Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#77825 - [podman] rootless fail with permission errors
Attached to Project:
Community Packages
Opened by Leonidas Spyropoulos (inglor) - Sunday, 12 March 2023, 14:52 GMT
Last edited by Toolybird (Toolybird) - Thursday, 04 May 2023, 07:35 GMT
Details

Description:

podman rootless fails with permission errors during some pacman operations. I've confirmed this started when 4.4.x hit the repos. The behaviour is not the same with the 4.3.x package. Tested with podman packages from the archive.

Additional info:
* package version(s): 4.4.2-1
* config and/or log files etc.
* link to upstream bug report, if any

```
❯ podman info
host:
  arch: amd64
  buildahVersion: 1.29.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.7-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: f633919178f6c8ee4fb41b848a056ec33f8d707d'
  cpuUtilization:
    idlePercent: 95.6
    systemPercent: 0.64
    userPercent: 3.77
  cpus: 32
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: tiamat
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 100
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.2.3-zen2-1-zen
  linkmode: dynamic
  logDriver: journald
  memFree: 4111417344
  memTotal: 33551384576
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.8.1-1
    path: /usr/bin/crun
    version: |-
      crun version 1.8.1
      commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.0-1
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 25760358400
  swapTotal: 25769795584
  uptime: 30h 9m 26.00s (Approximately 1.25 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: docker.io
    MirrorByDigestOnly: false
    Mirrors: null
    Prefix: docker.io
    PullFromMirror: ""
  search:
  - docker.io
store:
  configFile: /home/inglor/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: btrfs
  graphOptions: {}
  graphRoot: /home/inglor/.local/share/containers/storage
  graphRootAllocated: 536870912000
  graphRootUsed: 352667541504
  graphStatus:
    Build Version: Btrfs v6.1.3
    Library Version: "102"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /home/inglor/.local/share/containers/storage
  transientStore: false
  volumePath: /home/inglor/.local/share/containers/storage/volumes
version:
  APIVersion: 4.4.2
  Built: 1677255177
  BuiltTime: Fri Feb 24 16:12:57 2023
  GitCommit: 74afe26887f814d1c39925a1624851ef3590e79c-dirty
  GoVersion: go1.20.1
  Os: linux
  OsArch: linux/amd64
  Version: 4.4.2
```

Steps to reproduce:

Using the attached tgz, trying to build it results in some pacman operations failing (like the mariadb package user creation or the pacman keyring operation). The error reads:

```
:: Processing package changes...
reinstalling archlinux-keyring...
could not change the root directory (Operation not permitted)
[..]
```
Closed by Toolybird (Toolybird)
Thursday, 04 May 2023, 07:35 GMT
Reason for closing: Fixed
Additional comments about closing: See final comment
podman-test.tgz
As this does not really look like a packaging issue (nothing has changed substantially between the versions in question): Have you opened an upstream ticket about this?
[1]: https://blog.podman.io/2022/12/dropping-capabilities-making-containers-more-secure/
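A pre-flight check for this class of failure, added here as an example and not part of the bug report or of the podman project: the `security.capabilities` line in the report's `podman info` output lists podman's default capability set for rootless containers, and `chroot(2)` fails with EPERM unless the caller holds CAP_SYS_CHROOT, which is absent from that list. The script below compares a constructed copy of that line against the capabilities a chroot-based package build needs and prints the narrowest `--cap-add` flags, rather than reaching for `--privileged`. The assumption that the "could not change the root directory (Operation not permitted)" message is pacman's chroot call hitting that missing capability is this example's inference from the report and the linked blog post, not a statement from the report's final comment.

```shell
#!/bin/sh
# Added example, not from the bug report: find which default capabilities a
# chroot-based package build is missing and emit the minimal --cap-add flags.
# SAMPLE_CAPS is a constructed copy of the security.capabilities line from the
# report's `podman info` output. On a real host replace it with the output of
#   podman info --format '{{.Host.Security.Capabilities}}'
# (field path taken from podman's info struct; verify on your version).

SAMPLE_CAPS='CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID'

# Capabilities a pacman run inside the build container needs beyond the
# default set. chroot(2) requires CAP_SYS_CHROOT; that this is what produces
# "could not change the root directory (Operation not permitted)" is an
# assumption made for this example.
NEEDED_CAPS='CAP_SYS_CHROOT'

# has_cap CAPLIST CAP -> exit 0 if CAP is in the comma-separated CAPLIST
has_cap() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_caps CAPLIST CAP... -> prints the CAPs not present in CAPLIST,
# space-separated, one line (empty line when nothing is missing)
missing_caps() {
    caps=$1
    shift
    out=""
    for c in "$@"; do
        has_cap "$caps" "$c" || out="$out${out:+ }$c"
    done
    printf '%s\n' "$out"
}

# cap_add_args CAPLIST CAP... -> the `podman run`/`podman build` flags that
# restore only the missing capabilities (podman takes names without CAP_)
cap_add_args() {
    args=""
    for c in $(missing_caps "$@"); do
        args="$args${args:+ }--cap-add=${c#CAP_}"
    done
    printf '%s\n' "$args"
}

# containers_conf_snippet CAPLIST CAP... -> a containers.conf fragment that
# makes the same capabilities part of the default set for every container;
# broader than --cap-add, so prefer the per-invocation flags for one build
containers_conf_snippet() {
    caps=$1
    shift
    all="$caps"
    for c in $(missing_caps "$caps" "$@"); do
        all="$all,$c"
    done
    printf '[containers]\ndefault_capabilities = [\n'
    printf '%s\n' "$all" | tr ',' '\n' | sed 's/.*/  "&",/'
    printf ']\n'
}

# Stand-alone run: report the diagnosis for the constructed sample.
# shellcheck disable=SC2086
missing=$(missing_caps "$SAMPLE_CAPS" $NEEDED_CAPS)
if [ -n "$missing" ]; then
    echo "missing from default set: $missing"
    # shellcheck disable=SC2086
    echo "add to the build/run command: $(cap_add_args "$SAMPLE_CAPS" $NEEDED_CAPS)"
else
    echo "default capability set already covers: $NEEDED_CAPS"
fi
```

With the report's capability list the script reports CAP_SYS_CHROOT as missing and suggests `--cap-add=SYS_CHROOT`, which is the smallest change that lets pacman's chroot succeed while keeping every other dropped capability dropped. The `containers.conf` fragment is there for the case where every build on the host needs it; it widens the default for all containers, so a per-build flag is the better default.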