[pkg-go] Bug#977717: podman: Images can't be run with non-root USER after upgrade to 2.1.1 due to wrong permissions of / inside the container

adamo adamoswick at protonmail.com
Sat Dec 19 20:06:26 GMT 2020
Hi Reinhard,
I was intending to open a bug report after contacting you earlier but someone appears to have beaten me to it!
I'm still able to reproduce this on my end with the following.

---------------------------------------------------------------
root at podman:~# podman run docker.io/alpine /bin/echo "Hello"
Hello
root at podman:~# adduser --uid 1010 bugtest --gecos "" --no-create-home --disabled-login --disabled-password
Adding user `bugtest' ...
Adding new group `bugtest' (1010) ...
Adding new user `bugtest' (1010) with group `bugtest' ...
Not creating home directory `/home/bugtest'.
root at podman:~# podman run --user 1010 docker.io/alpine /bin/echo "Hello"
Error: container_linux.go:370: starting container process caused: apply caps: operation not permitted: OCI runtime permission denied error
---------------------------------------------------------------

This is a fresh image I've pulled and still occurs when running as the user 'nobody' as per your example.

I've also tried the steps taken in your example (with an additional step to run the container) and managed to reproduce the error.

-----------------------------
root at podman:~# cat Dockerfile
FROM docker.io/debian
USER nobody
RUN id
root at podman:~# podman rm -a
root at podman:~# podman build -f Dockerfile
STEP 1: FROM docker.io/debian
Getting image source signatures
Copying blob 6c33745f49b4 done
Copying config 6d6b00c222 done
Writing manifest to image destination
Storing signatures
STEP 2: USER nobody
--> de292136a39
STEP 3: RUN id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
STEP 4: COMMIT
--> b08e47fc955
b08e47fc955ccfe7a3c164e9fbd2068758ee145e39ffcc1a5c95d4a53ad4144d
root at podman:~# podman run b08e47fc955ccfe7a3c164e9fbd2068758ee145e39ffcc1a5c95d4a53ad4144d /bin/echo "Hello"
Error: container_linux.go:370: starting container process caused: apply caps: operation not permitted: OCI runtime permission denied error
-----------------------------

While I don't think it's relevant, I've had this issue with both a VM on Linode (which I've upgraded from Debian 10 to bullseye) and on a local VM which was created directly from a "testing" iso.

------------------------------------------
root at podman:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux bullseye/sid"
NAME="Debian GNU/Linux"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
------------------------------------------

As mentioned, this appears to have been discussed in the issue https://github.com/containers/podman/issues/7747 on GitHub.

If you need any more information from my end, please let me know.

Thanks for your help with this.

Regards,
Adam.
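As an added diagnostic (not part of Adam's report or of podman itself), the following POSIX shell check takes a mounted container root filesystem, such as the path printed by `podman mount <container>`, and reports every directory on the way to `/bin` that an unprivileged USER cannot search; the directory list is a constructed assumption, and `stat -c '%a'` (GNU coreutils or busybox) is assumed to be available.

```shell
#!/bin/sh
# Added diagnostic for the "non-root USER cannot start" symptom: a process
# running as a non-root UID needs the "other" search (x) bit on / and on
# every directory down to the binary it executes. If / inside the container
# is created with a mode such as 0700, the runtime fails before the command
# ever runs. This script only reads permissions; it changes nothing.

check_rootfs_mode() {
    root=$1
    bad=0
    # Constructed list of directories a non-root process must traverse to
    # run /bin/echo; only those present under the rootfs are inspected.
    for sub in "" bin usr usr/bin lib etc; do
        dir="$root/$sub"
        [ -d "$dir" ] || continue
        # Numeric mode without leading zero, e.g. 755 or 700
        mode=$(stat -c '%a' "$dir") || return 2
        # Last octal digit holds the permission bits for "other"
        other=$(( mode % 10 ))
        # Search permission is the low bit (value 1) of that digit
        if [ $(( other & 1 )) -eq 0 ]; then
            echo "$dir: mode $mode denies search to other users" >&2
            bad=1
        fi
    done
    return $bad
}

# Typical use against a real container (requires podman; not run here):
#   ctr=$(podman create docker.io/alpine /bin/echo Hello)
#   check_rootfs_mode "$(podman mount "$ctr")" && echo "rootfs looks fine"
#   podman umount "$ctr"
```

Exit status 0 means every checked directory is searchable by other users; 1 lists the offending directories on stderr.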