Bug 1113811 - podman doesn't work for non-root users
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Containers
Assigned To: Containers Team
Reported: 2018-10-29 19:47 UTC by Spindel Ljungmark
Modified: 2020-08-27 10:20 UTC (History)
Description Spindel Ljungmark 2018-10-29 19:47:02 UTC
openSUSE Kubic (transactional updates) and podman fail to work for non-root users.

This seems to be because /etc/containers/libpod.conf isn't a match for /usr/share/containers/libpod.conf and doesn't contain all relevant paths, including a conmon path for /usr/lib/podman/bin/conmon.



Steps to reproduce:
1. install podman (and reboot)
2. as non-root user, run `podman info` 


Results:

$ rpm -q podman
podman-0.10.1.1-1.1.x86_64

$ podman info
could not get runtime: could not find a working conmon binary (configured options: [/usr/libexec/podman/conmon /usr/libexec/crio/conmon /usr/local/libexec/crio/conmon /usr/bin/conmon /usr/sbin/conmon /usr/lib/crio/bin/conmon]): invalid argument


$ sudo podman info
host:
  BuildahVersion: 1.5-dev
  Conmon:
    package: podman-0.10.1.1-1.1.x86_64
    path: /usr/lib/podman/bin/conmon
    version: 'conmon version 1.12.0-dev, commit: '
  Distribution:
    distribution: '"opensuse-tumbleweed"'
    version: "20181022"
  MemFree: 3666497536
  MemTotal: 7948431360
  OCIRuntime:
    package: runc-1.0.0~rc5-3.1.x86_64
    path: /usr/sbin/runc
    version: |-
      runc version 1.0.0-rc5
      spec: 1.0.0
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 2
  hostname: spring
  kernel: 4.18.15-1-default
  os: linux
  uptime: 114h 13m 32.55s (Approximately 4.75 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
store:
  ContainerStore:
    number: 14
  GraphDriverName: overlay
  GraphOptions: []
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
  ImageStore:
    number: 7
  RunRoot: /var/run/containers/storage
Comment 1 Spindel Ljungmark 2018-10-29 19:50:21 UTC
When root runs `podman`, it scans /etc/containers/libpod.conf, but when a normal user does it, it doesn't open _any_ libpod.conf.


Neither seems to open /usr/share... copy either.
Comment 2 Valentin Rothberg 2018-10-30 06:51:43 UTC
Hi Spindel,

thanks for filing the bug!

We're working on making rootless Podman run smoothly in Kubic but there are still some rough edges related to how openSUSE does path resolution; /usr/sbin is only accessible for root and we need to shell out to some binaries under this path. Also we need to create some reasonable defaults for /etc/sub{g,u}id, presumably via the shadowutils package.

The slirp4netns package is already in place to enable rootless networking, but the remaining parts may still take a few weeks until running out-of-box in Tumbleweed and Kubic.
Comment 3 Valentin Rothberg 2018-10-30 10:24:56 UTC
@Thorsten, I need some advice on the packaging side. Rootless podman requires user entries in /etc/sub{u,g}id. `adduser(8)` will add an entry for each new user, but only when those files are present; it won't create those files. The problem on openSUSE is that no package is adding those files, which in turn leads to not having any entries.

Fedora is adding those files via its `setup` package, but I don't see us having something similar. Hence the question: Which package should add empty /etc/sub{u,g}id files? I was thinking about `shadow` but I'd like to have some advice.
Comment 4 Valentin Rothberg 2018-11-13 07:09:07 UTC
Sorry, I missed sharing progress on this bug here on Bugzilla.

Rootless Podman and rootless Buildah will work shortly in Tumbleweed. There were some details to sort out in the packages (e.g., shadow adding `/etc/sub{g,u}id`).

Notice that it will work out-of-box for new installations and also for new users. For existing users, we still need to *manually* add entries to `/etc/sub{g,u}id` as described in `man podman`. We also took this occasion to improve the error message of Podman in the absence of those files.
Comment 5 Aleksa Sarai 2018-11-13 07:15:25 UTC
(In reply to Valentin Rothberg from comment #4)
> Notice that it will work out-of-box for new installations and also for new
> users. For existing user, we still need to *manually* add entries to
> `/etc/sub{g,u}id` as described in `man podman`. We also took this occasion
> to improve the error message of Podman in the absence of those files.

I just noticed that the man page actually gives you worrying advice (setting the mapping range to start at 10k) -- is this man page from upstream? It should say something more like starting the mapping at 100k or 1m because otherwise you are going to clash with the 64k range that Linux distributions assume they own.
Comment 6 Valentin Rothberg 2018-11-13 07:29:38 UTC
(In reply to Aleksa Sarai from comment #5)
> (In reply to Valentin Rothberg from comment #4)
> > Notice that it will work out-of-box for new installations and also for new
> > users. For existing user, we still need to *manually* add entries to
> > `/etc/sub{g,u}id` as described in `man podman`. We also took this occasion
> > to improve the error message of Podman in the absence of those files.
> 
> I just noticed that the man page actually gives you worrying advice (setting
> the mapping range to start at 10k) -- is this man page from upstream? It
> should say something more like starting the mapping at 100k or 1m because
> otherwise you are going to clash with the 64k range that Linux distributions
> assume they own.

Yes, that's the upstream manpage. The range corresponds to what useradd and usermod would add for the first user but if you have concerns, feel free to open an issue upstream.
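Comments 3 and 4 explain that rootless Podman needs a `name:start:count` entry per user in /etc/subuid and /etc/subgid, and comments 5 and 6 discuss why a range starting at 10000 collides with the first 64k IDs that distributions treat as their own. The following is an added example, not code from the bug report, from Podman or from the shadow package: it parses that file format, confirms a user has an entry, and flags ranges that start inside the 0..65535 system range or overlap another user's range. The sample file contents and user names are constructed.

```python
# Added example, not from the bug report or the podman/shadow projects:
# sanity-check subuid(5)/subgid(5) entries for rootless Podman.
from typing import List, NamedTuple

SYSTEM_ID_LIMIT = 65536  # IDs 0..65535: the range distributions treat as theirs


class SubIdRange(NamedTuple):
    owner: str
    start: int
    count: int

    @property
    def end(self) -> int:  # inclusive last ID of the range
        return self.start + self.count - 1

    def overlaps(self, other: "SubIdRange") -> bool:
        return self.start <= other.end and other.start <= self.end


def parse_subid(text: str) -> List[SubIdRange]:
    """Parse `name:start:count` lines; blank lines and comments are skipped."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count, got {raw!r}")
        ranges.append(SubIdRange(fields[0], int(fields[1]), int(fields[2])))
    return ranges


def check_user(text: str, user: str) -> List[str]:
    """Return findings for `user`; an empty list means the entry looks sane."""
    ranges = parse_subid(text)
    mine = [r for r in ranges if r.owner == user]
    if not mine:
        return [f"no entry for {user}: rootless podman cannot map extra IDs"]
    findings = []
    for r in mine:
        if r.start < SYSTEM_ID_LIMIT:  # e.g. the manpage's 10000 start
            findings.append(f"{user}: starts at {r.start}, inside system range 0..{SYSTEM_ID_LIMIT - 1}")
        for o in ranges:
            if o.owner != user and r.overlaps(o):
                findings.append(f"{user}: {r.start}..{r.end} overlaps {o.owner} ({o.start}..{o.end})")
    return findings


# Constructed sample: useradd-style entries plus one following the 10k advice
# discussed in this bug and one that collides with a neighbour.
SAMPLE_SUBUID = "alice:100000:65536\nbob:10000:65536\ncarol:165536:65536\ndave:200000:65536\n"
```

`check_user(SAMPLE_SUBUID, "alice")` returns an empty list, while `"bob"` is flagged for starting inside the system range and `"dave"` for overlapping carol; running it against the real files means reading /etc/subuid and /etc/subgid and passing their contents.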
Comment 7 Ralf Haferkamp 2020-08-27 10:20:45 UTC
I think this can be closed. Rootless has been working fine on Tumbleweed for a while.