Run podman as non root gives file permission errors

One interesting thing about podman is the ability to run as non-root. But in fact I can’t do a lot of things as a simple user and most of the time have to su to achieve my goals.
How can I deal with this?

Note: SELinux is enforced
Example of classic issue:

% id
uid=1004(gabx) gid=1004(gabx) groups=1004(gabx),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
% podman images 
Error: could not get runtime: error creating tmpdir /run/user/1001/libpod/tmp: mkdir /run/user/1001: permission denied
% sudo podman images
REPOSITORY                          TAG      IMAGE ID       CREATED        SIZE
docker.io/linuxserver/mariadb       latest   ab6a31f8a171   2 days ago     348 MB
docker.io/library/redis             latest   01a52b3b5cd1   12 days ago    102 MB
docker.io/linuxserver/letsencrypt   latest   474abe498014   7 weeks ago    272 MB
docker.io/certbot/certbot           latest   d2bbcca3f60e   2 months ago   117 MB

I couldn’t find anything on the internet other than running podman as root, which is of course not a real issue but doesn’t take advantage of the non-root features.

Thank you for any advice.

Could you try filing a bug report? I recently saw a very similar issue on the Fedora server, so this is likely a podman bug.

Hello.
Which version of podman are you using and on which system are you?

% podman --version
podman version 1.4.4
% cat /etc/os-release 
NAME=Fedora
VERSION="29.20190805.0 (Atomic Host)"
ID=fedora
VERSION_ID=29
VERSION_CODENAME=""
PLATFORM_ID="platform:f29"
PRETTY_NAME="Fedora 29.20190805.0 (Atomic Host)"

When reading this article about rootless podman on RedHat website, I tried to run the following mentioned command:

% podman unshare cat /proc/self/uid_map
Error: could not get runtime: error creating tmpdir /run/user/1001/libpod/tmp: mkdir /run/user/1001: permission denied

I should be able to run this command, as unshare has to be run as non-root.

So? Shall I open a bug report, as suggested by Refi64 ?

This looks like podman is not allowed to create content in /run/user/1001 while you are running as user 1004.

% id
uid=1004(gabx) gid=1004(gabx) groups=1004(gabx),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
% podman images 
Error: could not get runtime: error creating tmpdir /run/user/1001/

Which means to me that XDG_RUNTIME_DIR is not being set correctly.

% id
uid=1004(gabx) gid=1004(gabx) groups=1004(gabx)
% env | grep XDG_RUNTIME_DIR           
12:XDG_RUNTIME_DIR=/run/user/1004

So user gabx’s XDG_RUNTIME_DIR is set correctly. Now, if I follow you, this directory should exist for user 1001 and be RW for podman, right?
getent passwd and getent group return nothing about user 1001 or user podman. So I can’t figure out how /run/user/1001 can be created. By whom?
Would you mind giving me some hints?
Thank you in advance.

EDIT: shall I add a system user podman with id 1001, or something similar?

What does env | grep /run/user/1001 say?

EDIT: Also, can you post the contents of /etc/containers/libpod.conf if it exists?

% env | grep /run/user/1001
%
% cat /etc/containers/libpod.conf
cat: /etc/containers/libpod.conf: No such file or directory

No luck

What does podman info say?

% podman info
Error: could not get runtime: error creating tmpdir /run/user/1001/libpod/tmp: mkdir /run/user/1001: permission denied

If it can help:

% ls -alZ /run/user
total 0
drwxr-xr-x.  3 root root system_u:object_r:user_tmp_t:s0   60 Aug 31 17:51 ./
drwxr-xr-x. 39 root root system_u:object_r:var_run_t:s0  1.2K Oct 18 17:36 ../
drwx------.  4 gabx gabx system_u:object_r:user_tmp_t:s0  100 Oct  8 08:08 1004/

Not sure if it has to do with my issue, but root does not have XDG_RUNTIME_DIR set in its environment, and /run/user/0 does not exist.

EDIT1: I think I know how the XDG_RUNTIME_DIR is created by pam_systemd at login, but there is something I don’t understand in my issue. Why complain about /run/user/1001 when the command is run by user 1004? Why not /run/user/1004? Can anyone explain this to me?

EDIT2: I created a new user podx with ID 1001, then tried the command again this way:

gabx@poppy➤➤ ~ % su podx -
Password: 
[podx@poppy]/var/home/gabx% podman info
Error: could not get runtime: cannot mkdir /run/user/1004/libpod: mkdir /run/user/1004/libpod: permission denied

Note that 1004 is gabx’s id.

So it seems my issue doesn’t come from a bad setting/environment value for user gabx as the error is here with another user.

I opened a bug report

I investigated the $HOME/.config/containers/libpod.conf and realised that the value for tmp_dir was wrong.
For myself, user 1004, I have this line:

tmp_dir = "/run/user/1001/libpod/tmp"

Thus the 1001 story. This is due to a mistake on my part: I copied the XDG_CONFIG_HOME from user 1001 to user 1004, as I was not aware of this configuration file.
I thus changed this line to:

tmp_dir = "/run/user/1004/libpod/tmp"

NOTE: I closed the bug report

But I have still another error:

% podman info
Error: could not get runtime: database libpod temporary files directory (tmpdir) "/run/user/1001/libpod/tmp" does not match our libpod temporary files directory (tmpdir) "/run/user/1004/libpod/tmp": database configuration mismatch

How can I solve this? What other file should I look at? /etc/containers/storage.conf? Or the one in my home directory?

SOLVED

1. I had to fix the $HOME/.config/containers/storage.conf line runroot = "/run/user/1001" to runroot = "/run/user/1004"
2. Run rm -rf ~/.local/share/containers/storage

Now the podman info command returns as expected.

My issue was copying .config folder from user 1001 to user 1004 without modifying the libpod and storage configuration files.

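A quick way to catch exactly this kind of copied-config mismatch before podman trips over it, as an added example that is not from the thread or the podman project: it scans the two files edited above (libpod.conf and storage.conf under $HOME/.config/containers) for tmp_dir or runroot values pointing at /run/user/<uid> of a different user. The function names and the sample inputs in the comments are my own; the keys tmp_dir and runroot are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: it checks the two rootless podman
# config files the thread ended up editing ($HOME/.config/containers/libpod.conf
# and storage.conf) for /run/user/<uid> paths belonging to a different uid, which
# is what a config copied from another account leaves behind. The function
# names are constructed; the keys tmp_dir and runroot are the ones in the thread.

# check_runtime_paths <uid> <file>...
# Prints every tmp_dir / runroot line whose /run/user/<n> does not match <uid>.
# Returns 0 when all files match, 1 when at least one mismatch was found.
check_runtime_paths() {
    uid="$1"; shift
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        bad=$(awk -v uid="$uid" -v file="$f" '
            /^ *(tmp_dir|runroot) *=/ && match($0, /\/run\/user\/[0-9]+/) {
                n = substr($0, RSTART + 10, RLENGTH - 10)  # digits after "/run/user/"
                if (n != uid) print file ": " $0 "  (expected /run/user/" uid ")"
            }' "$f")
        if [ -n "$bad" ]; then
            printf '%s\n' "$bad"
            found=1
        fi
    done
    return $found
}

# fix_runtime_paths <uid> <file>...
# Rewrites /run/user/<n> to /run/user/<uid> on tmp_dir / runroot lines only,
# via a temp file so a failed sed never truncates the config.
fix_runtime_paths() {
    uid="$1"; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed -E "/^ *(tmp_dir|runroot) *=/ s#/run/user/[0-9]+#/run/user/$uid#" "$f" \
            > "$f.tmp.$$" && mv "$f.tmp.$$" "$f"
    done
}

# Check the real files when run from the affected account. Note that after the
# fix the libpod database still holds the old tmp_dir (the "database
# configuration mismatch" error in the thread), which is why the thread's second
# step removed ~/.local/share/containers/storage; this script deletes nothing.
if [ -d "$HOME/.config/containers" ]; then
    check_runtime_paths "$(id -u)" "$HOME/.config/containers/libpod.conf" \
        "$HOME/.config/containers/storage.conf"
fi
```

Run it as the user who owns the config (here uid 1004) and it reports the two offending lines; run fix_runtime_paths with the same arguments to rewrite them in place.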