[systemd-devel] Rootless podman/buildah pull with systemd-homed fails -- important CAP dropped?

Christian Brauner brauner at kernel.org
Tue Jan 25 10:06:24 UTC 2022


On Mon, Jan 24, 2022 at 05:25:57PM +0100, Christian Brauner wrote:
> On Fri, Jan 21, 2022 at 03:59:52PM +0000, gmgod at pm.me wrote:
> > Dear all,
> > 
> > Has anyone tried to run a rootless container, or simply pull an image, from a systemd-homed session?
> > 
> > For some reason I am told there are potentially insufficient UIDs or GIDs available:
> > 
> > $ buildah from quay.io/fedora/fedora
> > Trying to pull quay.io/fedora/fedora:latest...
> > Getting image source signatures
> > Copying blob 4545346f2a49 done
> > writing blob: adding layer with blob "sha256:4545346f2a492b62d5a82682efe19b0e8e7583d5c19f75a74c81d62ec536c32d": Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 0:12 for /var/spool/mail): Check /etc/subuid and /etc/subgid: lchown /var/spool/mail: invalid argument
> > 
> > But my /etc/sub{u,g}id are properly populated, `podman system migrate` runs without complaining and the subids *are* just available:
> > 
> > $ buildah unshare cat /proc/self/uid_map
> >          0      60097          1
> >          1     100000      65536
> > 
> > This is only happening in systemd-homed user sessions: normal users just work.
> > Using `sudo homectl with <user> -- buildah from quay.io/fedora/fedora` also works.
> > 
> > It looks like an important capability is dropped in systemd-homed sessions specifically, which prevents the id change.
> > Do you have any idea what it could be?
> 
> Hey Gaël,
> 
> I've spent some time looking into this as I had a hunch where the issue
> comes from. This is related to how systemd implements home directories,
> making use of idmappings for the user's home directory on kernels that
> support it.
> 
> As it stands, systemd-homed allocates a very narrow range of ids for a
> user's home directory, causing podman and other tools to not be able to
> write ids in ranges > 60513. As you can see, podman - with your mapping -
> tries to write as uid 100000, but that id isn't mapped in systemd-homed.
> I'll try to come up with a patch that fixes this and will propose it for
> systemd upstream.

I sent a pull request explaining the issue and proposing a fix. It will
take a little while since we need to make a design decision, but I'm
confident this will be fixed:

https://github.com/systemd/systemd/pull/22239
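The mismatch described in the thread can be checked mechanically: translate each id the image layer wants to own through the rootless uid_map and see whether the resulting host id falls inside the range an idmapped home directory exposes. This is an added example, not code from the thread or from systemd/podman; the uid_map text and the requested 0:12 ownership come from the post, while the home-directory range 60001-60513 is an assumption (systemd-homed's default allocation range).

```python
"""Check whether a rootless uid_map stays within an idmapped home directory's range.

Added example; not from the thread or from systemd/podman.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IdMapping:
    inside: int   # first id inside the user namespace
    outside: int  # first id on the host
    count: int    # number of ids in this extent


def parse_id_map(text: str) -> List[IdMapping]:
    """Parse /proc/<pid>/uid_map or gid_map: one 'inside outside count' extent per line."""
    mappings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        mappings.append(IdMapping(inside, outside, count))
    return mappings


def to_host_id(mappings: List[IdMapping], ns_id: int) -> Optional[int]:
    """Translate an id inside the namespace to its host id; None if unmapped."""
    for m in mappings:
        if m.inside <= ns_id < m.inside + m.count:
            return m.outside + (ns_id - m.inside)
    return None


def unreachable_ids(mappings: List[IdMapping], home_range: Tuple[int, int],
                    ns_ids: List[int]) -> List[Tuple[int, Optional[int]]]:
    """Return (ns_id, host_id) pairs whose host id is unmapped or outside home_range."""
    lo, hi = home_range
    return [(ns_id, host) for ns_id in ns_ids
            if (host := to_host_id(mappings, ns_id)) is None or not lo <= host <= hi]


# Constructed sample: the uid_map from the post; the layer asked for 0:12 on /var/spool/mail.
UID_MAP_FROM_POST = "         0      60097          1\n         1     100000      65536\n"
HOMED_RANGE = (60001, 60513)  # assumption: systemd-homed's default UID allocation range

if __name__ == "__main__":
    maps = parse_id_map(UID_MAP_FROM_POST)
    for ns_id, host in unreachable_ids(maps, HOMED_RANGE, [0, 12]):
        print(f"container id {ns_id} -> host id {host}: outside idmapped home range {HOMED_RANGE}")
```

Container id 0 lands on host uid 60097 and is fine; id 12 lands on 100011, past the end of the home directory's idmapped range, which is exactly the lchown that fails in the post.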

