Bug 2140084

Matt, https://github.com/containers/podman/pull/16416 seems to be not yet applied in the podman-4.3.1 or main branch?

It's been picked up in both branches, but not by that commit (it got grabbed by a vendor of a newer version of the storage library). I can see the actual code change we wanted is present in Podman's vendored c/storage for both main and 4.3.1.

I might be wrong but what I see in podman-4.3.1 is missing at least the essential s390x conditional in vendor/github.com/containers/storage/drivers/overlay/idmapped_utils.go:

@@ -124,7 +125,14 @@ func createIDMappedMount(source, target string, pid int) error {
 // createUsernsProcess forks the current process and creates a user namespace using the specified
 // mappings.  It returns the pid of the new process.
 func createUsernsProcess(uidMaps []idtools.IDMap, gidMaps []idtools.IDMap) (int, func(), error) {
-	pid, _, err := syscall.Syscall6(uintptr(unix.SYS_CLONE), unix.CLONE_NEWUSER|uintptr(unix.SIGCHLD), 0, 0, 0, 0, 0)
+	var pid uintptr
+	var err syscall.Errno
+
+	if runtime.GOARCH == "s390x" {
+		pid, _, err = syscall.Syscall6(uintptr(unix.SYS_CLONE), 0, unix.CLONE_NEWUSER|uintptr(unix.SIGCHLD), 0, 0, 0, 0)
+	} else {
+		pid, _, err = syscall.Syscall6(uintptr(unix.SYS_CLONE), unix.CLONE_NEWUSER|uintptr(unix.SIGCHLD), 0, 0, 0, 0, 0)
+	}
 	if err != 0 {
 		return -1, nil, err
 	}

c/storage 1.43.0 is missing this bit too.

The first c/storage containing this is c/storage 1.44.0.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2758

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days