Users doing: $ buildah unshare # ctr=$(buildah from scratch) # mnt=$(buildah mount $ctr) # dnf -y install --installroot=$mnt --releasever=8 httpd Blows up, because the RedHat Subcription manager plugin attempts to write to paths in /run and /var/lib that are not writable within the user namespace. I think we have to work with the subscription manager people to follow XDG_RUNTIME_DIR and understand that they are running in a rootless user namespace environment, to make this work. This works fine with Fedora and Centos, it only seems to blow up in RHEL, because of subscription manager.
The issue here is the subscription manager realizing that it is running within a rootless environment. The subscription manager is assuming it is running as root, where it should be fully able to run in non root environments.
BTW I am seeing the same symptoms, subscription manager thinks it is running as root in a user namespace and attempts to write to /run as if it was real root. It should be using XDG_RUNTIME_DIR if it is set, and then the user would be able to write the content. XDG_RUNTIME_DIR=/run/user/$UID
Reproducing the bug on a SUBMAN version: [testuser@kvm-01-guest24 ~]$ subscription-manager version You are attempting to run "subscription-manager" which requires administrative privileges, but more information is needed in order to do so. Authenticating as "root" Password: server type: This system is currently not registered. subscription management server: 4.2.15-1 subscription management rules: 5.43 subscription-manager: 1.28.37-1.el8 Reproducing the bug: [testuser@kvm-01-guest24 ~]$ buildah unshare [root@kvm-01-guest24 ~]# ctr=$(buildah from scratch) [root@kvm-01-guest24 ~]# mnt=$(buildah mount $ctr) [root@kvm-01-guest24 ~]# dnf -y install --installroot=$mnt --releasever=8 httpd 2023-06-08 13:53:55,900 [ERROR] dnf:19128:MainThread @logutil.py:236 - [Errno 13] Permission denied: '/var/log/rhsm/rhsm.log' - Further logging output will be written to stderr Updating Subscription Management repositories. Unable to read consumer identity 2023-06-08 13:53:55,901 [ERROR] dnf:19128:MainThread @lock.py:152 - [Errno 13] Permission denied: '/run/rhsm/cert.pid' Traceback (most recent call last): File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 132, in acquire f.open() File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 41, in open self.fp = open(self.path, 'w') PermissionError: [Errno 13] Permission denied: '/run/rhsm/cert.pid' could not create lock This system is not registered with an entitlement server. You can use subscription-manager to register. ^^ Errors appeared -> bug reproduced Pre-verifying on version: [testuser@kvm-01-guest24 ~]$ subscription-manager version You are attempting to run "subscription-manager" which requires administrative privileges, but more information is needed in order to do so. Authenticating as "root" Password: server type: This system is currently not registered. subscription management server: 4.2.15-1 subscription management rules: 5.43 subscription-manager: 1.28.38+6.g76d589b9a-1.git.0.e3e938d Verification process: [testuser@kvm-01-guest24 ~]$ buildah unshare [root@kvm-01-guest24 ~]# ctr=$(buildah from scratch) [root@kvm-01-guest24 ~]# mnt=$(buildah mount $ctr) [root@kvm-01-guest24 ~]# dnf -y install --installroot=$mnt --releasever=8 httpd Updating Subscription Management repositories. Unable to read consumer identity This system is not registered with an entitlement server. You can use subscription-manager to register. beaker-AppStream 50 MB/s | 8.1 MB 00:00 beaker-AppStream-debuginfo 43 MB/s | 6.0 MB 00:00 beaker-BaseOS 27 MB/s | 2.4 MB 00:00 beaker-BaseOS-debuginfo 22 MB/s | 1.8 MB 00:00 beaker-CRB 25 MB/s | 2.3 MB 00:00 beaker-CRB-debuginfo 99 kB/s | 529 kB 00:05 beaker-HighAvailability 8.1 MB/s | 600 kB 00:00 beaker-HighAvailability-debuginfo 306 kB/s | 18 kB 00:00 beaker-NFV 12 MB/s | 886 kB 00:00 beaker-NFV-debuginfo 4.9 MB/s | 329 kB 00:00 beaker-RT 12 MB/s | 884 kB 00:00 beaker-RT-debuginfo 5.3 MB/s | 329 kB 00:00 beaker-ResilientStorage 8.7 MB/s | 603 kB 00:00 beaker-ResilientStorage-debuginfo 326 kB/s | 18 kB 00:00 beaker-SAP 136 kB/s | 8.0 kB 00:00 beaker-SAP-debuginfo 244 kB/s | 13 kB 00:00 beaker-SAPHANA 200 kB/s | 13 kB 00:00 beaker-SAPHANA-debuginfo 203 kB/s | 13 kB 00:00 beaker-harness 333 kB/s | 524 kB 00:01 beaker-tasks 432 kB/s | 5.8 MB 00:13 Dependencies resolved. ================================================================================================================================================== Package Architecture Version Repository Size ================================================================================================================================================== Installing: httpd x86_64 2.4.37-56.module+el8.8.0+18758+b3a9c8da.6 beaker-AppStream 1.4 M ... redhat-release-8.9-0.0.el8.x86_64 redhat-release-eula-8.9-0.0.el8.x86_64 rpm-4.14.3-26.el8.x86_64 rpm-libs-4.14.3-26.el8.x86_64 sed-4.5-5.el8.x86_64 setup-2.12.2-9.el8.noarch shadow-utils-2:4.6-18.el8.x86_64 shared-mime-info-1.9-3.el8.x86_64 sqlite-libs-3.26.0-18.el8_8.x86_64 systemd-239-75.el8.x86_64 systemd-libs-239-75.el8.x86_64 systemd-pam-239-75.el8.x86_64 systemd-udev-239-75.el8.x86_64 trousers-0.3.15-1.el8.x86_64 trousers-lib-0.3.15-1.el8.x86_64 tzdata-2023c-1.el8.noarch util-linux-2.32.1-42.el8_8.x86_64 which-2.21-20.el8.x86_64 xkeyboard-config-2.28-1.el8.noarch xz-5.2.4-4.el8_6.x86_64 xz-libs-5.2.4-4.el8_6.x86_64 zlib-1.2.11-25.el8.x86_64 Complete! ^^ pre-verification PASSED