-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCI runtime permission denied when trying to use --userns container:id #7547
Comments
The
|
could you try using crun instead of runc as the OCI runtime? |
I did, adding |
PR here: #7578 |
when joining an existing container user namespace, read the existing mappings so the storage can be created with the correct ownership. Closes: containers#7547 Signed-off-by: Giuseppe Scrivano <[email protected]>
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
I'm trying to run a container as a sidecar to another container, by sharing the user and net namespaces using the
--user container:id
and--net container:id
options. This gives an "OCI runtime permission denied" error.Steps to reproduce the issue:
Start the main container:
sudo podman run --rm -it --name test --uidmap 0:60000:1000 --gidmap 0:60000:1000 --net sys alpine:3.12
Try to start the sidecar container:
sudo podman run --rm -it --name test-sidecar --userns container:test --net container:test alpine:3.12
Describe the results you received:
An error message:
Error: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: rootfs_linux.go:47: preparing rootfs caused: permission denied: OCI runtime permission denied error
Describe the results you expected:
Both the
test
andtest-sidecar
containers should run successfully and be visible from the host system as running under uid 60000.Additional information you deem important (e.g. issue happens only occasionally):
Repro step 2 works if I remove the
--userns
flag, but then the main process runs as root not user 60000; it gives exactly the same error message if I run it with--uidmap 0:60000:1000
instead.Output of
podman version
:Output of
podman info --debug
:Package info (e.g. output of
rpm -q podman
orapt list podman
):Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?
Yes
Additional environment details (AWS, VirtualBox, physical, etc.):
The text was updated successfully, but these errors were encountered: