setup user: cannot set any additional groups in a rootless container #4

Closed
garyedwards opened this issue Oct 23, 2018 · 5 comments

@garyedwards

garyedwards commented Oct 23, 2018

Hi, great pet container, I am using it on Silverblue 29 beta and CentOS (sudo mode), which I try to treat as immutable.

On an updated clean 29 install I get the following error:

./fedora-toolbox -v enter
unable to start container "fedora-toolbox-gary:29": container create failed: container_linux.go:336: starting container process caused "setup user: cannot set any additional groups in a rootless container"
: internal libpod error
./fedora-toolbox: failed to start container fedora-toolbox-gary:29

The culprit seems to be "--group-add wheel" under the podman create.

@garyedwards
Author

Further to the above the "--uidmap" lines seem to cause the following errors:

exec failed: container_linux.go:336: starting container process caused "process_linux.go:90: adding pid 8258 to cgroups caused "failed to write 8258 to cgroup.procs: write /sys/fs/cgroup/systemd/user.slice/user-1000.slice/[email protected]/gnome-terminal-server.service/13eb5ccb9657c3a9a0ab67937927c29dd7c25bebdf943eb27d1900bd59964038/cgroup.procs: permission denied""

podman version 0.10.1

@debarshiray
Member

debarshiray commented Oct 23, 2018

Further to the above the "--uidmap" lines seem to cause the following errors:

exec failed: container_linux.go:336: starting container process caused
"process_linux.go:90: adding pid 8258 to cgroups caused "failed to write 8258 to cgroup.procs:
write /sys/fs/cgroup/systemd/user.slice/user-1000.slice/[email protected]/gnome-terminal-server.service/13eb5ccb9657c3a9a0ab67937927c29dd7c25bebdf943eb27d1900bd59964038/cgroup.procs: permission denied""

Yes, that's due to runc (opencontainers/runc#1862). See this comment:
opencontainers/runc#1862 (comment)

We need those --uidmap lines to map the host's $UID into the toolbox.

Here's an update targeted at Fedora 29 to address this:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-e77cc54309

Unfortunately, since we are frozen for the final Fedora 29 release, it will only enter the Silverblue 29 image as a zero-day update. Until then, you can try:

$ rpm-ostree override replace /path/to/runc-1.0.0-56.dev.git78ef28e.fc29.rpm

@debarshiray
Member

I am using it on Silverblue 29 beta and CentOS (sudo mode), which I try to
treat as immutable.

On an updated clean 29 install I get the following error:

./fedora-toolbox -v enter
unable to start container "fedora-toolbox-gary:29": container create failed:
container_linux.go:336: starting container process caused "setup user: cannot
set any additional groups in a rootless container"
: internal libpod error
./fedora-toolbox: failed to start container fedora-toolbox-gary:29

The culprit seems to be "--group-add wheel" under the podman create.

I haven't seen this before. So far I have been hacking on Silverblue 28. I wonder if there's something off in Fedora 29.

Does it continue to happen after pulling in the above runc PR? What version of podman do you have? What did you mean by "sudo mode"?

@garyedwards
Author

Hi, the updated runc solved both of the errors. Under CentOS I use the "--sudo --release 29" arguments, as rootless podman is not working there at the moment. I also remove the uid mappings, as they fail on CentOS, but as most of my builds are single user this does not cause me any issues.

Since this is solved for Silverblue 29 that is great and I will derive my own CentOS script which is not a target platform anyway. Thanks for the great work, I am really enjoying Silverblue.

@debarshiray
Member

That's great to hear! :)

Rootless podman and buildah are still very new, so it is probably a matter of getting newer versions of those into RHEL and eventually CentOS.

The --sudo flag was initially meant for debugging rootless bugs, but I am glad that you found some real use for it. I know that Fedora CoreOS is also interested in a rootful toolbox.

Anyway, thanks for getting in touch.
