So I have an i686 laptop that I use for my experiments, and I'm encountering issues while trying to set up rootless podman using the documentation from the Arch Linux wiki. I tried Superuser some weeks ago, but no luck with the responses...
I have made sure to set up the subuid/subgid, install crun and switch to cgroups v2.
Here is what I see when I try to launch a rootless pod as my user atostivint:
# cat /etc/subuid
atostivint:165536:65537
# cat /etc/subgid
atostivint:165536:65537
users:231073:65537
# podman info --log-level debug
INFO[0001] podman filtering at log level debug
DEBU[0001] Called info.PersistentPreRunE(podman info --log-level debug)
DEBU[0001] Reading configuration file "/usr/share/containers/containers.conf"
DEBU[0001] Merged system config "/usr/share/containers/containers.conf": &{Containers:{Devices:[] Volumes:[] ApparmorProfile:containers-default-0.22.0 Annotations:[] CgroupNS:private Cgroups:enabled DefaultCapabilities:[CHOWN DAC_OVERRIDE FOWNER FSETID KILL NET_BIND_SERVICE SETFCAP SETGID SETPCAP SETUID SYS_CHROOT] DefaultSysctls:[net.ipv4.ping_group_range=0 0] DefaultUlimits:[] DefaultMountsFile: DNSServers:[] DNSOptions:[] DNSSearches:[] EnableLabeling:false Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm] EnvHost:false HTTPProxy:false Init:false InitPath: IPCNS:private LogDriver:k8s-file LogSizeMax:-1 NetNS:slirp4netns NoHosts:false PidsLimit:2048 PidNS:private SeccompProfile:/usr/share/containers/seccomp.json ShmSize:65536k TZ: Umask:0022 UTSNS:private UserNS:host UserNSSize:65536} Engine:{CgroupCheck:false CgroupManager:systemd ConmonEnvVars:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] ConmonPath:[/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] DetachKeys:ctrl-p,ctrl-q EnablePortReservation:true Env:[] EventsLogFilePath:/run/user/1000/libpod/tmp/events/events.log EventsLogger:journald HooksDir:[/usr/share/containers/oci/hooks.d] ImageDefaultTransport:docker:// InfraCommand:/pause InfraImage:k8s.gcr.io/pause:3.2 InitPath:/usr/libexec/podman/catatonit LockType:shm MultiImageArchive:false Namespace: NetworkCmdPath: NoPivotRoot:false NumLocks:2048 OCIRuntime:crun OCIRuntimes:map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] PullPolicy:missing Remote:false RemoteURI: RemoteIdentity: ActiveService: ServiceDestinations:map[] RuntimePath:[] RuntimeSupportsJSON:[crun runc] RuntimeSupportsNoCgroups:[crun] RuntimeSupportsKVM:[kata kata-runtime kata-qemu kata-fc] SetOptions:{StorageConfigRunRootSet:false StorageConfigGraphRootSet:false StorageConfigGraphDriverNameSet:false StaticDirSet:false VolumePathSet:false TmpDirSet:false} SignaturePolicyPath:/etc/containers/policy.json SDNotify:false StateType:3 StaticDir:/home/atostivint/.local/share/containers/storage/libpod StopTimeout:10 TmpDir:/run/user/1000/libpod/tmp VolumePath:/home/atostivint/.local/share/containers/storage/volumes} Network:{CNIPluginDirs:[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] DefaultNetwork:podman NetworkConfigDir:/home/atostivint/.config/cni/net.d}}
DEBU[0001] Reading configuration file "/etc/containers/containers.conf"
DEBU[0001] Merged system config "/etc/containers/containers.conf": &{Containers:{Devices:[] Volumes:[] ApparmorProfile:containers-default-0.22.0 Annotations:[] CgroupNS:private Cgroups:enabled DefaultCapabilities:[CHOWN DAC_OVERRIDE FOWNER FSETID KILL NET_BIND_SERVICE SETFCAP SETGID SETPCAP SETUID SYS_CHROOT] DefaultSysctls:[net.ipv4.ping_group_range=0 0] DefaultUlimits:[] DefaultMountsFile: DNSServers:[] DNSOptions:[] DNSSearches:[] EnableLabeling:false Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm] EnvHost:false HTTPProxy:false Init:false InitPath: IPCNS:private LogDriver:k8s-file LogSizeMax:-1 NetNS:slirp4netns NoHosts:false PidsLimit:2048 PidNS:private SeccompProfile:/usr/share/containers/seccomp.json ShmSize:65536k TZ: Umask:0022 UTSNS:private UserNS:host UserNSSize:65536} Engine:{CgroupCheck:false CgroupManager:systemd ConmonEnvVars:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] ConmonPath:[/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] DetachKeys:ctrl-p,ctrl-q EnablePortReservation:true Env:[] EventsLogFilePath:/run/user/1000/libpod/tmp/events/events.log EventsLogger:journald HooksDir:[/usr/share/containers/oci/hooks.d] ImageDefaultTransport:docker:// InfraCommand:/pause InfraImage:k8s.gcr.io/pause:3.2 InitPath:/usr/libexec/podman/catatonit LockType:shm MultiImageArchive:false Namespace: NetworkCmdPath: NoPivotRoot:false NumLocks:2048 OCIRuntime:crun OCIRuntimes:map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] PullPolicy:missing Remote:false RemoteURI: RemoteIdentity: ActiveService: ServiceDestinations:map[] RuntimePath:[] RuntimeSupportsJSON:[crun runc] RuntimeSupportsNoCgroups:[crun] RuntimeSupportsKVM:[kata kata-runtime kata-qemu kata-fc] SetOptions:{StorageConfigRunRootSet:false StorageConfigGraphRootSet:false StorageConfigGraphDriverNameSet:false StaticDirSet:false VolumePathSet:false TmpDirSet:false} SignaturePolicyPath:/etc/containers/policy.json SDNotify:false StateType:3 StaticDir:/home/atostivint/.local/share/containers/storage/libpod StopTimeout:10 TmpDir:/run/user/1000/libpod/tmp VolumePath:/home/atostivint/.local/share/containers/storage/volumes} Network:{CNIPluginDirs:[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] DefaultNetwork:podman NetworkConfigDir:/home/atostivint/.config/cni/net.d}}
DEBU[0001] Using conmon: "/usr/bin/conmon"
DEBU[0001] Initializing boltdb state at /home/atostivint/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0002] Using graph driver overlay
DEBU[0002] Using graph root /home/atostivint/.local/share/containers/storage
DEBU[0002] Using run root /run/user/1000/containers
DEBU[0002] Using static dir /home/atostivint/.local/share/containers/storage/libpod
DEBU[0002] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0002] Using volume path /home/atostivint/.local/share/containers/storage/volumes
DEBU[0002] Set libpod namespace to ""
DEBU[0002] Not configuring container store
DEBU[0002] Initializing event backend journald
DEBU[0002] using runtime "/usr/bin/crun"
WARN[0002] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument
DEBU[0002] using runtime "/usr/bin/runc"
cannot setresgid: Function not implemented
DEBU[0002] Initialized SHM lock manager at path /libpod_rootless_lock_1000
DEBU[0002] [graphdriver] trying provided driver "overlay"
DEBU[0002] overlay: mount_program=/usr/bin/fuse-overlayfs
Error: chown /home/atostivint/.local/share/containers/storage/overlay/l: operation not permitted
I've also set up the sysctl variable kernel.unprivileged_userns_clone=1 from this ticket. Podman as root works without an issue with the same command: it downloads the container image and runs it.
I still don't understand why I get the error cannot setresgid: Function not implemented; could it be related to the application not finding the syscall/function in the library? Is there a way I could get more verbosity? newuidmap and newgidmap are present on my user CLI and I can run the unshare -U command without issues.
Happy to respond with more details/commands run, as I'm really out of ideas on what is going on...
Regards,
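One way to answer the "is the syscall really missing from the kernel or the library?" question above is a small probe. This is an added diagnostic example, not code from the thread or from podman: it calls setresgid()/setresuid() with the "no change" arguments (-1, -1, -1), which any kernel that implements the call must accept, so a failure can only be ENOSYS (syscall absent on this architecture, or filtered by seccomp) or EPERM (an ID-mapping or capability problem). The SYS_setresgid32 branch, the probe names and the diagnose() wording are my own assumptions about what such a check should report.

```c
/* Added diagnostic probe (not from the thread or from podman).  Calling the
 * setres*id wrappers with (-1,-1,-1) requests "no change", so on a kernel that
 * implements the call the result is 0 even for an unprivileged user.  A non-zero
 * return is the errno, which tells a missing syscall apart from a permission
 * problem. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Returns 0 on success, otherwise the errno of the failed libc call. */
int probe_setresgid_noop(void) {
    errno = 0;
    if (setresgid((gid_t)-1, (gid_t)-1, (gid_t)-1) == 0) return 0;
    return errno;
}

int probe_setresuid_noop(void) {
    errno = 0;
    if (setresuid((uid_t)-1, (uid_t)-1, (uid_t)-1) == 0) return 0;
    return errno;
}

/* Same probe through the raw syscall number, so a problem in the C library
 * wrapper can be told apart from one in the kernel.  32-bit x86 and arm export
 * separate *32 variants that take 32-bit IDs; use those where they exist. */
int probe_raw_setresgid_noop(void) {
    errno = 0;
#ifdef SYS_setresgid32
    if (syscall(SYS_setresgid32, -1, -1, -1) == 0) return 0;
#else
    if (syscall(SYS_setresgid, -1, -1, -1) == 0) return 0;
#endif
    return errno;
}

/* Turn the errno into the diagnosis a rootless-container user needs. */
const char *diagnose(int err) {
    switch (err) {
    case 0:      return "ok: syscall implemented and permitted";
    case ENOSYS: return "ENOSYS: kernel lacks the syscall or a seccomp filter blocks it";
    case EPERM:  return "EPERM: call exists but this user/namespace may not change IDs";
    default:     return strerror(err);
    }
}

int main(void) {
    printf("setresgid (libc): %s\n", diagnose(probe_setresgid_noop()));
    printf("setresuid (libc): %s\n", diagnose(probe_setresuid_noop()));
    printf("setresgid (raw):  %s\n", diagnose(probe_raw_setresgid_noop()));
    return 0;
}
```

Run it once as the rootless user and once inside `unshare -U`; if the raw probe succeeds while the libc one fails, the wrapper or its syscall table is the problem, and if both report ENOSYS the kernel build (or a seccomp profile) is.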
Hmm, we have the man page for setresgid, and it suggests it should be in Linux since 2.1.44, which I think predates even my usage of Linux on x86. That it's claiming the function isn't implemented is surprising.
Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.
Yup, I suspect that runc or crun might be poking something in the wrong place. I've seen an update to crun (community/crun 0.18-1.0 (280.2 KiB 1.3 MiB) (Installé : 0.17-1.0)), tried it and no luck: I literally have the same log happening.
FYI, even though you guessed, here's my uname:
$ uname -a
Linux 5.9.14-arch1-1.0 #1 SMP PREEMPT Mon, 14 Dec 2020 13:11:39 +0000 i686 GNU/Linux
And here are the packages (pacman -Q podman, runc and its dependencies):
podman 2.1.1-1.0
crun 0.18-1.0
cni-plugins 0.9.0-5.0
conmon 1:2.0.26-1.0
device-mapper 2.02.187-3.0
iptables 1:1.8.7-1.0
libseccomp 2.4.2-1.3
runc 1.0.0rc93-1.0
slirp4netns 1.1.8-1.0
systemd-libs 245.7-1.0
fuse-overlayfs 1.4.0-1.0
skopeo 1.2.1-1.0
yajl 2.1.0-4.0
systemd-libs 245.7-1.0
libcap 2.48-1.0
libseccomp 2.4.2-1.3
Is there something I could try to install via the AUR that could help?
Ah, you say running it as root works. Have you tried this on 64-bit Arch Linux as well?
Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.
I didn't try on 64-bit Arch Linux, but let me see if I can achieve the same on armv7.