### Issue Description

When a container runs with a user whose group is nogroup or nobody, the container fails to run when using the --userns=auto option.
### Steps to reproduce the issue

Create Containerfile

```Dockerfile
FROM alpine:edge
RUN addgroup -g 101 -S testuser && adduser -S -D -H -u 101 -s /sbin/nologin -G nogroup -g testuser testuser
USER testuser
```

```shell
podman build -t test:latest .
podman run --userns=auto --rm test:latest cat /etc/group
```
### Describe the results you received

```
Error: container uses ID mappings ([]specs.LinuxIDMapping{specs.LinuxIDMapping{ContainerID:0x0, HostID:0x1, Size:0xfffd}}), but doesn't map GID 65533
```

### Describe the results you expected

Container to run.
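A pre-flight check for the situation in the error above, as an added example (not podman's own code): given an image's /etc/passwd and /etc/group content, it reports which of the `USER`'s IDs a mapping leaves out and the smallest `--userns=auto:size=N` that would cover every declared ID. The mapping values come from the error message; the passwd/group entries and all helper names are constructed here, and `--userns=auto:size=` is assumed to be the podman option for an explicit namespace size.

```python
"""Pre-flight check of --userns=auto mappings against an image's account files (added example, not podman code)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class IDMapping:
    container_id: int  # first ID inside the container's user namespace
    host_id: int       # first host ID it maps to
    size: int          # number of consecutive IDs covered

def is_mapped(mappings, ident):
    """True if container UID/GID `ident` lies inside some mapping range."""
    return any(m.container_id <= ident < m.container_id + m.size for m in mappings)

def user_ids(passwd_text, name):
    """(uid, primary gid) of `name` from /etc/passwd content: the two IDs the
    runtime must be able to map for USER to work."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == name:
            return int(f[2]), int(f[3])
    raise KeyError(name)

def all_ids(passwd_text, group_text):
    """Every UID from /etc/passwd and GID from /etc/group (third column of each)."""
    ids = set()
    for text in (passwd_text, group_text):
        for line in text.splitlines():
            f = line.split(":")
            if len(f) >= 3 and f[2].isdigit():
                ids.add(int(f[2]))
    return ids

def min_auto_size(passwd_text, group_text):
    """Smallest N for --userns=auto:size=N that covers every declared ID; the
    auto mapping starts at container ID 0, so N must exceed the largest ID."""
    return max(all_ids(passwd_text, group_text)) + 1

def check_user(mappings, passwd_text, name):
    """Which of the user's IDs ('uid', 'gid') the mappings leave unmapped."""
    uid, gid = user_ids(passwd_text, name)
    return [label for label, i in (("uid", uid), ("gid", gid)) if not is_mapped(mappings, i)]

# Constructed sample: the mapping quoted in the error ({ContainerID:0x0,
# HostID:0x1, Size:0xfffd}) and alpine-style passwd/group entries in which
# testuser's primary group is nogroup (GID 65533).
REPORTED_MAPPING = [IDMapping(container_id=0, host_id=1, size=0xFFFD)]
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\ntestuser:x:101:65533:testuser:/:/sbin/nologin\n"
SAMPLE_GROUP = "root:x:0:\nnogroup:x:65533:\nnobody:x:65534:\n"
```

`check_user(REPORTED_MAPPING, SAMPLE_PASSWD, "testuser")` returns `["gid"]` for the reported mapping and `[]` once the size reaches 65534 or more, which is why the run fails only for users placed in nogroup or nobody.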
### podman info output

```yaml
host:
  arch: amd64
  buildahVersion: 1.37.2
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-2.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 97.4
    systemPercent: 0.85
    userPercent: 1.75
  cpus: 16
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: bluefin-dx
    version: "40"
  eventLogger: journald
  freeLocks: 2017
  hostname: fedora
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.10.6-200.fc40.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 14890962944
  memTotal: 33340833792
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.12.2-2.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.12.2
    package: netavark-1.12.2-1.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.12.2
  ociRuntime:
    name: crun
    package: crun-1.17-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.17
      commit: 000fa0d4eeed8938301f3bcf8206405315bc1017
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240906.g6b38f07-1.fc40.x86_64
    version: |
      pasta 0^20240906.g6b38f07-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-2.fc40.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 0h 57m 15.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /var/home/athey/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/athey/.local/share/containers/storage
  graphRootAllocated: 1998678130688
  graphRootUsed: 1392384966656
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 79
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /var/home/athey/.local/share/containers/storage/volumes
version:
  APIVersion: 5.2.2
  Built: 1724198400
  BuiltTime: Tue Aug 20 19:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.6
  Os: linux
  OsArch: linux/amd64
  Version: 5.2.2
```
### Podman in a container
No
### Privileged Or Rootless
Rootless
### Upstream Latest Release
No
### Additional environment details
_No response_
### Additional information
Users can be listed under `nogroup`, as the container just doesn't run when `USER` uses a user who is a part of those groups.
Use of these groups appears in some distro packages, so this can be caused by simply installing said package rather than creating a container like this.