can't start nginx image with runc and user namespaces (works with crun)

### Description

Trying to start a Kubernetes container with userns using the nginx official image, fails. This was reported here: https://github.com/containerd/containerd/issues/10598 by @ctrox.

@ctrox also found a workaround: add "tty: true" to the kubernetes pod makes it work. 

And a simpler repro:  just a container with userns that runs "cat /dev/stderr" also fails with permission denied.

I _guess_ you need to run detached (as containerd does) to hit this, otherwise it uses your shell and that probably works.

@ctrox thanks for the great bug report!

Sorry the brevity, I'm sick ATM. I'll add more info when I recover

### Steps to reproduce the issue

_No response_

### Describe the results you received and expected

Works, as without user namespaces.

### What version of runc are you using?

runc 1.2.0

### Host OS information

_No response_

### Host kernel information

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

can't start nginx image with runc and user namespaces (works with crun) #4475

Description

Steps to reproduce the issue

Describe the results you received and expected

What version of runc are you using?

Host OS information

Host kernel information

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

can't start nginx image with runc and user namespaces (works with crun) #4475

Description

Description

Steps to reproduce the issue

Describe the results you received and expected

What version of runc are you using?

Host OS information

Host kernel information

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions