The simple scenario is this; in this tutorial:
podman
without sudo
cgroups2
on Ubuntu.To run bash
in an Ubuntu container without needing root/sudo
privilege(s). The command line, is:
podman run --rm --interactive --tty ubuntu bash
This command bring the following result:
$ podman run --rm --interactive --tty ubuntu:20.10 bash
Completed short name "ubuntu" with unqualified-search registries (origin: /etc/containers/registries.conf)
Trying to pull docker.io/library/ubuntu:20.10...
Getting image source signatures
Copying blob 79e7e9027772 done
Copying blob eed86eef5a46 done
Copying blob 1b553362680b done
Copying config deb373a625 done
Writing manifest to image destination
Storing signatures
Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs
available in user namespace (requested 0:42 for /etc/gshadow):
Check /etc/subuid and /etc/subgid: lchown /etc/gshadow: invalid argument
Error: Error committing the finished image: error adding layer with
blob "sha256:eed86eef5a4687135cb1ba7c55da6af79c9182e8bf59b53a880d1b334515c8e3":
Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs
available in user namespace (requested 0:42 for /etc/gshadow): Check /etc/subuid
and /etc/subgid: lchown /etc/gshadow: invalid argument
Which led us to believe that some further privilege is necessary (may be not root, but...). This has been confirmed by running the same command with sudo
-- it works quite happily with the exception that the popdman Ubuntu
image is runs as root
on my PC. Not the happy outcome I expect.
Presently the /etc/subuid
and /etc/subgid
files on this machine only have entries for a few samba
users and a wireshark
user, as shown:
/etc/subgid /etc/subgid
tsmith:100000:65536 tsmith:100000:65536
demo:165536:65536 demo:165536:65536
smbguest:231072:65536 smbguest:231072:65536
wireshark:296608:65536 wireshark:296608:65536
I don't realy have guidence at this point. I realise there's something I need to do with subuid
-s and subgid
-s for this example to work. So far I've had no luck finding some tip or documentaton as to what is needed. Except to not edit the files directly -- Fair enough.
Also in the above mentioned tutorial, is a non-sudo
example looking at the subuid
-s:
$ podman unshare cat /proc/self/uid_map
0 1000 1
1 100000 65536
I ask myself is that is user #1 just an example or did I miss a step? When I do the same thing on this PC, all I see is:
$ podman unshare cat /proc/self/uid_map
0 1000 1
Without a user #1, only a user #0. What action do I take? The queston herer now is:
bash
shell run rootless in the container?
bash
run rootless.I eventually got Ubuntu working with a rootless container by applying ALL the steps herewithin...
It almost was as if these were the same points as in the original article I used to begin with, so I can't really say which bit didn't get done right the first time. The steps in that post definitely do the job.
It is very important (imho) to confirm that your container is rootless. Sometimes you can still be running as root but think it is "working".