podman: Running podman rootless gives ERRO[0000] cannot setup namespace using newuidmap: exit status 1

/kind bug

Hi, I just installed Podman on Fedora 29 but running anything rootless gives me the error:

ERRO[0000] cannot setup namespace using newuidmap: exit status 1

eg.

$ podman info
ERRO[0000] cannot setup namespace using newuidmap: exit status 1

I made sure my username is in /etc/subuid and /etc/subgid:

$ cat /etc/subuid
kdubois:100000:65536

$ cat /etc/subgid
kdubois:100000:65536

Running podman as root works fine:

$ sudo podman info
host:
  BuildahVersion: 1.7.1
  Conmon:
    package: podman-1.1.2-1.git0ad9b6b.fc29.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: a95a49d3038462d033f84ac314ec8a3064a99cff'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 8967946240
  MemTotal: 33567715328
  OCIRuntime:
    package: runc-1.0.0-68.dev.git6635b4f.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: ef9132178ccc3d2775d4fb51f1e431f30cac1398-dirty
      spec: 1.0.1-dev
  SwapFree: 16852709376
  SwapTotal: 16852709376
  arch: amd64
  cpus: 8
  hostname: kdubois-redhat
  kernel: 4.20.13-200.fc29.x86_64
  os: linux
  rootless: false
  uptime: 27h 46m 28.7s (Approximately 1.12 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mountopt=nodev
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 1
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Steps to reproduce the issue:

sudo dnf install podman
podman info

Output of podman version:

$ podman version
Version:            1.1.2
RemoteAPI Version:  1
Go Version:         go1.11.5
Git Commit:         a95a49d3038462d033f84ac314ec8a3064a99cff
Built:              Tue Mar  5 19:10:31 2019
OS/Arch:            linux/amd64

Output of podman info --debug:

$ sudo podman info --debug
debug:
  compiler: gc
  git commit: a95a49d3038462d033f84ac314ec8a3064a99cff
  go version: go1.11.5
  podman version: 1.1.2
host:
  BuildahVersion: 1.7.1
  Conmon:
    package: podman-1.1.2-1.git0ad9b6b.fc29.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: a95a49d3038462d033f84ac314ec8a3064a99cff'
  Distribution:
    distribution: fedora
    version: "29"
  MemFree: 8933810176
  MemTotal: 33567715328
  OCIRuntime:
    package: runc-1.0.0-68.dev.git6635b4f.fc29.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: ef9132178ccc3d2775d4fb51f1e431f30cac1398-dirty
      spec: 1.0.1-dev
  SwapFree: 16852709376
  SwapTotal: 16852709376
  arch: amd64
  cpus: 8
  hostname: kdubois-redhat
  kernel: 4.20.13-200.fc29.x86_64
  os: linux
  rootless: false
  uptime: 27h 50m 30.71s (Approximately 1.12 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mountopt=nodev
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 1
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Additional environment details (AWS, VirtualBox, physical, etc.): Physical Fedora 29 install

About this issue

Original URL
State: closed
Created 5 years ago
Reactions: 1
Comments: 30 (12 by maintainers)

Most upvoted comments

Mmm Using strace I’ve seen

newuidmap: write to uid_map failed: Operation not permitted

Googling around I tried to

chmod 4755 /usr/bin/newgidmap
chmod 4755 /usr/bin/newuidmap

And now podman works.

+24

alcir on Apr 4, 2019

Well, a followup (fresh install and full update):

dnf reinstall shadow-utils
...
Reinstalled:
  shadow-utils-2:4.6-4.fc29.x86_64

And now rpm -qV shadow-utils doesn’t return anything, while getcap /usr/bin/newuidmap /usr/bin/newgidmap returns

/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/newgidmap = cap_setgid+ep

And podman works.

+11

alcir on Apr 5, 2019

It looks like just restarting my session did the trick 😅

kdubois on Mar 28, 2019

I ran in the same issue (on Fedora 35) and the proposed solution didn’t work for me (granting setuid to /usr/bin/newuidmap and setcap cap_setuid+eip /usr/bin/newuidmap). I fixed the issue by running the following commands:

sudo chmod u-s /usr/bin/new[gu]idmap
setcap cap_setuid+eip /usr/bin/newuidmap
sudo setcap cap_setgid+eip /usr/bin/newgidmap

This fixed the error for me and I got podman info working for my normal user

rkachach on Jan 19, 2022

rpm -qV --shadow-utils Before your change. They could have mounted the /usr as nosuid, but your change would not have fixed this. On default Fedora 29 getcap /usr/bin/newuidmap /usr/bin/newgidmap /usr/bin/newuidmap = cap_setuid+ep /usr/bin/newgidmap = cap_setgid+ep

These two capabilities should be all you need.

rhatdan on Apr 4, 2019

@alcir Thank you, that helped me out just now! On Arch linux, the relevant package is called shadow. Reinstalling that with pacman -S shadow fixed it for me, no more issues.

jannisbecker on Jun 22, 2022

FYI, I had this error when I had two entries in /etc/subuid and the first entry was not sufficient resource access to use podman.

funkytaco on Dec 24, 2019

Same problem here, but restarting the session doesn’t resolve the issue.

alcir on Apr 4, 2019