Bug 1768355

Summary: Podman cannot chdir: Permission denied in rootless mode
Product: Red Hat Enterprise Linux 7
Reporter: Marek Vesely <marek.vesely>
Component: podman
Assignee: Matthew Heon <mheon>
Status: CLOSED NOTABUG
QA Contact: Martin Jenner <mjenner>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 7.7
CC: bbaude, dwalsh, gscrivan, jligon, jnovy, lsm5, mheon, tsweeney, umohnani
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-11-12 12:45:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Marek Vesely 2019-11-04 07:48:05 UTC
Description of problem:
Podman is not able to run in rootless mode. It prints: cannot chdir: Permission denied.

Version-Release number of selected component (if applicable):
Version:            1.4.4
RemoteAPI Version:  1
Go Version:         go1.10.3
OS/Arch:            linux/amd64

How reproducible:
always

Steps to Reproduce:
1. Install Podman, create a special user and group, and add lines to /etc/subuid and /etc/subgid:
teamcityagent:200000:65536
2. Configure sysctl: sysctl user.max_user_namespaces=28633
3. Execute the command "podman unshare cat /proc/self/uid_map" under the teamcityagent user.

Actual results:
$ podman unshare cat /proc/self/uid_map
cannot chdir: Permission denied
0 0 4294967295

Expected results:
$ podman unshare cat /proc/self/uid_map
0 1001 1
1 100000 65536
65537 165536 65536
or similar

Additional info:
I followed the steps from the wiki: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/managing_containers/finding_running_and_building_containers_with_podman_skopeo_and_buildah#set_up_for_rootless_containers . This is a VM in vCenter running CentOS 7.7.1908.

Output from podman info --debug:
debug:
  compiler: gc
  git commit: ""
  go version: go1.10.3
  podman version: 1.4.4
host:
  BuildahVersion: 1.9.0
  Conmon:
    package: podman-1.4.4-4.el7.centos.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 0.3.0, commit: unknown'
  Distribution:
    distribution: '"centos"'
    version: "7"
  MemFree: 1769316352
  MemTotal: 8200630272
  OCIRuntime:
    package: runc-1.0.0-65.rc8.el7.centos.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 8
  hostname: teamcity-iot-01.triglav.local
  kernel: 3.10.0-1062.1.2.el7.x86_64
  os: linux
  rootless: false
  uptime: 576h 17m 55s (Approximately 24.00 days)
registries:
  blocked: null
  insecure: null
  search:
  - registry.access.redhat.com
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 1
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 1
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Comment 2 Matthew Heon 2019-11-04 14:28:38 UTC
Can you try a `podman system migrate` and see if that resolves the error?

If that fails, try disabling SELinux with `setenforce 0` and then try again to see if SELinux is denying the action.

Comment 3 Daniel Walsh 2019-11-04 16:48:44 UTC
Also what file system is your homedir?

Comment 4 Marek Vesely 2019-11-05 07:06:30 UTC
`podman system migrate` and disabling SELinux didn't fix this issue. There is still the same error.

homedir is XFS:
/dev/mapper/centos_teamcity--iot--home-home      xfs      1017M  495M  522M  49% /home

and mounted like this:
/dev/mapper/centos_teamcity--iot--home-home on /home type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

Comment 5 Giuseppe Scrivano 2019-11-08 14:33:25 UTC
What is the working directory where you are running the command (please share the output of `pwd`)?

How did you create the user session? Have you used `su`?

Comment 6 Marek Vesely 2019-11-11 06:26:41 UTC
OMG, yes, you are correct. I was in the home directory of a different user, because I supposed that the storage.conf configuration was hard-coded to the home dir of the teamcityagent user.
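The root cause in this thread is a working directory the rootless user cannot enter (a `su` from another user's home), which surfaces as "cannot chdir: Permission denied" before the uid_map is ever printed. The following pre-flight script is an added example written for this thread; it is not part of podman or of the reporter's setup. It checks the two preconditions the thread turned on: that every component of the working directory grants search permission to the current user, and that /etc/subuid and /etc/subgid carry a range for that user, plus the user.max_user_namespaces sysctl from step 2. The function names and the sample subuid/subgid content are constructed for the example; run the real check as the rootless user itself, pointing it at the real files.

```shell
#!/bin/sh
# Hypothetical pre-flight check for rootless podman (example code, not podman's own).
# Run it as the user that will run podman, from the directory you intend to use.

# check_dir_searchable DIR
# Walks each path component from / down to DIR and prints the first one the
# current user lacks search (x) permission on. Returns 0 when all are enterable.
check_dir_searchable() {
    case $1 in /*) path=$1 ;; *) path=$PWD/$1 ;; esac
    cur=""
    old_ifs=$IFS
    IFS=/
    set -- $path            # split on '/' without external tools
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue   # empty field before the leading '/'
        cur="$cur/$comp"
        if [ ! -x "$cur" ]; then
            printf '%s\n' "$cur"
            return 1
        fi
    done
    return 0
}

# has_subid_entry USER FILE
# FILE is in /etc/subuid or /etc/subgid format ("name:start:count").
# Prints "start count" and returns 0 when USER has a line with a non-zero count.
has_subid_entry() {
    user=$1
    file=$2
    [ -r "$file" ] || return 1
    while IFS=: read -r name start count || [ -n "$name" ]; do
        case $name in '#'*|"") continue ;; esac   # skip comments and blanks
        if [ "$name" = "$user" ] && [ "${count:-0}" -gt 0 ] 2>/dev/null; then
            printf '%s %s\n' "$start" "$count"
            return 0
        fi
    done < "$file"
    return 1
}

# userns_limit_ok
# Returns 0 unless the kernel reports user.max_user_namespaces as 0, in which
# case unprivileged user namespaces (and so `podman unshare`) cannot work.
userns_limit_ok() {
    f=/proc/sys/user/max_user_namespaces
    [ -r "$f" ] || return 0      # sysctl not exposed here: nothing to check
    [ "$(cat "$f")" -gt 0 ]
}

# rootless_precheck USER SUBUID_FILE SUBGID_FILE DIR
# Runs the checks above and returns 0 only if all of them pass.
rootless_precheck() {
    user=$1
    dir=$4
    status=0
    if bad=$(check_dir_searchable "$dir"); then
        echo "ok: $dir is searchable by $(id -un)"
    else
        echo "FAIL: cannot enter $bad; cd to a directory $user can enter (e.g. its own home) before running podman"
        status=1
    fi
    for f in "$2" "$3"; do
        if range=$(has_subid_entry "$user" "$f"); then
            echo "ok: $f maps $user to ${range% *} (+${range#* } ids)"
        else
            echo "FAIL: no usable entry for $user in $f"
            status=1
        fi
    done
    return $status
}

# Constructed sample data, not the reporter's real files, so the script runs offline.
demo=$(mktemp -d)
printf 'teamcityagent:200000:65536\n' > "$demo/subuid"
printf 'teamcityagent:200000:65536\n' > "$demo/subgid"
rootless_precheck teamcityagent "$demo/subuid" "$demo/subgid" "$demo" || true
if userns_limit_ok; then
    echo "ok: user namespaces are enabled"
else
    echo "FAIL: user.max_user_namespaces is 0; set it with sysctl as in step 2"
fi
rm -rf "$demo"
```

Pointing `rootless_precheck` at the real files (`rootless_precheck "$(id -un)" /etc/subuid /etc/subgid "$PWD"`) reproduces the thread's diagnosis: the subuid/subgid checks pass, and the directory check names the other user's home as the component that cannot be entered.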

Comment 7 Daniel Walsh 2019-11-11 15:20:19 UTC
So can I close this bugzilla?

Comment 8 Marek Vesely 2019-11-12 05:37:28 UTC
Yes you can, thank you!