podman: Error: cannot setup namespace using newuidmap: exit status 1

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description:

Attempting to create any container rootlessly results in `Error: cannot setup namespace using newuidmap: exit status 1`.

Steps to reproduce the issue:

1. Run `podman run docker.io/hello-world`

Describe the results you received:

Error: cannot setup namespace using newuidmap: exit status 1

Describe the results you expected:

Runs the docker hello-world container.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

`Error: cannot setup namespace using newuidmap: exit status 1`

Running `podman --version` outputs:

podman version 3.4.4

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: Unknown
    path: /nix/store/6r9syknl9xza7jzwd25v0ym41rz84r1m-conmon-2.0.31/bin/conmon
    version: 'conmon version 2.0.31, commit: '
  cpus: 4
  distribution:
    codename: quokka
    distribution: nixos
    version: "22.05"
  eventLogger: journald
  hostname: nixpro
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.10.84
  linkmode: dynamic
  logDriver: journald
  memFree: 4878995456
  memTotal: 8215441408
  ociRuntime:
    name: crun
    package: Unknown
    path: /nix/store/9m18pl5di2p0cin7b4wa1f55jk5fy5ka-crun-1.3/bin/crun
    version: |-
      crun version 1.3
      commit: 1.3
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: ""
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /nix/store/69rx44glqh00035mji5iw1dif6nxmlkv-slirp4netns-1.1.12/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 4107718656
  swapTotal: 4107718656
  uptime: 13m 38.89s
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 6
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.4.4
  Built: 315532800
  BuiltTime: Tue Jan  1 05:30:00 1980
  GitCommit: ""
  GoVersion: go1.16.10
  OsArch: linux/amd64
  Version: 3.4.4

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

NixOS unstable

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 22 (10 by maintainers)

Most upvoted comments

why do you have your user listed twice with the same range in the /etc/subuid and /etc/subgid files?

Can you drop one line from each file and make sure there are no overlapping mappings?

like:

/etc/subuid
nullrequest:100000:65536

/etc/subgid
nullrequest:100000:65536

I ran into this error on Podman 4.2 on Arch Linux. I resolved it after following the “Rootless Podman” setup steps on the Arch Wiki:

https://wiki.archlinux.org/title/Podman#Rootless_Podman

I’m not sure exactly what fixed it, but it seemed to start working after removing my /etc/subuid and /etc/subgid files and running the usermod command there. The contents appear the same, except the range was extended from 10,000 to 100,000 and there’s an extra blank line. Also, before, the files were symlinked into my home dir and now they are not.

why do you have your user listed twice with the same range in the /etc/subuid and /etc/subgid files?

@giuseppe, FWIW that’s the default in the latest stable podman image, quay.io/podman/stable:v3.4.4.

[podman@podman /]$ cat /etc/subuid
podman:1:999
podman:1001:64535
[podman@podman /]$ cat /etc/subgid
podman:1:999
podman:1001:64535

Also, another thing to note: running as root, everything works. It's only in rootless mode where there are issues.

Root doesn’t need newuidmap and newgidmap because it is already running with capabilities.

ok, thanks.

Can you try the following commands?

$ unshare -U sleep 100 &
$ newuidmap $! 0 100000 65536
$ newgidmap $! 0 100000 65536

Do they work fine?

/etc/subuid

nullrequest:100000:65536
nullrequest:100000:65536

/etc/subgid

nullrequest:100000:65536
nullrequest:100000:65536

/run seems to be mounted by NixOS with nosuid; however, /run/wrappers is mounted without it:

/run/wrappers rw,nodev,relatime shared:13 - tmpfs tmpfs rw,mode=755

unlike /run, which is mounted as:

/run rw,nosuid,nodev shared:11 - tmpfs tmpfs rw,size=2005724k,mode=755
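As an added example (my own script, not from the thread or the podman project), a small POSIX shell script that automates the two checks the thread works through: whether a user has duplicate or overlapping ranges in /etc/subuid and /etc/subgid, and whether the newuidmap binary is setuid and sits on a mount without nosuid. The sample file contents are constructed from the lines posted above; the function names are my own.

```shell
#!/bin/sh
# Constructed sample: the duplicated /etc/subuid lines posted in the thread.
SAMPLE_SUBUID='nullrequest:100000:65536
nullrequest:100000:65536'

# check_subid_overlaps USER FILE
# Prints every pair of duplicate/overlapping ranges that USER has in FILE
# (/etc/subuid or /etc/subgid) and returns 1 if any were found, else 0.
check_subid_overlaps() {
    awk -F: -v u="$1" '
        BEGIN { n = 0 }
        $1 == u { start[n] = $2 + 0; end[n] = $2 + $3 - 1; n++ }
        END {
            bad = 0
            for (i = 0; i < n; i++)
                for (j = i + 1; j < n; j++)
                    if (start[i] <= end[j] && start[j] <= end[i]) {
                        printf "%s: ranges %d-%d and %d-%d overlap\n", u, start[i], end[i], start[j], end[j]
                        bad = 1
                    }
            exit bad
        }' "$2"
}

# check_newuidmap_usable BIN
# Returns 0 when BIN is setuid and its mount lacks nosuid; rootless podman
# cannot set up a user namespace if either condition fails.
check_newuidmap_usable() {
    bin=$1
    [ -x "$bin" ] || { echo "$bin: not found or not executable"; return 1; }
    # -u tests the set-user-ID bit (file capabilities are the alternative; see getcap)
    [ -u "$bin" ] || { echo "$bin: setuid bit not set"; return 1; }
    # A nosuid mount silently ignores the setuid bit (/run on NixOS in the thread).
    if command -v findmnt >/dev/null 2>&1 &&
       findmnt -no OPTIONS --target "$bin" | tr ',' '\n' | grep -qx nosuid; then
        echo "$bin: lives on a nosuid mount"; return 1
    fi
    return 0
}

# Demo: run the range check on the constructed sample, then on the real files.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_SUBUID" > "$tmp"
check_subid_overlaps nullrequest "$tmp" || echo "-> keep a single line per user"
rm -f "$tmp"
for f in /etc/subuid /etc/subgid; do
    [ -r "$f" ] && check_subid_overlaps "$(id -un)" "$f"
done
if bin=$(command -v newuidmap 2>/dev/null); then
    check_newuidmap_usable "$bin" && echo "$bin: ok"
fi
```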