[systemd-devel] Rootless podman/buildah pull with systemd-homed fails -- important CAP dropped?
gmgod at pm.me
gmgod at pm.me
Fri Jan 21 15:59:52 UTC 2022
Dear all,
Has anyone tried to run a rootless container, or simply pull an image, from a systemd-homed session?
For some reason I am told there are potentially insufficient UIDs or GIDs available:
$ buildah from quay.io/fedora/fedora
Trying to pull quay.io/fedora/fedora:latest...
Getting image source signatures
Copying blob 4545346f2a49 done
writing blob: adding layer with blob "sha256:4545346f2a492b62d5a82682efe19b0e8e7583d5c19f75a74c81d62ec536c32d": Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 0:12 for /var/spool/mail): Check /etc/subuid and /etc/subgid: lchown /var/spool/mail: invalid argument
But my /etc/sub{u,g}id are properly populated, `podman system migrate` runs without complaining and the subids *are* just available:
$ buildah unshare cat /proc/self/uid_map
0 60097 1
1 100000 65536
This is only happening in systemd-homed user sessions: normal users just work.
Using `sudo homectl with <user> -- buildah from quay.io/fedora/fedora` also works.
It looks like an important capability is dropped in systemd-homed session specifically that prevents id change.
Do you have any idea what it could be?
Best regards,
Gaël
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20220121/79710705/attachment.sig>
More information about the systemd-devel
mailing list