podman: Rootless build: cannot specify gid= mount options for unmapped gid in rootless containers

/kind bug

Note: I’m unsure whether this is a bug in buildah or podman. Please tell if I should file another bug report against buildah.

Description

Consider this simple Dockerfile:

FROM fedora:28
RUN dnf -y update

Using podman --log-level=debug build . fails with cannot specify gid= mount options for unmapped gid in rootless containers, logs here. (Note: the logs are copy-pasted from the terminal, if I redirect stderr, podman just hangs right before the error.)

Steps to reproduce the issue:

See above.

Describe the results you received:

cannot specify gid= mount options for unmapped gid in rootless containers

Describe the results you expected:

A successful build.

Output of podman version:

Version:       0.7.2
Go Version:    go1.10.3
OS/Arch:       linux/amd64

Output of podman info:

<snip>
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ContainerStore:
    number: 4
  GraphDriverName: vfs
  GraphOptions: []
  GraphRoot: /var/home/engelke/.local/share/containers/storage
  GraphStatus: {}
  ImageStore:
    number: 2
  RunRoot: /run/user/1000/run

Additional environment details (AWS, VirtualBox, physical, etc.):

Operating system is Fedora Atomic Workstation 28.20180723.0.

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 20 (11 by maintainers)

Most upvoted comments

I think that is a bug in runc. It should not barf if we are already in a user namespace but we don’t specify UID/GID mappings in the OCI spec file. I’ve already fixed a similar issue in runc (https://github.com/opencontainers/runc/commit/cbcc85d311725031e5957385f3ad43acfc0b66f2) and it is probably a similar one. To avoid these kinds of issues altogether in podman I’ve added this code ed0261176b2bd9ccd9a6cbf77727429429b8fedc that is probably missing in Buildah.

About the rootless network support: @AkihiroSuda and I decided to collaborate on https://github.com/AkihiroSuda/slirp4netns as I was working on a similar project. We are discussing moving it to https://github.com/rootless-containers/ but we will need a way to distribute it in Fedora (new package?) so that it can be used from our tools to set up the network.
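
For the error discussed in the first comment above: the message concerns a `gid=` mount option whose GID has no mapping. The Go sketch below is an added example, not code from runc, Buildah or podman. It parses `/proc/<pid>/gid_map`-format text and reports the first `gid=` option that no mapping covers, including the case where no mappings are supplied at all. The map contents and the devpts option string are constructed assumptions, and `idMap`, `parseIDMap` and `unmappedGID` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

const devptsOpts = "nosuid,noexec,newinstance,ptmxmode=0666,mode=0620,gid=5" // assumed typical devpts options, not from the issue's logs

// idMap is one gid_map line: first ID inside the namespace, first ID outside, range length.
type idMap struct{ inside, outside, size int64 }

// parseIDMap parses /proc/<pid>/gid_map text; empty input yields no mappings.
func parseIDMap(text string) ([]idMap, error) {
	var maps []idMap
	for _, line := range strings.Split(text, "\n") {
		var m idMap
		n, _ := fmt.Sscan(line, &m.inside, &m.outside, &m.size)
		if f := len(strings.Fields(line)); f == 0 {
			continue // blank line
		} else if f != 3 || n != 3 {
			return nil, fmt.Errorf("malformed map line %q", line)
		}
		maps = append(maps, m)
	}
	return maps, nil
}

// unmappedGID returns the first gid= value in a comma-separated option string that no mapping covers.
func unmappedGID(opts string, maps []idMap) (int64, bool) {
	for _, o := range strings.Split(opts, ",") {
		var gid int64
		if _, err := fmt.Sscanf(o, "gid=%d", &gid); err != nil {
			continue // not a gid= option
		}
		mapped := false
		for _, m := range maps {
			mapped = mapped || (gid >= m.inside && gid < m.inside+m.size)
		}
		if !mapped {
			return gid, true
		}
	}
	return 0, false
}

func main() {
	m, _ := parseIDMap("0 1000 1\n") // constructed: only the caller's own GID is mapped
	fmt.Println(unmappedGID(devptsOpts, m))
}
```

With a single-ID map, or with no mappings at all, `gid=5` is reported as unmapped; adding a subordinate range such as `1 100000 65536` covers it.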