On 2024-04-07 01:16, Berthold Höllmann wrote:

I had some podman containers run woch the 4.* version, but after upgrading to podman 5.0.1 they fail to start.

,---- | > podman run hello | Error: pasta failed with exit code 1: | Couldn't open network namespace /run/user/1000/netns/netns-254f2095-273b-04d1-9b6f-af01071a4f4e: Permission denied `----

The problem seems to be related to the usage of pasta with the new podman:

,---- | > pasta | Could not open /proc/self/uid_map: Permission denied | Couldn't configure user mappings | Couldn't mount /proc: Permission denied | Failed to join network namespace: Permission denied | Could not open /proc/sys/net/ipv4/ping_group_range: Permission denied | Cannot set ping_group_range, ICMP requests might fail `----

I suspect apparmor for causing these permission problems, but are helpless on how to solve this.

I know nothing of podman or pasta, but I may help you with apparmor. You run, as root, "aa-logprof", and it will tell you what problems it had. For example, in my machine it says (not related at all to podman): Telcontar:~ # aa-logprof Updating AppArmor profiles in /etc/apparmor.d. Reading log entries from /var/log/audit/audit.log. Enforce-mode changes: Profile: /usr/bin/locate Capability: setgid Severity: 9 [1 - include ] 2 - include 3 - include 4 - capability setgid, (A)llow / [(D)eny] / (I)gnore / Audi(t) / Abo(r)t / (F)inish It is saying that "locate" had a problem, and offers 4 solutions. As locate is not related to dovecot, postfix, or samba, I choose "4-allow". Ie, I type "4A[enter]" The program replies: Adding capability setgid, to profile. = Changed Local Profiles = The following local profiles were changed. Would you like to save them? [1 - /usr/bin/locate] (S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t I type S Writing updated profile for /usr/bin/locate. Telcontar:~ # I can't point you to a documentation on using aa-logprof and the different questions/answers it gives. The procedure is: 1) You run your application. 2) run aa-logprof. 3) repeat until aa-logprof comes out clean. https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-apparmor-comman... https://gitlab.com/apparmor/apparmor/-/wikis/home https://gitlab.com/apparmor/apparmor/-/wikis/Profiling_with_tools -- Cheers / Saludos, Carlos E. R. (from 15.5 x86_64 at Telcontar)

Hi Berthold, On 07.04.24 01:16 Berthold Höllmann wrote:

,---- | > pasta | Could not open /proc/self/uid_map: Permission denied | Couldn't configure user mappings

Can you check if your user has subids defined? This happens on user creation (local users), but just for some years. So if your user / system is older, you might be missing these. /etc/subgid /etc/subuid There should be on or more entries like the following: some-username:100000:65536 Logging out (or rebooting) after making changes is necessary, so those are active for your user. Kind Regards, Johannes