podman: Running rootless containers on ubuntu bionic doesn't work

kind bug

Description

After having installed podman on an ubuntu bionic system using the PPA and attempting to run a container, I got:

* Error committing the finished image: error adding layer with blob "sha256:32802c0cfa4defde2981bec336096350d0bb490469c494e21f678b1dcf6d831f": ApplyLayer exit status 1 stdout:  stderr: lchown /etc/gshadow: invalid argument

The machine in question is a recently installed from scratch Ubuntu Bionic with not a ton installed.

Steps to reproduce the issue:

  1. Install podman:
sudo add-apt-repository ppa:projectatomic/ppa
sudo apt-get update
sudo apt-get install podman
  2. Install a registries.conf file:
# This is a system-wide configuration file used to
# keep track of registries for various container backends.
# It adheres to TOML format and does not support recursive
# lists of registries.

# The default location for this configuration file is /etc/containers/registries.conf.

# The only valid categories are: 'registries.search', 'registries.insecure', 
# and 'registries.block'.

[registries.search]
registries = ['docker.io']

# If you need to access insecure registries, add the registry's fully-qualified name.
# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
[registries.insecure]
registries = []


# If you need to block pull access from a registry, uncomment the section below
# and add the registries fully-qualified name.
#
# Docker only
[registries.block]
registries = []
  3. Try to run a container:
podman run -it --rm ubuntu /bin/sh

Describe the results you received:

Trying to pull docker.io/ubuntu:latest...Getting image source signatures
Copying blob sha256:32802c0cfa4defde2981bec336096350d0bb490469c494e21f678b1dcf6d831f
 30.62 MB / 30.62 MB [======================================================] 7s
Copying blob sha256:da1315cffa03c17988ae5c66f56d5f50517652a622afc1611a8bdd6c00b1fde3
 847 B / 847 B [============================================================] 0s
Copying blob sha256:fa83472a3562898caaf8d77542181a473a84039376f2ba56254619d9317ba00d
 556 B / 556 B [============================================================] 0s
Copying blob sha256:f85999a86bef2603a9e9a4fa488a7c1f82e471cbb76c3b5068e54e1a9320964a
 162 B / 162 B [============================================================] 0s
Copying config sha256:93fd78260bd1495afb484371928661f63e64be306b7ac48e2d13ce9422dfee26
 3.32 KB / 3.32 KB [========================================================] 0s
Writing manifest to image destination
Storing signatures
ERRO[0011] Error while applying layer: ApplyLayer exit status 1 stdout:  stderr: lchown /etc/gshadow: invalid argument 
Failed
unable to pull ubuntu: 1 error occurred:

* Error committing the finished image: error adding layer with blob "sha256:32802c0cfa4defde2981bec336096350d0bb490469c494e21f678b1dcf6d831f": ApplyLayer exit status 1 stdout:  stderr: lchown /etc/gshadow: invalid argument

Describe the results you expected:

To be in a shell in the container.

Additional information you deem important (e.g. issue happens only occasionally):

Happens for other containers - it’s not just an ubuntu container.

Output of podman version:

Version:       0.11.2-dev
Go Version:    go1.10.4
OS/Arch:       linux/amd64

Output of podman info:

host:
  BuildahVersion: 1.5-dev
  Conmon:
    package: 'cri-o-1.12: /usr/lib/crio/bin/conmon'
    path: /usr/lib/crio/bin/conmon
    version: 'conmon version 1.12.4-dev, commit: '
  Distribution:
    distribution: ubuntu
    version: "18.04"
  MemFree: 190324736
  MemTotal: 8241233920
  OCIRuntime:
    package: 'cri-o-runc: /usr/sbin/runc'
    path: /usr/sbin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 483840000
  SwapTotal: 1027600384
  arch: amd64
  cpus: 4
  hostname: solace
  kernel: 4.15.0-29-generic
  os: linux
  rootless: true
  uptime: 73h 46m 19.84s (Approximately 3.04 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
store:
  ContainerStore:
    number: 0
  GraphDriverName: vfs
  GraphOptions: []
  GraphRoot: /home/mordred/.local/share/containers/storage
  GraphStatus: {}
  ImageStore:
    number: 0
  RunRoot: /run/user/1001

Additional environment details (AWS, VirtualBox, physical, etc.):

Lenovo Thinkpad Laptop

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 19 (12 by maintainers)

Most upvoted comments

@asm582 can you try to do podman system migrate first? If it still doesn’t work, please attach the output of: podman unshare cat /proc/self/uid_map

Should we add a troubleshooting note that moving directories out of /home will solve this?

For completeness, the following is what is needed to get rootless podman working on ubuntu bionic:

sudo add-apt-repository ppa:projectatomic/ppa
sudo apt-get update
sudo apt-get install podman uidmap
echo "$(whoami):10000:65536" | sudo tee /etc/subuid
echo "$(whoami):10000:65536" | sudo tee /etc/subgid
echo -e "[registries.search]\nregistries = ['docker.io']" | sudo tee /etc/containers/registries.conf
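
Added example (not part of the issue thread and not podman's own code): a preflight check for what the last comment sets up, namely the uidmap helpers and a 65536-ID range for the user in the subuid and subgid files. The function names and sample values are hypothetical; `id_is_mapped` reads text in the format printed by `podman unshare cat /proc/self/uid_map`.

```shell
#!/bin/sh
# Preflight for rootless podman ID mappings (added example).

# Total subordinate IDs delegated to USER in a subuid/subgid-format file
# (lines of "name:start:count"); malformed lines are ignored.
subid_count() {  # FILE USER
    awk -F: -v u="$2" \
        '$1 == u && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { n += $3 }
         END { print n + 0 }' "$1"
}

# Succeeds if container-side ID $1 is covered by the uid_map/gid_map text
# on stdin (lines of "inside-start outside-start count"). An ID with no
# mapping cannot be the target of chown inside the user namespace, which
# is how a layer unpack ends in "lchown ...: invalid argument".
id_is_mapped() {  # ID
    awk -v id="$1" \
        'NF == 3 && id >= $1 && id < $1 + $3 { ok = 1 }
         END { exit !ok }'
}

# Succeeds if newuidmap and newgidmap (uidmap package) are on PATH.
have_idmap_helpers() {
    command -v newuidmap >/dev/null 2>&1 &&
        command -v newgidmap >/dev/null 2>&1
}

# Prints one line per problem; returns 0 only when both files delegate
# at least 65536 IDs (the count used in the thread) to USER.
check_subids() {  # USER SUBUID_FILE SUBGID_FILE
    rc=0
    for f in "$2" "$3"; do
        n=$(subid_count "$f" "$1")
        [ "$n" -ge 65536 ] ||
            { echo "$f: $1 has $n subordinate IDs, want >= 65536"; rc=1; }
    done
    return $rc
}

# CLI use: sh preflight.sh USER  (reads the real /etc/subuid and /etc/subgid)
if [ "$#" -eq 1 ]; then
    have_idmap_helpers || echo "newuidmap/newgidmap not found"
    check_subids "$1" /etc/subuid /etc/subgid
fi
```

On a host that already has subordinate ranges for other accounts, note that `tee` without `-a` replaces the whole file, so run the check for those accounts as well after editing.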