Building a debian based podman-in-podman image

[flixman]

I am running on debian bullseye podman, and all works flawlessly. I want to use a gitea runner, for which I'd like to build a debian based image that allows me to run podman. To this end, I have the following Dockerfile:

FROM node:20-bullseye-slim as base
RUN apt update && \
    apt -y install git curl \
                   containers-storage fuse-overlayfs libvshadow-utils podman && \
    apt -y clean && rm -rf /var/lib/apt/lists/*

RUN useradd -m podman && \
    mkdir -p /home/podman/.config/containers /home/podman/.local/share/containers && \
    curl -s https://raw.githubusercontent.com/containers/image_build/main/podman/podman-containers.conf --output /home/podman/.config/containers/containers.conf && \
    chown podman:podman -R /home/podman && \
    curl -s https://raw.githubusercontent.com/containers/image_build/main/podman/containers.conf --output /etc/containers/containers.conf && \
    chmod 644 /etc/containers/containers.conf

RUN sed -e 's|^#mount_program|mount_program|g' \
        -e '/additionalimage.*/a "/var/lib/shared",' \
        -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
        -e 's|driver = ""|driver = "overlay"|' \
        /usr/share/containers/storage.conf > /etc/containers/storage.conf

VOLUME /var/lib/containers /home/podman/.local/share/containers

RUN mkdir -p /var/lib/shared/overlay-images \
             /var/lib/shared/overlay-layers \
             /var/lib/shared/vfs-images \
             /var/lib/shared/vfs-layers && \    
    touch /var/lib/shared/overlay-images/images.lock \
          /var/lib/shared/overlay-layers/layers.lock \
          /var/lib/shared/vfs-images/images.lock \
          /var/lib/shared/vfs-layers/layers.lock

ENV _CONTAINERS_USERNS_CONFIGURED=""

Should I build this image and run it with podman run --rm --security-opt label=disable --privileged node:20-bullseye-slimext podman info, all works. However, if I run it without the --privileged, then I get the following error: ``Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted```

I have seen that using the image from quay works, and tested it... but I have not found any that works with debian. Does anybody have any suggestion on what might be wrong?

[0mm-mark]

@flixman see https://samuel.forestier.app/blog/security/podman-rootless-in-podman-rootless-the-debian-way

HTH?