Cannot Create Pods In Fedora IoT

[j0hann3s]

I tried to create a pod with rootless Podman but I am hitting some permission issue which does not seem to result from SELinux while having it in permissive mode. This is the command executed for creating the pod is:

podman pod create --name local

And this is the error I am getting:

Error: building local pause image: building at STEP "COPY /usr/libexec/podman/catatonit /catatonit": storing "/usr/libexec/podman/catatonit": error during bulk transfer for copier.request{Request:"PUT", Root:"/", preservedRoot:"/var/home/user/.local/share/containers/storage/overlay/e5485744b7f814fbadffbaa4ea13a79b1be32ddccc71c6637debddb0d75ed37a/merged", rootPrefix:"/var/home/user/.local/share/containers/storage/overlay/e5485744b7f814fbadffbaa4ea13a79b1be32ddccc71c6637debddb0d75ed37a/merged", Directory:"/", preservedDirectory:"/var/home/user/.local/share/containers/storage/overlay/e5485744b7f814fbadffbaa4ea13a79b1be32ddccc71c6637debddb0d75ed37a/merged", Globs:[]string{}, preservedGlobs:[]string{}, StatOptions:copier.StatOptions{CheckForArchives:false, Excludes:[]string(nil)}, GetOptions:copier.GetOptions{UIDMap:[]idtools.IDMap(nil), GIDMap:[]idtools.IDMap(nil), Excludes:[]string(nil), ExpandArchives:false, ChownDirs:(*idtools.IDPair)(nil), ChmodDirs:(*fs.FileMode)(nil), ChownFiles:(*idtools.IDPair)(nil), ChmodFiles:(*fs.FileMode)(nil), StripSetuidBit:false, StripSetgidBit:false, StripStickyBit:false, StripXattrs:false, KeepDirectoryNames:false, Rename:map[string]string(nil), NoDerefSymlinks:false, IgnoreUnreadable:false, NoCrossDevice:false}, PutOptions:copier.PutOptions{UIDMap:[]idtools.IDMap{}, GIDMap:[]idtools.IDMap{}, DefaultDirOwner:(*idtools.IDPair)(0xc000221200), DefaultDirMode:(*fs.FileMode)(nil), ChownDirs:(*idtools.IDPair)(nil), ChmodDirs:(*fs.FileMode)(nil), ChownFiles:(*idtools.IDPair)(nil), ChmodFiles:(*fs.FileMode)(nil), StripSetuidBit:false, StripSetgidBit:false, StripStickyBit:false, StripXattrs:false, IgnoreXattrErrors:false, IgnoreDevices:true, NoOverwriteDirNonDir:false, NoOverwriteNonDirDir:false, Rename:map[string]string(nil)}, MkdirOptions:copier.MkdirOptions{UIDMap:[]idtools.IDMap(nil), GIDMap:[]idtools.IDMap(nil), ChownNew:(*idtools.IDPair)(nil), ChmodNew:(*fs.FileMode)(nil)}, RemoveOptions:copier.RemoveOptions{All:false}}: copier: put: error setting extended attributes on "/catatonit": setting value of extended attribute "security.ima" on "/catatonit": operation not permitted

This discussion #22743 mentions something similar for Fedora IoT.
Podman version: 5.0.3
Fedora IoT version: 40.20240520.0 (2024-05-20T13:30:56Z)

Does anybody have a similar problem?

EDIT:

I found something related (#18543 ) where a temporary fix is:

If you don't need IMA, remove the rpm-plugin-ima package and reinstall podman.
Alternatively, build the pause container as root, save it and load it as the target user.

However, I do not have the rpm-plugin-ima package installed to begin with and the second alternative is nothing I have ever heard of or done. Could someone give me some pseudocode pointing to how this would look like? Transporting paused containers from the sound of it?

From the looks of it, no one using Fedora IoT (and other rpm-ostree based systems like Silverblue) can create pods with rootless containers.

[edsantiago]

Looks like your filesystem doesn't have extended attribute support enabled. Can you try:

$ touch /var/home/user/myfile
$ setfattr -n user.foo -v bar /var/home/user/myfile

[j0hann3s]

The commands you suggested are working for me. I got btrfs as root filesystem. Executing
getfattr /var/home/user/myfile
results in:

getfattr: Removing leading '/' from absolute path names
# file: var/home/user/myfile
user.foo

[rhatdan]

Rootful or rootless?

Do any podman commands work?

podman run fedora echo hi

[j0hann3s]

Rootful works, but rootless fails. Everything else works. The podman command works as expected.

[Luap99]

Looks like IMA attributes have been added to fedora IoT, I would suggest you ask over there what is adding them and if there is a way to remove them from catatonit

Anyhow podman should likely not refuse to work in such a case, I consider this being tracked in #18543

[j0hann3s]

Gotcha! Your comment in #18543 worked in the mean time. For anybody looking at this, this is what helped: #18543 (comment)

[spider-one]

Just for reference this was reported a few weeks ago on Red Hat Bugzilla for Fedora IoT.

https://bugzilla.redhat.com/show_bug.cgi?id=2277581