Can't get podman 5.0.1 to work
I had some podman containers run with the 4.* version, but after upgrading to podman 5.0.1 they fail to start.
,----
| > podman run hello
| Error: pasta failed with exit code 1:
| Couldn't open network namespace /run/user/1000/netns/netns-254f2095-273b-04d1-9b6f-af01071a4f4e: Permission denied
`----
The problem seems to be related to the usage of pasta with the new podman:
,----
| > pasta
| Could not open /proc/self/uid_map: Permission denied
| Couldn't configure user mappings
| Couldn't mount /proc: Permission denied
| Failed to join network namespace: Permission denied
| Could not open /proc/sys/net/ipv4/ping_group_range: Permission denied
| Cannot set ping_group_range, ICMP requests might fail
`----
I suspect apparmor of causing these permission problems, but am helpless on how to solve this.
On 2024-04-07 01:16, Berthold Höllmann wrote:
I had some podman containers run with the 4.* version, but after upgrading to podman 5.0.1 they fail to start.
,----
| > podman run hello
| Error: pasta failed with exit code 1:
| Couldn't open network namespace /run/user/1000/netns/netns-254f2095-273b-04d1-9b6f-af01071a4f4e: Permission denied
`----
The problem seems to be related to the usage of pasta with the new podman:
,----
| > pasta
| Could not open /proc/self/uid_map: Permission denied
| Couldn't configure user mappings
| Couldn't mount /proc: Permission denied
| Failed to join network namespace: Permission denied
| Could not open /proc/sys/net/ipv4/ping_group_range: Permission denied
| Cannot set ping_group_range, ICMP requests might fail
`----
I suspect apparmor of causing these permission problems, but am helpless on how to solve this.
I know nothing of podman or pasta, but I may help you with apparmor.
You run, as root, "aa-logprof", and it will tell you what problems it had.
For example, in my machine it says (not related at all to podman):
Telcontar:~ # aa-logprof
Updating AppArmor profiles in /etc/apparmor.d.
Reading log entries from /var/log/audit/audit.log.
Enforce-mode changes:
Profile: /usr/bin/locate
Capability: setgid
Severity: 9
[1 - include
"Carlos E. R."
On 2024-04-07 01:16, Berthold Höllmann wrote:
I had some podman containers run with the 4.* version, but after upgrading to podman 5.0.1 they fail to start.
,----
| > podman run hello
| Error: pasta failed with exit code 1:
| Couldn't open network namespace /run/user/1000/netns/netns-254f2095-273b-04d1-9b6f-af01071a4f4e: Permission denied
`----
The problem seems to be related to the usage of pasta with the new podman:
,----
| > pasta
| Could not open /proc/self/uid_map: Permission denied
| Couldn't configure user mappings
| Couldn't mount /proc: Permission denied
| Failed to join network namespace: Permission denied
| Could not open /proc/sys/net/ipv4/ping_group_range: Permission denied
| Cannot set ping_group_range, ICMP requests might fail
`----
I suspect apparmor of causing these permission problems, but am helpless on how to solve this.
I know nothing of podman or pasta, but I may help you with apparmor.
You run, as root, "aa-logprof", and it will tell you what problems it had.
For example, in my machine it says (not related at all to podman):
Telcontar:~ # aa-logprof
aa-logprof solved the problem for me, thank you.
Hi Berthold,
On 07.04.24 01:16 Berthold Höllmann wrote:
,----
| > pasta
| Could not open /proc/self/uid_map: Permission denied
| Couldn't configure user mappings
Can you check if your user has subids defined? This happens on user creation (local users), but just for some years. So if your user / system is older, you might be missing these.
/etc/subgid
/etc/subuid
There should be one or more entries like the following:
some-username:100000:65536
Logging out (or rebooting) after making changes is necessary, so those are active for your user.
Kind Regards,
Johannes
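The subid check described in the message above, as an added example that is not part of the original thread: it looks up a user's ranges in both /etc/subuid and /etc/subgid and flags a missing or malformed entry. The function names `subid_ranges` and `check_subids` are hypothetical, the sample entries are constructed, and matching on the numeric UID assumes the subuid(5) rule that the first field may be a login name or a UID.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# subid_ranges FILE USER [UID]: print "start count" for each entry owned by
# USER (or by the numeric UID). Returns 0 if a usable range exists, 1 if
# none does, 2 if FILE cannot be read.
subid_ranges() {
    file=$1; user=$2; uid=${3:-}
    [ -r "$file" ] || return 2
    awk -F: -v user="$user" -v uid="$uid" '
        $1 != user && (uid == "" || $1 != uid) { next }   # another account
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            print "malformed line " NR ": " $0 | "cat 1>&2"
            next
        }
        $3 > 0 { print $2, $3; found = 1 }                # count must be non-zero
        END { exit (found ? 0 : 1) }
    ' "$file"
}

# check_subids USER UID [DIR]: check both files; DIR defaults to /etc.
check_subids() {
    user=$1; uid=$2; dir=${3:-/etc}; rc=0
    for f in subuid subgid; do
        if ranges=$(subid_ranges "$dir/$f" "$user" "$uid"); then
            echo "$dir/$f: $user has range(s): $ranges"
        else
            echo "$dir/$f: no usable entry for $user" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: some-username has a subuid range but no subgid range.
demo=$(mktemp -d)
printf '%s\n' 'other-user:100000:65536' 'some-username:165536:65536' > "$demo/subuid"
printf '%s\n' 'other-user:100000:65536' > "$demo/subgid"
check_subids some-username 1000 "$demo" || echo "fix the file, then log out and back in"
rm -rf "$demo"

# On a real system: check_subids "$(id -un)" "$(id -u)"
```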
participants (3)
- Berthold Höllmann
- Carlos E. R.
- Johannes Kastl