One interesting thing with podman is the ability to run as non-root. But in fact I can’t do a lot of things as a simple user and most of the time have to su to achieve my goals.
How can I deal with this?
Note: SELinux is enforced
Example of classic issue:
% id
uid=1004(gabx) gid=1004(gabx) groups=1004(gabx),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
% podman images
Error: could not get runtime: error creating tmpdir /run/user/1001/libpod/tmp: mkdir /run/user/1001: permission denied
% sudo podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/linuxserver/mariadb latest ab6a31f8a171 2 days ago 348 MB
docker.io/library/redis latest 01a52b3b5cd1 12 days ago 102 MB
docker.io/linuxserver/letsencrypt latest 474abe498014 7 weeks ago 272 MB
docker.io/certbot/certbot latest d2bbcca3f60e 2 months ago 117 MB
I couldn’t find anything on the internet other than running podman as root, which is of course not a real issue but doesn’t take advantage of the non-root features.
This looks like podman is not allowed to create content in /run/user/1001 while you are running as user 1004
% id
uid=1004(gabx) gid=1004(gabx) groups=1004(gabx),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
% podman images
Error: could not get runtime: error creating tmpdir /run/user/1001/
Which means to me that XDG_RUNTIME_DIR is not being set correctly.
So user gabx’s XDG_RUNTIME_DIR is set correctly. Now, if I follow you, this directory shall exist for user 1001 and be RW for podman, right? getent passwd or getent group returns nothing about user 1001 or user podman. So I can’t figure out how /run/user/1001 can be created. By whom?
Would you mind giving me some hints, please?
Thank you in advance
EDIT: shall I add a system user podman with id 1001, or something similar?
Not sure if it has to do with my issue, but root does not have XDG_RUNTIME_DIR set in its environment, and /run/user/0 does not exist.
EDIT1: I think I know how the XDG_RUNTIME_DIR is created by pam_systemd at login, but there is something I don’t understand in my issue. Why complain about /run/user/1001 when the command is run by user 1004? Why not /run/user/1004? Can anyone explain this to me?
EDIT2: I created a new user podx with ID 1001, then tried the command again this way:
gabx@poppy➤➤ ~ % su podx -
Password:
[podx@poppy]/var/home/gabx% podman info
Error: could not get runtime: cannot mkdir /run/user/1004/libpod: mkdir /run/user/1004/libpod: permission denied
Note that 1004 is gabx’s id.
So it seems my issue doesn’t come from a bad setting/environment value for user gabx as the error is here with another user.
I investigated the $HOME/.config/containers/libpod.conf and realised that the value for tmp_dir was wrong.
For myself, user 1004, I have this line:
tmp_dir = "/run/user/1001/libpod/tmp"
Thus the 1001 story. This is due to a bad behavior from myself as I copied the XDG_CONFIG_HOME from user 1001 to user 1004 as I was not aware of this configuration file.
I thus changed this line to:
tmp_dir = "/run/user/1004/libpod/tmp"
NOTE: I closed the bug report
But I have still another error:
% podman info
Error: could not get runtime: database libpod temporary files directory (tmpdir) "/run/user/1001/libpod/tmp" does not match our libpod temporary files directory (tmpdir) "/run/user/1004/libpod/tmp": database configuration mismatch
How can I solve this? What other file should I have a look at? /etc/containers/storage.conf? Or the one in my home?
1- I had to fix the $HOME/.config/containers/storage.conf line: runroot = "/run/user/1001" to runroot = "/run/user/1004"
2- run rm -rf ~/.local/share/containers/storage
Now the podman info command returns as expected.
My issue was copying .config folder from user 1001 to user 1004 without modifying the libpod and storage configuration files.
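The two fixes above (tmp_dir in libpod.conf, runroot in storage.conf) come down to a copied config still pointing at another uid’s /run/user/<uid>. Here is an added example script, not from this thread or from the podman project, that detects and rewrites such stale uid references; the sample config files it creates are constructed to mirror the 1001/1004 situation described above.

```shell
#!/bin/sh
# check_runroot CONFIG_DIR UID: report every tmp_dir/runroot value under
# CONFIG_DIR that points at /run/user/<other uid>; returns 1 if any was found.
check_runroot() {
  cfg_dir=$1 uid=$2
  mismatches=0
  for f in libpod.conf storage.conf; do
    [ -f "$cfg_dir/$f" ] || continue
    # Pull the uid component out of lines like: runroot = "/run/user/1001"
    for found in $(sed -n -E \
        's#^[[:space:]]*(tmp_dir|runroot)[[:space:]]*=[[:space:]]*"/run/user/([0-9]+).*#\2#p' \
        "$cfg_dir/$f"); do
      if [ "$found" != "$uid" ]; then
        echo "$f: references /run/user/$found but current uid is $uid"
        mismatches=$((mismatches + 1))
      fi
    done
  done
  [ "$mismatches" -eq 0 ]
}

# fix_runroot CONFIG_DIR UID: rewrite the uid in those same keys in place.
# Note: after this, the thread's step 2 (removing the old rootless storage dir)
# is still needed, because the old tmp_dir is recorded in the libpod database.
fix_runroot() {
  cfg_dir=$1 uid=$2
  for f in libpod.conf storage.conf; do
    [ -f "$cfg_dir/$f" ] || continue
    sed -E "s#^([[:space:]]*(tmp_dir|runroot)[[:space:]]*=[[:space:]]*\"/run/user/)[0-9]+#\1$uid#" \
      "$cfg_dir/$f" > "$cfg_dir/$f.new" && mv "$cfg_dir/$f.new" "$cfg_dir/$f"
  done
}

# make_sample: constructed config dir copied from a uid-1001 user, as in the thread.
make_sample() {
  dir=$(mktemp -d)
  mkdir -p "$dir/containers"
  printf 'tmp_dir = "/run/user/1001/libpod/tmp"\n' > "$dir/containers/libpod.conf"
  printf '[storage]\ndriver = "overlay"\nrunroot = "/run/user/1001"\n' \
    > "$dir/containers/storage.conf"
  echo "$dir/containers"
}

sample=$(make_sample)
check_runroot "$sample" 1004      # prints the two stale 1001 references
fix_runroot "$sample" 1004
check_runroot "$sample" 1004 && echo "configs now match uid 1004"
```

For a real account run check_runroot against "${XDG_CONFIG_HOME:-$HOME/.config}/containers" with "$(id -u)".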
I had exactly the same problem under my F31 and podman-1.7.0-2.fc31.x86_64 with a technical user using the uid 1001. The user with the id 1000 did show this behaviour.
It seems to be, that all users uid=1000 are running into that problem.
The same user with 1000 did not show that behavior.
Another thing: the technical user with 1001 had not been visited with a login or ssh remote login before. I only logged in via su -. This might be a reason, like the account not being completely initialized.