

Describe the results you received

I tried all the 'hacks' in the various other issues and no change.
eg added to dockerfile

    echo "jenkins:1:999\njenkins:1001:64535" >/etc/subuid; \ 
    echo "jenkins:1:999\njenkins:1001:64535" >/etc/subgid; \
    chmod 4755 /usr/bin/newgidmap; \
    chmod 4755 /usr/bin/newuidmap; 

same result

Describe the results you expected

Expect it to run.

Works with the --privileged flag passed in.
Note that neither of this commands will work without the above flag.

 podman version
Client:       Podman Engine
Version:      4.3.1
API Version:  4.3.1
Go Version:   go1.19.8
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/amd64

podman info output

podman version
Client:       Podman Engine
Version:      4.3.1
API Version:  4.3.1
Go Version:   go1.19.8
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/amd64

podman info
host:
  arch: amd64
  buildahVersion: 1.28.2
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.6+ds1-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.6, commit: unknown'
  cpuUtilization:
    idlePercent: 86.29
    systemPercent: 5.45
    userPercent: 8.26
  cpus: 1
  distribution:
    codename: bookworm
    distribution: debian
    version: "12"
  eventLogger: file
  hostname: c76d85739923
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 1
      size: 999
    - container_id: 1000
      host_id: 1001
      size: 64535
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 1
      size: 999
    - container_id: 1000
      host_id: 1001
      size: 64535
  kernel: 6.4.12-200.fc38.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 134582272
  memTotal: 2048716800
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun_1.8.1-1+b1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.1
      commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
      rundir: /tmp/podman-run-1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /tmp/podman-run-1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.0-1_amd64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 3h 23m 21.00s (Approximately 0.12 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries: {}
store:
  configFile: /var/jenkins_home/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /var/jenkins_home/.local/share/containers/storage
  graphRootAllocated: 106769133568
  graphRootUsed: 50960347136
  graphStatus: {}
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /tmp/podman-run-1000/containers
  volumePath: /var/jenkins_home/.local/share/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.19.8
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1

Podman in a container

Yes

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional environment details

jenkins@c76d85739923:/$ whoami
jenkins
jenkins@c76d85739923:/$ cat /etc/subuid
jenkins:1:999
jenkins:1001:64535
jenkins@c76d85739923:/$ cat /etc/subgid
jenkins:1:999
jenkins:1001:64535
jenkins@c76d85739923:/$

[rhatdan]

Try with --privileged=false --security-opt seccomp=unconfined
If it still fails try
--privileged=false --cap-add=all

[jam49]

the second command worked (--privileged=false --cap-add=all) the first did not.

[jam49]

can that be passed to the docker via a helm chart? or is it a k8 system thing?

[rhatdan]

That means it is not a seccomp issue but a capability issue.
Try with --privileged=false --cap-add=sys_admin

[rhatdan]

can that be passed to the docker via a helm chart? or is it a k8 system thing?
Hopefully you mean Podman, and I don't know helm charts, it can be passed via k8s.

[HorlogeSkynet]

(Hi, same issue over here with Debian rootfs 👋)

That means it is not a seccomp issue but a capability issue. Try with --privileged=false --cap-add=sys_admin

Indeed, CAP_SYS_ADMIN "solves" this issue.
Another interesting workaround is to prefer CAP_SETUID/CAP_SETGID on newuidmap/newgidmap binaries, instead of setuid flag (as official Fedora-based Podman image does) :

FROM debian:bookworm

# ...

RUN apt-get install -y libcap2-bin && \
    chmod 0755 /usr/bin/newuidmap /usr/bin/newgidmap && \
    setcap cap_setuid=ep /usr/bin/newuidmap && \
    setcap cap_setgid=ep /usr/bin/newgidmap && \
    apt-get autoremove --purge -y libcap2-bin

@rhatdan What do you think about this ? I can't manage to understand why rootless runtime fails to inherit "privileges" through setuid flags (--security-opt=no-new-privileges is not being enforced here).

[rhatdan]

SGTM and much better then using CAP_SYSADMIN.

[HorlogeSkynet]

Do you want us to provide further information to try to narrow this inconsistency down ?

[HorlogeSkynet]

So I've dug this issue down and written a blog post about it : https://samuel.forestier.app/blog/security/podman-rootless-in-podman-rootless-the-debian-way

TL; DR : It's a Debian issue related to compilation/packaging of shadow/uidmap and the workaround above applies accordingly.

Bye 👋

[jam49]

thx!

[jam49]

with

 setcap cap_setuid=ep /usr/bin/newuidmap && \
 setcap cap_setgid=ep /usr/bin/newgidmap && \

podman version with spit a chown error on the storage of the container.

Error: chown /var/jenkins_home/.local/share/containers/storage/vfs: operation not permitted

While stuffing podman into the jenkins:lts docker may seem weird, I see it as a common use case:
having a jenkins pipeline build with podman, rather then docker (which is obsolete/ depreciated on k8).

[rhatdan]

Are you running the podman within a container running as user podman, using the podman stable image? Or building your image that contains podman like the podman stable image.

https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile

[jam49]

as indicated above i am putting it into a jenkins container docker

[jam49]

I am alos getting this issue

Error: creating runtime static files directory: mkdir /var/lib/containers: read-only file system

which makes sense as the root of the docker is readonly
any way to move this directory location?

[rhatdan]

--root option on Podman will change the location, you can also do this in storage.conf