Build podman images in the base image
I've been trying to use images from this project to build podman images in CI, but so far haven't been able to.
First, I'm building a derivative image based on the definition used to build the Fedora-based podman/stable image. This image is described in this Red Hat article going into some detail about how to use podman in podman (PINP).
```dockerfile
FROM containers.torproject.org/tpo/tpa/base-images:bookworm
RUN apt update && apt install -y --no-install-recommends podman containers-storage uidmap libcap2-bin strace ca-certificates
RUN useradd podman
RUN echo "podman:1:999\npodman:1001:64535" > /etc/subuid
RUN echo "podman:1:999\npodman:1001:64535" > /etc/subgid
ADD /containers.conf /etc/containers/containers.conf
ADD /podman-containers.conf /home/podman/.config/containers/containers.conf
RUN mkdir -p /home/podman/.local/share/containers && \
    chown podman:podman -R /home/podman && \
    chmod 644 /etc/containers/containers.conf
# Note VOLUME options must always happen after the chown call above
# RUN commands can not modify existing volumes
VOLUME /var/lib/containers
VOLUME /home/podman/.local/share/containers
RUN setcap cap_setuid=ep /usr/bin/newuidmap && \
    setcap cap_setuid=ep /usr/bin/newgidmap
ENV _CONTAINERS_USERNS_CONFIGURED="" \
    BUILDAH_ISOLATION=chroot
```
Unfortunately, while podman/stable works without issue in our unprivileged CI containers, both in rootful and rootless modes, this custom Debian-based container with podman doesn't. I even tried building this container with the upstream Debian images (e.g. debian:unstable-slim) but it fails in the same way.
These are the error messages both in rootless and rootful modes:
```
gitlab-runner@ci-runner-x86-03:~/pinp$ podman run --rm --user podman localhost/pinp podman run alpine echo hello
time="2024-04-17T21:17:22Z" level=error msg="running `/usr/bin/newuidmap 18 0 1000 1 1 1 999 1000 1001 64535`: newuidmap: open of uid_map failed: Permission denied\n"
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1
gitlab-runner@ci-runner-x86-03:~/pinp$ podman run --rm localhost/pinp podman run alpine echo hello
time="2024-04-17T21:17:28Z" level=warning msg="Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user"
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:4abcf20661432fb2d719aaf90656f55c287f8ca915dc1c92ec14ff61e67fbaf8": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/shadow): Check /etc/subuid and /etc/subgid if configured locally and run podman-system-migrate: lchown /etc/shadow: invalid argument): exit status 1
```
I've tried looking into a number of things to figure this out, to no avail. The problem seems to point to some particular issue with user namespaces that's caused by something in the image itself rather than the host system, since podman/stable works without these issues.
I can also reproduce the same problem on my workstation's podman installation.
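Both errors above are about the user-ID ranges available to the inner podman: the "single mapping" warning and the `lchown /etc/shadow` failure mean the namespace maps too few IDs, and the newuidmap failure means the setcap'd helper could not write the map. The following POSIX sh helpers, added here as an example and not part of the base-images project, check the three inputs involved (the subuid/subgid allocations for a user, the size of the current uid_map, and the file capability on the newuidmap/newgidmap helpers) so the image and the host can be inspected separately. File paths are parameters so the checks can also be run against copied files.

```shell
#!/bin/sh
# Constructed diagnostic helpers for the podman-in-podman failure modes above.

# Sum the ID ranges a user owns in a subuid/subgid-style file (user:start:count).
# Prints the total, or 0 when the user has no entry at all.
subid_total() {
    user="$1"; file="$2"
    awk -F: -v u="$user" '$1 == u { total += $3 } END { print total + 0 }' "$file"
}

# Inspect a uid_map/gid_map (columns: inside-ID outside-ID count). Returns 0
# when the namespace maps at least 65536 IDs, enough for image layers whose
# files are owned by other uids (the "requested 0:42 for /etc/shadow" case);
# returns 1 for a rootless "single mapping" namespace, which maps one ID.
has_full_mapping() {
    mapfile="$1"
    awk '{ total += $3 } END { exit (total >= 65536) ? 0 : 1 }' "$mapfile"
}

# Check that the helpers carry the cap_setuid file capability the Containerfile
# sets with setcap. getcap comes from libcap2-bin, which the image installs.
newidmap_caps_ok() {
    for helper in /usr/bin/newuidmap /usr/bin/newgidmap; do
        getcap "$helper" 2>/dev/null | grep -q 'cap_setuid' || return 1
    done
    return 0
}

# Run all checks against the live system; call as: pinp_check podman
pinp_check() {
    user="${1:-podman}"
    echo "current uid_map:"; cat /proc/self/uid_map
    if has_full_mapping /proc/self/uid_map; then
        echo "namespace maps >= 65536 uids"
    else
        echo "single/partial uid mapping: layers owned by other uids will fail to unpack"
    fi
    echo "subuids for $user: $(subid_total "$user" /etc/subuid)"
    echo "subgids for $user: $(subid_total "$user" /etc/subgid)"
    if newidmap_caps_ok; then
        echo "newuidmap/newgidmap carry cap_setuid"
    else
        echo "newuidmap/newgidmap lack cap_setuid (or getcap is missing)"
    fi
}
```

Run `pinp_check podman` once on the host and once inside the image (as root and as the podman user) to see which of the three inputs differs between the working podman/stable image and the Debian-based one.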