Description of problem:
When the uid of the user running podman is seven digits, podman will not attach itself to the container and will issue an error.

Version-Release number of selected component (if applicable):
podman version 0.10.1

How reproducible:
Create a user with seven digits and attempt a podman run command.

Steps to Reproduce:
1. useradd -u 1677798 podman
2. su podman
3. podman run --rm -it fedora:28 echo "Hello world!"

Actual results:
error attaching to container 31ae6a43a439ddc91641962a0420e99c15305abed93bd0287e5761cf4e7c080e: failed to connect to container's attach socket: /home/podman/rundir/libpod/tmp/socket/31ae6a43a439ddc91641962a0420e99c15305abed93bd0287e5761cf4e7c080e/attach: dial unixpacket /home/podman/rundir/libpod/tmp/socket/31ae6a43a439ddc91641962a0420e99c15305abed93bd0287e5761cf4e7c080e/attach: connect: invalid argument

Expected results:
Container to attach

Additional info:
When listing that socket directory, "attach" appears to be truncated:

    ls /home/podman/rundir/libpod/tmp/socket/31ae6a43a439ddc91641962a0420e99c15305abed93bd0287e5761cf4e7c080e/
    artifacts atta config.json ctl ctr.log shm

This looks like `useradd -u 1677798 podman` did not set up the user namespace in /etc/subuid. This will cause podman running as non-root to fail.
I had already manually added the subuid and subgid values when creating the user:

    podman:100000:65536

Are these not correct? -Thanks

Negative, Dan - this is a Unix socket path length restriction, I think. Unix socket paths cannot be longer than 108 characters, and that path comes in at 110 characters. For most systems, Podman rootless uses /run/user/$UID, which should never present length issues, but if that dir is not present, we fall back to /home/$USER/rundir, which is causing length issues here.
Going to add Giuseppe in CC so he can take a look at this. We've been seeing separate issues with rundir paths, so maybe we can figure this out at the same time.
My sssd user (which is the original user that I was testing this with) does use the /run/user/$UID directory; however, it still fails:

    error attaching to container 159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9: failed to connect to container's attach socket: /run/user/16777797/libpod/tmp/socket/159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9/attach: dial unixpacket /run/user/16777797/libpod/tmp/socket/159ef5eda381ab3d32535240e53cc66b8ce84af203cb4823d79634addae3f1f9/attach: connect: invalid argument

Well, it worked for me when I did a su - podman

    $ podman run --rm -it fedora:28 echo "Hello world!"
    Trying to pull docker.io/fedora:28...Getting image source signatures
    Copying blob sha256:565884f490d9ec697e519c57d55d09e268542ef2c1340fd63262751fa308f047
     82.90 MB / 82.90 MB [======================================================] 4s
    Copying config sha256:c582c1438f27b3775e2534abc82d14974ecb00c2c53161d05ec73a73d35e1235
     2.29 KB / 2.29 KB [========================================================] 0s
    Writing manifest to image destination
    Storing signatures
    Hello world!
    $ id
    uid=1677798(podman) gid=3271(podman) groups=3271(podman) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I have no /run/user/$UID.

Hm. That one is 109 characters... Which should be causing issues. Very strange you're not seeing them, Dan.
Yes, I think the issue is caused by the path to "attach" being longer than the limit on unix socket paths. I think we can circumvent the limitation by temporarily changing the current directory. We need to check it in conmon as well. I did a quick test:

    $ mkdir /tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    $ nc -lU /tmp/aaa*/attach
    Ncat: ssl_gen_cert(): error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long. QUITTING.
    $ (cd /tmp/aaa*; nc -lU attach)

I've opened a PR here: https://github.com/containers/libpod/pull/1704
I see this issue as well:

    $ podman --version
    podman version 0.10.1.3
    $ cat /etc/redhat-release
    Fedora release 28 (Twenty Eight)

    #Running as a test user with a low UID:
    [phred@islnx001 ~]$ id
    uid=5000(phred) gid=5000(phred) groups=5000(phred) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    [phred@islnx001 ~]$ podman run -it rhel echo "Hello world"
    Hello world

    #Running as my normal user on same system:
    [frush@islnx001 ~]$ id
    uid=10372892(frush) gid=10372892(frush) groups=10372892(frush),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    [frush@islnx001 ~]$ podman run -it rhel echo "Hello world"
    error attaching to container e4bdc4836c4ddd2ec78492841c75154f98f388ef434df1c30e010273a2b045c1: failed to connect to container's attach socket: /run/user/10372892/libpod/tmp/socket/e4bdc4836c4ddd2ec78492841c75154f98f388ef434df1c30e010273a2b045c1/attach: dial unixpacket /run/user/10372892/libpod/tmp/socket/e4bdc4836c4ddd2ec78492841c75154f98f388ef434df1c30e010273a2b045c1/attach: connect: invalid argument

So this will be fixed in podman 0.11?
podman-0.11.1-1.gita4adfe5.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c67b523a2d
podman-0.11.1-1.gita4adfe5.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-35572aff9e
podman-0.11.1-1.gita4adfe5.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c67b523a2d
podman-0.11.1-1.gita4adfe5.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-35572aff9e
podman-0.12.1-1.git7ba215f.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-46a85fa5a7
podman-0.12.1.1-1.git66d3499.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-17c32cf05c
podman-0.12.1.1-1.git66d3499.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e8e19475eb
A Fedora update associated with this bug has been pushed to the stable repository.