podman: Podman does not work with users created by homectl/systemd-homed.

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

All podman rootless commands fail with Error: cannot setup namespace using newuidmap: exit status 1 with a user managed by systemd-homed.

Steps to reproduce the issue:

  1. Activate systemd-homed service, and create a user account with homectl.
  2. Login as the newly created user and run any podman command.

Describe the results you received:

Podman fails to run.

Describe the results you expected:

Podman should run.

Additional information you deem important (e.g. issue happens only occasionally):

The user’s home is managed by systemd-homed. No user information is stored in /etc/passwd, /etc/shadow and /etc/gshadow. User records are created on the fly by systemd-homed.

Output of podman version:

podman version 3.4.4

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.23.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.0.31-1
    path: /usr/bin/conmon
    version: 'conmon version 2.0.31, commit: 7e7eb74e52abf65a6d46807eeaea75425cc8a36c'
  cpus: 16
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: shadowfax
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 60237
      size: 1
    uidmap:
    - container_id: 0
      host_id: 60237
      size: 1
  kernel: 5.15.7-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 252006400
  memTotal: 33668792320
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.3-3
    path: /usr/bin/crun
    version: |-
      crun version 1.3
      commit: 4f6c8e0583c679bfee6a899c05ac6b916022561b
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/60237/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.1.12-1
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.3
  swapFree: 21445206016
  swapTotal: 21474828288
  uptime: 28h 37m 3.96s (Approximately 1.17 days)
plugins:
  log:
  - k8s-file
  - none
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/ananth/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/ananth/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: f2fs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 0
  runRoot: /run/user/60237/containers
  volumePath: /home/ananth/.local/share/containers/storage/volumes
version:
  APIVersion: 3.4.4
  Built: 1639074640
  BuiltTime: Fri Dec 10 00:00:40 2021
  GitCommit: f6526ada1025c2e3f88745ba83b8b461ca659933
  GoVersion: go1.17.4
  OsArch: linux/amd64
  Version: 3.4.4

Package info (e.g. output of rpm -q podman or apt list podman):

Name            : podman
Version         : 3.4.4-1
Description     : Tool and library for running OCI-based containers in pods
Architecture    : x86_64
URL             : https://github.com/containers/podman
Licenses        : Apache
Groups          : None
Provides        : None
Depends On      : cni-plugins  conmon  containers-common  crun  fuse-overlayfs  iptables  libdevmapper.so=1.02-64  libgpgme.so=11-64  libseccomp.so=2-64  slirp4netns
Optional Deps   : apparmor: for AppArmor support [installed]
                  btrfs-progs: support btrfs backend devices [installed]
                  catatonit: --init flag support [installed]
                  podman-docker: for Docker-compatible CLI
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 72.79 MiB
Packager        : David Runge <dvzrv@archlinux.org>
Build Date      : Friday 10 December 2021 12:00:40 AM
Install Date    : Friday 10 December 2021 05:02:42 PM
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

Arch Linux running on a physical computer.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 36 (19 by maintainers)

Most upvoted comments

I’m testing the above patch here and it’s working well with a btrfs subvol

Thanks for confirming it!

I think we can close this issue since there is nothing to do on the Podman side.

I found the issue. I followed this guide:

https://unix.stackexchange.com/questions/176593/how-to-influence-the-assignment-of-subordinate-uids-gids-when-creating-user-acco

user=<insertusername>   # replace with the homed user's name
uid=$(id -u "$user")
# usermod -v/--add-subuids and -w/--add-subgids append ranges to /etc/subuid and /etc/subgid
sudo usermod -v "$((uid+200000))-$((uid+200000+65535))" -w "$((uid+200000))-$((uid+200000+65535))" "$user"

This created the missing entries in /etc/subuid and /etc/subgid.

Seems that when you don’t use systemd-homed all this is done automatically.

After setting this up I was able to pull an image.

Also containers are working.
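The diagnosis above (no /etc/subuid or /etc/subgid entry for a homed user, visible in the podman info output as an idMappings block of size 1) and the fix (allocating a subordinate range) can be checked with a small script. The following is an added example written for this page; it is not code from the issue's participants or from the Podman project. It assumes the shadow-utils file format user:start:count for /etc/subuid and /etc/subgid and shadow's default SUB_UID_MIN of 100000 and SUB_UID_COUNT of 65536 from /etc/login.defs; the file contents and uid_map lines it operates on are constructed samples, so on a real host feed it "$(cat /etc/subuid)", "$(cat /etc/subgid)" and the output of podman unshare cat /proc/self/uid_map instead. The function names (subid_count, next_free_range, subid_entry, mapped_ids) are this example's own.

```shell
#!/bin/sh
# Added example, not from the Podman project or the issue's author.
# Checks whether a user owns subordinate IDs and, if not, computes a
# non-overlapping range to add, the way shadow's useradd would.

# Constructed sample of /etc/subuid: two conventional entries and no
# entry for the systemd-homed user "ananth" (uid 60237 in the report).
SAMPLE_SUBUID='alice:100000:65536
bob:165536:65536'

# subid_count FILE_CONTENT USER [UID]
# Prints the total number of subordinate IDs owned by USER. The first
# field of /etc/subuid may be a name or a numeric UID; both are matched.
subid_count() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v uid="$3" '
        NF >= 3 && ($1 == u || (uid != "" && $1 == uid)) { total += $3 }
        END { print total + 0 }'
}

# next_free_range FILE_CONTENT [MIN] [COUNT]
# Prints "START:COUNT" for the lowest range of COUNT IDs at or above MIN
# (defaults are shadow's SUB_UID_MIN=100000 and SUB_UID_COUNT=65536)
# that does not overlap any existing entry in FILE_CONTENT.
next_free_range() {
    min=${2:-100000}
    count=${3:-65536}
    printf '%s\n' "$1" | awk -F: -v min="$min" -v count="$count" '
        BEGIN { n = 0 }
        NF >= 3 && $3 > 0 { start[n] = $2; end[n] = $2 + $3; n++ }
        END {
            cand = min
            changed = 1
            while (changed) {
                changed = 0
                for (i = 0; i < n; i++) {
                    # half-open overlap test of [cand, cand+count) against [start, end)
                    if (cand < end[i] && cand + count > start[i]) {
                        cand = end[i]; changed = 1
                    }
                }
            }
            print cand ":" count
        }'
}

# subid_entry USER UID FILE_CONTENT
# Prints the line to append to /etc/subuid (or /etc/subgid) for USER,
# refusing a range that would contain the user's own UID.
subid_entry() {
    range=$(next_free_range "$3")
    start=${range%%:*}
    count=${range##*:}
    if [ "$2" -ge "$start" ] && [ "$2" -lt $((start + count)) ]; then
        echo "refusing: uid $2 lies inside $range" >&2
        return 1
    fi
    printf '%s:%s:%s\n' "$1" "$start" "$count"
}

# mapped_ids UID_MAP_CONTENT
# Sums the length column of a /proc/<pid>/uid_map. A total of 1 means
# only the user's own UID is mapped, i.e. newuidmap had no range to grant.
mapped_ids() {
    printf '%s\n' "$1" | awk 'NF == 3 { total += $3 } END { print total + 0 }'
}

# Constructed uid_map contents: the broken state from the report, and
# the state expected once a 65536-ID range has been added.
SAMPLE_UID_MAP_BROKEN='         0      60237          1'
SAMPLE_UID_MAP_OK='         0      60237          1
         1     231072      65536'

# Stand-alone demonstration against the constructed sample.
user=ananth
if [ "$(subid_count "$SAMPLE_SUBUID" "$user" 60237)" -eq 0 ]; then
    echo "no subuid entry for $user; add: $(subid_entry "$user" 60237 "$SAMPLE_SUBUID")"
fi
echo "IDs mapped in the broken namespace: $(mapped_ids "$SAMPLE_UID_MAP_BROKEN")"
```

The same line is needed in /etc/subgid, since newgidmap reads that file independently. Whether you append it with usermod -v/-w as in the comment above or by editing the files directly, run podman system migrate afterwards so Podman re-reads the mappings, then confirm with podman unshare cat /proc/self/uid_map that a second line with the 65536-ID range appears.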