I am building a container based on quay.io/podman/stable, with this Dockerfile:

FROM quay.io/podman/stable
RUN dnf install -y git nodejs && \
    dnf install -y python3-pip && \
    dnf clean all && \
    rm -rf /var/cache/yum
RUN pip install podman-compose
USER podman
WORKDIR /home/podman

Running a container out of this image, and pulling and running the hello-world image from it, works. However, if I try to run the same image from a docker-compose image, it fails.

This is how I run the outer container:

podman run --rm -it --device /dev/fuse --device /dev/net/tun -v /proc:/proc --security-opt label=disable podman:extended sh

These are the commands executed by podman-compose, which I run manually now:

podman pod create --name=pod_test --infra=false --share=
podman network create --label io.podman.compose.project=test --label com.docker.compose.project=test test_default
podman create --name=test_hello_1 --pod=pod_test --label io.podman.compose.config-hash=5e36e74a382d7051c6fcb79d725d6225281563a8a995178f4030ef95c901375a --label io.podman.compose.project=test --label io.podman.compose.version=1.2.0 --label PODMAN_SYSTEMD_UNIT=podman-compose@test.service --label com.docker.compose.project=test --label com.docker.compose.project.working_dir=/test --label com.docker.compose.project.config_files=docker-compose.yml --label com.docker.compose.container-number=1 --label com.docker.compose.service=hello --network=test_default --network-alias=hello hello
podman start -a test_hello_1

Finally, this is the error I am getting:

ERRO[0000] running `/usr/bin/newuidmap 12 0 1000 1 1 1 999 1000 1001 64535`: newuidmap: Target process is owned by a different user: uid:1000 pw_uid:1000 st_uid:65534, gid:1000 pw_gid:1000 st_gid:65534
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1
ERRO[0000] running `/usr/bin/newuidmap 22 0 1000 1 1 1 999 1000 1001 64535`: Could not open proc directory for target 22: No such file or directory
usage: newuidmap [<pid>|fd:<pidfd>] <uid> <loweruid> <count> [ <uid> <loweruid> <count> ] ...
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1
ERRO[0000] running `/usr/bin/newuidmap 33 0 1000 1 1 1 999 1000 1001 64535`: Could not open proc directory for target 33: No such file or directory
usage: newuidmap [<pid>|fd:<pidfd>] <uid> <loweruid> <count> [ <uid> <loweruid> <count> ] ...
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1
ERRO[0000] running `/usr/bin/newuidmap 43 0 1000 1 1 1 999 1000 1001 64535`: newuidmap: Target process is owned by a different user: uid:1000 pw_uid:1000 st_uid:65534, gid:1000 pw_gid:1000 st_gid:65534
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1

If I add the --privileged flag to the run of the outer container, then all works, but... yeah... I'd really prefer not to have to switch to that. I assume what I am doing is not rocket science: I hope somebody has resolved this problem before, but I do not find any document explaining how to proceed. Does anybody here have a clue on how to solve this issue?
Replies: 1 comment 1 reply
this is wrong since the /proc refers to the host pid namespace, not the new PID namespace inside the container. Please try with

--security-opt=unmask=/proc
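A diagnostic you can run from a shell inside the outer container to confirm which PID namespace the mounted /proc describes, before and after replacing -v /proc:/proc with --security-opt=unmask=/proc. This is an added example, not code from the discussion or from podman; the function names and the fd-9 probe are my own, and it assumes a Linux procfs with mktemp, readlink and basename available.

```shell
#!/bin/sh
# Added diagnostic (not from the original discussion): check whether the
# /proc visible here belongs to this shell's PID namespace.
# With the host's /proc bind-mounted (-v /proc:/proc), /proc/<pid> for a
# container-namespace pid is either missing or belongs to an unrelated host
# process owned by someone else, which is exactly what newuidmap reports
# above ("Could not open proc directory", "owned by a different user").
#
# Strategy: open a uniquely named temp file on fd 9, then ask /proc/$$/fd/9
# what it points to. Only the procfs of our own PID namespace can answer
# with that file; a foreign /proc yields ENOENT, EACCES or some other path.

proc_matches_pidns() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/pidns-probe.XXXXXX") || return 2
    exec 9<"$tmp"
    # readlink fails when /proc/$$ is absent or belongs to another user.
    target=$(readlink "/proc/$$/fd/9" 2>/dev/null) || true
    exec 9<&-
    rm -f "$tmp"
    [ -n "$target" ] && [ "$(basename "$target")" = "$(basename "$tmp")" ]
}

# Human-readable verdict; exit status mirrors the check (0 = consistent).
report_proc_namespace() {
    if proc_matches_pidns; then
        echo "OK: /proc is the procfs of this PID namespace"
        return 0
    fi
    echo "MISMATCH: /proc does not describe this PID namespace" \
         "(host /proc bind-mounted?). newuidmap-based user namespace" \
         "setup will fail; replace -v /proc:/proc with" \
         "--security-opt=unmask=/proc" >&2
    return 1
}

report_proc_namespace
```

Run it in the outer container started with -v /proc:/proc to see the mismatch, then again after switching to --security-opt=unmask=/proc.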