[systemd-devel] Rootless podman/buildah pull with systemd-homed fails -- important CAP dropped?

gmgod at pm.me gmgod at pm.me
Fri Jan 21 15:59:52 UTC 2022


Dear all,

Has anyone tried to run a rootless container, or simply pull an image, from a systemd-homed session?

For some reason I am told there are potentially insufficient UIDs or GIDs available:

$ buildah from quay.io/fedora/fedora
Trying to pull quay.io/fedora/fedora:latest...
Getting image source signatures
Copying blob 4545346f2a49 done
writing blob: adding layer with blob "sha256:4545346f2a492b62d5a82682efe19b0e8e7583d5c19f75a74c81d62ec536c32d": Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 0:12 for /var/spool/mail): Check /etc/subuid and /etc/subgid: lchown /var/spool/mail: invalid argument

But my /etc/sub{u,g}id are properly populated, `podman system migrate` runs without complaining and the subids *are* just available:

$ buildah unshare cat /proc/self/uid_map
         0      60097          1
         1     100000      65536

This is only happening in systemd-homed user sessions: normal users just work.
Using `sudo homectl with <user> -- buildah from quay.io/fedora/fedora` also works.

It looks like an important capability is dropped in systemd-homed sessions specifically, which prevents the id change.
Do you have any idea what it could be?

Best regards,
Gaël
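The failure above is an `lchown` returning EINVAL inside the user namespace, which is what the kernel returns when the target id is not mapped there; the two things worth checking before suspecting anything else are the id maps and the capability bounding set of the session. The following is an added diagnostic, not code from the original post: it parses `uid_map`/`gid_map` text and a `/proc/<pid>/status` fragment (the sample inputs are constructed, the uid_map sample is the one quoted in the post, and the capability bit numbers come from `<linux/capability.h>`).

```python
# Added diagnostic (not from the original post): checks whether the IDs a
# layer wants to chown to are mapped in the current user namespace, and
# whether the bounding set still holds the capabilities an ID change needs.
# Sample inputs are constructed; cap bit numbers are from <linux/capability.h>.
import re

# Capability bit numbers relevant to changing ownership / identities.
CAP_BITS = {"CAP_CHOWN": 0, "CAP_SETGID": 6, "CAP_SETUID": 7,
            "CAP_SETPCAP": 8, "CAP_SYS_ADMIN": 21, "CAP_SETFCAP": 31}

def parse_id_map(text):
    """Parse /proc/<pid>/{uid,gid}_map lines into (inner, outer, count) tuples."""
    return [tuple(int(x) for x in line.split())
            for line in text.splitlines() if line.strip()]

def is_mapped(id_map, ident):
    """True if ident exists inside the namespace (chown to an unmapped id fails with EINVAL)."""
    return any(inner <= ident < inner + count for inner, _, count in id_map)

def decode_caps(hexmask):
    """Return the known capability names present in a hex mask from /proc/<pid>/status."""
    mask = int(hexmask, 16)
    return {name for name, bit in CAP_BITS.items() if mask >> bit & 1}

def diagnose(status_text, uid_map_text, gid_map_text, uid, gid):
    """Collect the checks a pull failure like 'requested 0:12' calls for."""
    fields = dict(re.findall(r"^(\w+):\s*(\S+)", status_text, re.M))
    return {
        "uid_mapped": is_mapped(parse_id_map(uid_map_text), uid),
        "gid_mapped": is_mapped(parse_id_map(gid_map_text), gid),
        "no_new_privs": fields.get("NoNewPrivs") == "1",
        "missing_bounding": set(CAP_BITS) - decode_caps(fields["CapBnd"]),
    }

# Constructed sample: the uid_map quoted in the post, reused as gid_map,
# plus status fragments with a full and with an emptied bounding set.
UID_MAP = "         0      60097          1\n         1     100000      65536\n"
STATUS_OK = "Name:\tbuildah\nNoNewPrivs:\t0\nCapBnd:\t000001ffffffffff\n"
STATUS_DROPPED = "Name:\tbuildah\nNoNewPrivs:\t1\nCapBnd:\t0000000000000000\n"

if __name__ == "__main__":
    # The map from the post does cover 0:12, so a mapping gap is not the cause
    # in that session; the second call shows what a dropped bounding set looks like.
    print(diagnose(STATUS_OK, UID_MAP, UID_MAP, 0, 12))
    print(diagnose(STATUS_DROPPED, UID_MAP, UID_MAP, 0, 12))
```

To run it against a live session, feed it the contents of `/proc/self/uid_map`, `/proc/self/gid_map` and `/proc/self/status` from inside `buildah unshare`.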