youki: Unable to start rootless container under Podman when Youki used as runtime
When I try to start a rootless podman container with Youki used as runtime, it tries to create a /run/youki directory, which, since it is not running as root, fails with permission denied.
Youki version: 0.0.2 (commit: 0.0.2-0-73dc75c)
% podman create --runtime /home/ondra/.cargo/bin/youki --name fedora fedora
128fed7131b2a59030b9691108977dd0b4fc4c1fcc6b064c6f4c16d615637b96
% podman start fedora
Error: failed to create directory /run/youki
Caused by:
Permission denied (os error 13)
ERRO[0000] Error removing container 128fed7131b2a59030b9691108977dd0b4fc4c1fcc6b064c6f4c16d615637b96 from runtime after creation failed
Error: unable to start container "128fed7131b2a59030b9691108977dd0b4fc4c1fcc6b064c6f4c16d615637b96": Permission denied (os error 13): OCI permission denied
About this issue
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 18 (12 by maintainers)
Going ahead and closing this. Thank you everyone!
@ondra05 this took a long time, but with current main, this should be resolved. Can you verify once, otherwise I’ll close this in few days, Thanks!
My previous comment was just a guess, but I did some more research.
When in rootless mode, podman creates a user namespace in the very early phase. (userns is created in PersistentPreRunE of rootCmd.) So when youki is invoked by podman, youki runs as root, uid mapped in the userns.
runc and crun seem to check whether /proc/self/uid_map contains “4294967295” to decide if they run in rootless. Should youki do the same, maybe in rootless_required()? It seems to me that checking nix::unistd::geteuid().is_root() only is not enough to determine rootless. Maybe we should consult /proc/self/uid_map also?
I’m having the same issue with Ubuntu 20.04.1 !
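The uid_map check described in the comment above, written out as an added example (not youki's own code, and not runc's or crun's). It parses the three-column `/proc/self/uid_map` format, treats the presence of the full identity mapping `0 0 4294967295` as "initial user namespace", and combines that with the effective uid: a process that is euid 0 but sits inside a non-initial user namespace (the podman rootless case) is still rootless. The function names `parse_id_map`, `is_initial_userns` and `rootless_required` are this example's own; the euid is read from the `Uid:` line of `/proc/self/status` so the block needs only the standard library.

```rust
use std::fs;
use std::io;

/// One line of /proc/<pid>/uid_map or gid_map: "<inside> <outside> <count>".
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub struct IdMapEntry {
    pub inside: u32,
    pub outside: u32,
    pub count: u32,
}

/// Parse the text of a uid_map/gid_map file. Every non-empty line must
/// carry exactly three unsigned integer fields; anything else is an error
/// rather than silently treated as "not mapped".
pub fn parse_id_map(text: &str) -> Result<Vec<IdMapEntry>, String> {
    let mut entries = Vec::new();
    for (idx, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() {
            continue;
        }
        let fields: Vec<&str> = line.split_whitespace().collect();
        if fields.len() != 3 {
            return Err(format!("line {}: expected 3 fields, got {}", idx + 1, fields.len()));
        }
        let num = |s: &str| {
            s.parse::<u32>()
                .map_err(|e| format!("line {}: bad field {:?}: {}", idx + 1, s, e))
        };
        entries.push(IdMapEntry {
            inside: num(fields[0])?,
            outside: num(fields[1])?,
            count: num(fields[2])?,
        });
    }
    Ok(entries)
}

/// The initial user namespace is the only one whose uid_map contains the
/// full identity mapping "0 0 4294967295" (4294967295 == u32::MAX). A
/// rootless podman child, by contrast, sees something like "0 1000 1".
pub fn is_initial_userns(entries: &[IdMapEntry]) -> bool {
    entries
        .iter()
        .any(|e| e.inside == 0 && e.outside == 0 && e.count == u32::MAX)
}

/// Rootless is required when the effective uid is not 0, OR when we are
/// uid 0 only by virtue of a user-namespace mapping (the podman case from
/// the issue). Checking euid alone would wrongly report "root" there.
pub fn rootless_required(euid: u32, uid_map_text: &str) -> Result<bool, String> {
    if euid != 0 {
        return Ok(true);
    }
    let entries = parse_id_map(uid_map_text)?;
    Ok(!is_initial_userns(&entries))
}

/// Effective uid of the calling process, taken from the second field of
/// the "Uid:" line in /proc/self/status (real, effective, saved, fs).
fn effective_uid_from_status(status: &str) -> Option<u32> {
    let line = status.lines().find(|l| l.starts_with("Uid:"))?;
    line.split_whitespace().nth(2)?.parse().ok()
}

/// Apply the check to the current process using the real /proc files.
pub fn rootless_required_self() -> io::Result<bool> {
    let status = fs::read_to_string("/proc/self/status")?;
    let euid = effective_uid_from_status(&status)
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidData, "no Uid: line"))?;
    let uid_map = fs::read_to_string("/proc/self/uid_map")?;
    rootless_required(euid, &uid_map).map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))
}

fn main() {
    match rootless_required_self() {
        Ok(rootless) => println!("rootless required: {}", rootless),
        Err(e) => eprintln!("could not determine rootless mode: {}", e),
    }
}
```

A runtime that gets `true` back here should pick a per-user state directory (for example under `$XDG_RUNTIME_DIR`) instead of `/run/youki`, which is exactly the path that fails with EACCES in the report above.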