/kind bug
Hi, I just installed Podman on Fedora 29 but running anything rootless gives me the error:
ERRO[0000] cannot setup namespace using newuidmap: exit status 1
eg.
$ podman info
ERRO[0000] cannot setup namespace using newuidmap: exit status 1
I made sure my username is in /etc/subuid and /etc/subgid:
$ cat /etc/subuid
kdubois:100000:65536
$ cat /etc/subgid
kdubois:100000:65536
$ sudo podman info
host:
BuildahVersion: 1.7.1
Conmon:
package: podman-1.1.2-1.git0ad9b6b.fc29.x86_64
path: /usr/libexec/podman/conmon
version: 'conmon version 1.12.0-dev, commit: a95a49d3038462d033f84ac314ec8a3064a99cff'
Distribution:
distribution: fedora
version: "29"
MemFree: 8967946240
MemTotal: 33567715328
OCIRuntime:
package: runc-1.0.0-68.dev.git6635b4f.fc29.x86_64
path: /usr/bin/runc
version: |-
runc version 1.0.0-rc6+dev
commit: ef9132178ccc3d2775d4fb51f1e431f30cac1398-dirty
spec: 1.0.1-dev
SwapFree: 16852709376
SwapTotal: 16852709376
arch: amd64
cpus: 8
hostname: kdubois-redhat
kernel: 4.20.13-200.fc29.x86_64
os: linux
rootless: false
uptime: 27h 46m 28.7s (Approximately 1.12 days)
insecure registries:
registries: []
registries:
registries:
- docker.io
- registry.fedoraproject.org
- quay.io
- registry.access.redhat.com
- registry.centos.org
store:
ConfigFile: /etc/containers/storage.conf
ContainerStore:
number: 0
GraphDriverName: overlay
GraphOptions:
- overlay.mountopt=nodev
GraphRoot: /var/lib/containers/storage
GraphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "true"
Supports d_type: "true"
Using metacopy: "false"
ImageStore:
number: 1
RunRoot: /var/run/containers/storage
VolumePath: /var/lib/containers/storage/volumes
$ podman version
Version: 1.1.2
RemoteAPI Version: 1
Go Version: go1.11.5
Git Commit: a95a49d3038462d033f84ac314ec8a3064a99cff
Built: Tue Mar 5 19:10:31 2019
OS/Arch: linux/amd64
$ sudo podman info --debug
debug:
compiler: gc
git commit: a95a49d3038462d033f84ac314ec8a3064a99cff
go version: go1.11.5
podman version: 1.1.2
host:
BuildahVersion: 1.7.1
Conmon:
package: podman-1.1.2-1.git0ad9b6b.fc29.x86_64
path: /usr/libexec/podman/conmon
version: 'conmon version 1.12.0-dev, commit: a95a49d3038462d033f84ac314ec8a3064a99cff'
Distribution:
distribution: fedora
version: "29"
MemFree: 8933810176
MemTotal: 33567715328
OCIRuntime:
package: runc-1.0.0-68.dev.git6635b4f.fc29.x86_64
path: /usr/bin/runc
version: |-
runc version 1.0.0-rc6+dev
commit: ef9132178ccc3d2775d4fb51f1e431f30cac1398-dirty
spec: 1.0.1-dev
SwapFree: 16852709376
SwapTotal: 16852709376
arch: amd64
cpus: 8
hostname: kdubois-redhat
kernel: 4.20.13-200.fc29.x86_64
os: linux
rootless: false
uptime: 27h 50m 30.71s (Approximately 1.12 days)
insecure registries:
registries: []
registries:
registries:
- docker.io
- registry.fedoraproject.org
- quay.io
- registry.access.redhat.com
- registry.centos.org
store:
ConfigFile: /etc/containers/storage.conf
ContainerStore:
number: 0
GraphDriverName: overlay
GraphOptions:
- overlay.mountopt=nodev
GraphRoot: /var/lib/containers/storage
GraphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "true"
Supports d_type: "true"
Using metacopy: "false"
ImageStore:
number: 1
RunRoot: /var/run/containers/storage
VolumePath: /var/lib/containers/storage/volumes
Additional environment details (AWS, VirtualBox, physical, etc.):
Physical Fedora 29 install
Does buildah unshare work?
rpm -qV shadow-utils
Did you setup your homedir as noexec?
It looks like just restarting my session did the trick :sweat_smile:
Same problem here, but restarting the session doesn't resolve the issue.
Do you have /etc/subuid and /etc/subgid? What are their contents?
Yes.
cat /etc/subgid
fedora:100000:65536
alciregi:165536:65536
radio:231072:65536
cat /etc/subuid
fedora:100000:65536
alciregi:165536:65536
radio:231072:65536
Podman version?
@giuseppe Do we print stdout/err from these on Master?
podman version
Version: 1.1.2
RemoteAPI Version: 1
Go Version: go1.11.5
Git Commit: a95a49d3038462d033f84ac314ec8a3064a99cff
Built: Tue Mar 5 18:10:31 2019
OS/Arch: linux/amd64
Mmm
Using strace I've seen
newuidmap: write to uid_map failed: Operation not permitted
Googling around I tried to
chmod 4755 /usr/bin/newgidmap
chmod 4755 /usr/bin/newuidmap
And now podman works.
Shadow utils does this by default with file capabilities. For some reason file caps were not working for you.
What file system are you using for /usr?
File system is ext4.
The fact is that this machine is a Fedora image deployed on the Scaleway cloud provider. Maybe they have tinkered with the base image in some way?
rpm -qV shadow-utils
Before your change.
They could have mounted the /usr as nosuid, but your change would not have fixed this.
On default Fedora 29
getcap /usr/bin/newuidmap /usr/bin/newgidmap
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/newgidmap = cap_setgid+ep
These two capabilities should be all you need.
I will check asap on a new machine.
Btw /usr is not a separate mountpoint, but it is part of the root partition.
rpm -qV shadow-utils
........P /usr/bin/newgidmap
........P /usr/bin/newuidmap
mount
/dev/vda1 on / type ext4 (rw,relatime,seclabel)
getcap /usr/bin/newuidmap /usr/bin/newgidmap doesn't return any result
Well, a followup (fresh install and full update):
dnf reinstall shadow-utils
...
Reinstalled:
shadow-utils-2:4.6-4.fc29.x86_64
And now rpm -qV shadow-utils doesn't return anything, while getcap /usr/bin/newuidmap /usr/bin/newgidmap returns
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/newgidmap = cap_setgid+ep
And podman works.
Super.
FYI, I had this error when I had two entries in /etc/subuid and the first entry did not have sufficient resource access to use podman.
Doesn't work for me,
here is the error:
[pjiandan@pjiandan ~]$ podman info
ERRO[0000] cannot setup namespace using newuidmap: exit status 1
[pjiandan@pjiandan ~]$ sudo podman info
host:
BuildahVersion: 1.6-dev
Conmon:
package: podman-1.0.0-2.git921f98f.module+el8+2785+ff8a053f.x86_64
path: /usr/libexec/podman/conmon
version: 'conmon version 1.14.0-dev, commit: be8255a19cda8a598d76dfa49e16e337769d4528-dirty'
Distribution:
distribution: '"rhel"'
version: "8.0"
MemFree: 27608231936
MemTotal: 33330409472
OCIRuntime:
package: runc-1.0.0-54.rc5.dev.git2abd837.module+el8+2769+577ad176.x86_64
path: /usr/bin/runc
version: 'runc version spec: 1.0.0'
SwapFree: 8589930496
SwapTotal: 8589930496
arch: amd64
cpus: 8
hostname: pjiandan.remote.csb
kernel: 4.18.0-80.11.2.el8_0.x86_64
os: linux
rootless: false
uptime: 16m 15.99s
insecure registries:
registries: []
registries:
registries:
- registry.redhat.io
- quay.io
- docker.io
store:
ConfigFile: /etc/containers/storage.conf
ContainerStore:
number: 0
GraphDriverName: overlay
GraphOptions: null
GraphRoot: /var/lib/containers/storage
GraphStatus:
Backing Filesystem: xfs
Native Overlay Diff: "true"
Supports d_type: "true"
ImageStore:
number: 1
RunRoot: /var/run/containers/storage
Can anyone please help with this?
$ podman unshare cat /proc/self/uid_map
This should show you something like
podman unshare cat /proc/self/uid_map
0 3267 1
1 100000 65536
If this only shows 1 line, then you have not set up /etc/subuid and /etc/subgid properly, or your newuidmap and newgidmap tools are not installed properly.
sudo dnf reinstall shadow-utils
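An added diagnostic script (written for this thread, not code from the Podman project or any commenter) that checks the same things the thread walks through: the first /etc/subuid and /etc/subgid entry for the current user, the file capabilities on newuidmap/newgidmap, the rpm -qV capability column, and the line count of the uid_map that podman unshare shows. The parsing helpers are pure so they can be tried on pasted output; the live checks run only with --live and assume podman, getcap and rpm are installed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or the Podman project) for the rootless
# "cannot setup namespace using newuidmap" error. The helpers parse the same
# things the thread inspects: /etc/subuid and /etc/subgid entries, getcap
# output for newuidmap/newgidmap, and the uid_map seen inside "podman unshare".

# subid_count CONTENT USER: range size of the FIRST entry for USER in a
# subuid/subgid file, or 0 when there is none. Only the first entry is used,
# matching the report above where an undersized first entry broke podman.
subid_count() {
    printf '%s\n' "$1" | awk -F: -v u="$2" \
        '$1 == u && !seen { n = $3; seen = 1 } END { print n + 0 }'
}

# caps_ok GETCAP_OUTPUT: true when newuidmap carries cap_setuid and newgidmap
# carries cap_setgid. Matches both the "+ep" and the newer "=ep" getcap syntax.
caps_ok() {
    printf '%s\n' "$1" | grep -q 'newuidmap.*cap_setuid' &&
        printf '%s\n' "$1" | grep -q 'newgidmap.*cap_setgid'
}

# uidmap_lines UID_MAP_CONTENT: number of mapping lines. A working rootless
# setup shows at least two (the root line plus the subuid range); one line
# means newuidmap never applied the range.
uidmap_lines() {
    printf '%s\n' "$1" | grep -c . || true
}

# check_host: run the live checks on this machine. Needs podman, getcap and rpm;
# each finding is printed together with the fix the thread converged on.
check_host() {
    user=$(id -un)
    [ "$(subid_count "$(cat /etc/subuid)" "$user")" -gt 0 ] ||
        echo "no usable /etc/subuid entry for $user"
    [ "$(subid_count "$(cat /etc/subgid)" "$user")" -gt 0 ] ||
        echo "no usable /etc/subgid entry for $user"
    caps_ok "$(getcap /usr/bin/newuidmap /usr/bin/newgidmap 2>/dev/null)" ||
        echo "file capabilities missing; try: sudo dnf reinstall shadow-utils"
    # 'P' in the 9th column of rpm -qV means the capabilities differ from the package.
    rpm -qV shadow-utils 2>/dev/null | grep -q '^........P' &&
        echo "rpm -qV reports a capability mismatch on shadow-utils files"
    [ "$(uidmap_lines "$(podman unshare cat /proc/self/uid_map 2>/dev/null)")" -gt 1 ] ||
        echo "podman unshare shows a one-line uid_map: subuid or newuidmap still broken"
}
# Only touch the live system when asked, so the helpers can be tested offline.
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run it as `sh check-rootless.sh --live` as the affected (non-root) user; a clean system prints nothing.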