Podman Permission Error While Running as Jenkins User Inside a Container

[shay1197]

I hope this message finds you well.

I am encountering an issue while trying to run Podman commands inside a container as the jenkins user. The goal is to execute these commands without requiring root privileges. However, I am receiving the following error message:

vbnet
Copy code
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1
newuidmap: open of uid_map failed: Permission denied
I have ensured that the jenkins user has the correct entries in both /etc/subuid and /etc/subgid:

/etc/subuid: jenkins:100000:65536
/etc/subgid: jenkins:100000:65536
Despite this configuration, the error persists. I’ve also tried setting the necessary capabilities for newuidmap and newgidmap using the following commands, but without success:

bash
Copy code
sudo setcap cap_setuid+ep /usr/bin/newuidmap
sudo setcap cap_setgid+ep /usr/bin/newgidmap
I am seeking assistance in resolving this issue, as the main objective is to run Podman commands as the jenkins user without requiring root access.

Any advice or guidance you could provide would be greatly appreciated.

this is the error message-
INFO[0000] podman filtering at log level debug
DEBU[0000] Called login.PersistentPreRunE(podman --log-level=debug login golem.ilntsur.loc:48444)
DEBU[0000] Merged system config "/usr/share/containers/containers.conf"
DEBU[0000] Failed to decode the keys ["network_backend" "unqualified-search-registries"] from "/home/jenkins/.config/containers/containers.conf".
DEBU[0000] Merged system config "/home/jenkins/.config/containers/containers.conf"
DEBU[0000] Using conmon: "/usr/bin/conmon"
DEBU[0000] Initializing boltdb state at /home/jenkins/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver vfs
DEBU[0000] Using graph root /home/jenkins/.local/share/containers/storage
DEBU[0000] Using run root /tmp/podman-run-1000/containers
DEBU[0000] Using static dir /home/jenkins/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /tmp/podman-run-1000/libpod/tmp
DEBU[0000] Using volume path /home/jenkins/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] Not configuring container store
DEBU[0000] Initializing event backend file
DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Using OCI runtime "/usr/bin/crun"
ERRO[0000] running /usr/bin/newuidmap 241 0 1000 1 1 100000 65536: newuidmap: open of uid_map failed: Permission denied
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1

This is the part of the docker file that belong to Podman:

fuse-overlayfs \
libcap2-bin \
podman passwd login libsubid4 libsubid-dev uidmap slirp4netns containers-storage iptables \
&& apt clean \
&& rm -rf /var/lib/apt/lists/*

podman config

#RUN --mount=type=cache,target=/var/cache/apt \

echo 'deb http://deb.debian.org/debian/ sid main' > /etc/apt/sources.list.d/podman.list \

&& apt-get -q update \

&& DEBIAN_FRONTEND=noninteractive apt install -y -qq --no-install-recommends -t sid podman

Set capabilities for newuidmap and newgidmap

RUN setcap cap_setuid+ep /usr/bin/newuidmap &&
setcap cap_setgid+ep /usr/bin/newgidmap

RUN podman system migrate

Configure the registries.conf file

RUN echo 'unqualified-search-registries = ["docker.io", "golem.ilntsur.loc:48444"]' > /etc/containers/registries.conf

Configure the containers.conf file

RUN mkdir -p /home/jenkins/.config/containers &&
echo 'network_backend="netavark"' >> /home/jenkins/.config/containers/containers.conf &&
echo "unqualified-search-registries = ["docker.io", "golem.ilntsur.loc:48444"]" >> /home/jenkins/.config/containers/containers.conf

Set ownership of the config directory

RUN chown -R jenkins:jenkins /home/jenkins/.config

RUN echo "[storage]" > /etc/containers/storage.conf &&
echo "graphroot = "/home/jenkins/.local/share/containers/storage"" >> /etc/containers/storage.conf &&
echo "runroot = "/run/user/1000/containers/storage"" >> /etc/containers/storage.conf &&
echo "driver = "fuse-overlayfs"" >> /etc/containers/storage.conf &&
echo "[storage.options]" >> /etc/containers/storage.conf &&
echo "mount_program = "/usr/bin/fuse-overlayfs"" >> /etc/containers/storage.conf

RUN mkdir -p /home/jenkins/.local/share/containers/storage &&
chown -R jenkins:jenkins /home/jenkins/.local/share/containers/storage

[rhatdan]

First does the Jenkins user have 165k UIDs defined within its container?

The container you are running podman in, has to have enough UIDs to handle the user namespace within the container.
The container also needs to have CAP_SETUID and CAP_SETGID within the user namespace that you are running the container.

[shay1197]

Thanks, I add it and now the error disappeared but now I am getting this error-

• podman login --tls-verify=false -u admin -p balba22 balbabla:8444
  time="2024-10-13T20:54:16Z" level=warning msg=""/" is not a shared mount, this could cause issues or missing mounts with rootless containers"
  Error: configure storage: mount /home/jenkins/.local/share/containers/storage/overlay:/home/jenkins/.local/share/containers/storage/overlay, flags: 0x1000: permission denied

any change does you know what is this error?

[shay1197]

I tryied to use stable versio got also this message

[2/13] STEP 1/13: FROM jenkins/inbound-agent:3256.v88a_f6e922152-4-jdk17 AS base
Resolving "jenkins/inbound-agent" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/jenkins/inbound-agent:3256.v88a_f6e922152-4-jdk17...
Getting image source signatures
Copying blob sha256:d3915ffa03dd97aeff52883276bf9048d5f45fee6f5c274df6877acac5d35abb
Copying blob sha256:55867a3b2a3b8dad7b0d2be7659ca4b6e9c6785587ec479ab8b39da364b706d4
Copying blob sha256:142683d3f5578ae8156707f6c20be3ceb67e1b9f2ae3bb725b9448c193c38dae
Copying blob sha256:a445b84e64466cf2b1855021971fe4554a302b17009a8df7ae676501e4bb59e0
Copying blob sha256:f11c1adaa26e078479ccdd45312ea3b88476441b91be0ec898a7e07bfd05badc
Copying blob sha256:c10e49e2ae751d7e0a95fd985d4baf869ddf847c9dff496af287618d9f4a402d
Copying blob sha256:ab94afba5451bb12f89c75da5ccc33b3ad9238fe9646651f4ae2a412564dba07
Copying blob sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1
Copying blob sha256:7af6470caf99a63d368b81ca0645a1ea3379ce4e40831453b81967c086dd4842
Copying blob sha256:2828fce91c7c2fcc8e3a77d4186e31468e20efac6ddbd287ab67576b6fc5df70
time="2024-10-14T08:44:40Z" level=error msg="While applying layer: ApplyLayer stdout: stderr: remount /, flags: 0x44000: permission denied exit status 1"
Error: creating build container: copying system image from manifest list: writing blob: adding layer with blob "sha256:f11c1adaa26e078479ccdd45312ea3b88476441b91be0ec898a7e07bfd05badc": ApplyLayer stdout: stderr: remount /, flags: 0x44000: permission denied exit status 1

[nalind]

What are the mount flags on this location, as seen from inside the container?

[shay1197]

Same message-
Error: mount /home/jenkins/.local/share/containers/storage/overlay:/home/jenkins/.local/share/containers/storage/overlay, flags: 0x1000: permission denied
I forgot the mentation that I am running it in k8s