Comments (11)
I am working on it now within #49... and #50.
from podman-static.
@calvin2021y please try again using the new 4.4.1 release.
I assume you used podman 4.2.1.
It wasn't working within upstream podman for a long time. Though I think I've seen somewhere in the release notes a line saying that it (or something about it) was fixed, but I did not try it again. Does it work with the official fedora-based podman image now, or rather, did you test that?
Though, I think nested user namespaces are problematic anyway since you're likely to exceed the uid/gid mapping. Increasing the uid/gid map on the host might map.
Btw which podman image did you use? (minimal or regular)
Did you run the outer container as --privileged?
Thanks for the reply.
I use latest with --privileged (not minimal), and fedora-based podman works.
I am aware of the uid/gid map issue and it will not be an issue.
One more question: for rootful inside rootless with --privileged, will iptables and the bridge work like host rootful podman?
Here is the example for rootful inside rootless with fedora:
cat /proc/self/gid_map
0 1001 1
1 100000 65536
podman run --net slirp4netns -it --rm alpine cat /proc/self/gid_map
0 1000 1
1 1 999
1000 1001 64535
podman run --net slirp4netns -it --rm alpine ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether ce:f1:63:ac:12:d8 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
valid_lft forever preferred_lft forever
inet6 fd00::ccf1:63ff:feac:12d8/64 scope global dynamic flags 100
valid_lft 86400sec preferred_lft 14400sec
inet6 fe80::ccf1:63ff:feac:12d8/64 scope link
valid_lft forever preferred_lft forever
Looks like something is wrong with the subuid/subgid mapping within the static podman image then. Maybe over the weekend I can spare some time to look into it. A pull request would also be welcome 😉.
for rootful inside rootless with --privileged, will iptables and the bridge work like host rootful podman?
Yes, mostly: You can perform administrative tasks within your unprivileged user's network namespace (backed by slirp4netns). While you can probably not bridge to any other network devices on the host that are not managed by slirp4netns, it should be possible to do so for slirp4netns-managed network namespaces owned by the same user or rather for multiple child containers of a shared parent container.
With the latest docker image, running podman (non-root) in podman (non-root) gives this warning:
WARN[0000] Additional gid=1 is not present in the user namespace, skip setting it
WARN[0000] Additional gid=2 is not present in the user namespace, skip setting it
WARN[0000] Additional gid=3 is not present in the user namespace, skip setting it
WARN[0000] Additional gid=4 is not present in the user namespace, skip setting it
WARN[0000] Additional gid=6 is not present in the user namespace, skip setting it
WARN[0000] Additional gid=10 is not present in the user namespace, skip setting it
WARN[0000] Additional gid=11 is not present in the user namespace, skip setting it
WARN[0000] Additional gid=20 is not present in the user namespace, skip setting it
WARN[0000] Additional gid=26 is not present in the user namespace, skip setting it
WARN[0000] Additional gid=27 is not present in the user namespace, skip setting it
I need to remove /etc/sub* to try this.
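A small checker, added here as an example (not code from the podman-static project or from anyone in this thread), that parses the /proc/self/gid_map format quoted above and answers the two questions the thread circles around: whether a given id, such as the additional gids in the warnings, is mapped in the current user namespace at all, and whether a subordinate range like the 65536-id one typically found in /etc/subuid fits entirely inside the ids the namespace maps (the "exceed the uid/gid mapping" problem with nesting). The sample map is the outer-container gid_map from the thread; the function names are mine.

```python
# Added example (not podman-static code): check ids against a
# /proc/<pid>/{uid,gid}_map so nested-mapping problems can be spotted
# before podman prints "Additional gid=N is not present" or newuidmap fails.
from typing import List, Optional, Tuple

IdMap = List[Tuple[int, int, int]]  # (inside_start, outside_start, count)

# Sample taken from the gid_map printed inside the outer container above.
OUTER_GID_MAP = "0 1001 1\n1 100000 65536\n"


def parse_id_map(text: str) -> IdMap:
    """Parse the three-column uid_map/gid_map format into int triples."""
    entries: IdMap = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in id_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def map_inside_id(id_map: IdMap, inside_id: int) -> Optional[int]:
    """Return the parent-namespace id for inside_id, or None if unmapped."""
    for inside, outside, count in id_map:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def subid_range_fits(id_map: IdMap, start: int, count: int) -> bool:
    """True if every id in [start, start + count) is mapped in this namespace.

    A nested rootless podman needs its whole /etc/subuid range mapped in the
    namespace it runs in; the range may span several map entries.
    """
    cur, end = start, start + count
    while cur < end:
        hit = [e for e in id_map if e[0] <= cur < e[0] + e[2]]
        if not hit:
            return False
        inside, _, n = hit[0]
        cur = min(end, inside + n)
    return True
```

With the outer map above, a default subuid range starting at 100000 does not fit, because the namespace only maps inside ids 0 through 65536; that is the mismatch the "exceed the uid/gid mapping" remark refers to.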
podman 4.4 released, any plan to upgrade?
I am closing the issue since I think the fix worked. Feel free to reopen if that's not the case.
It was partially a duplicate of #40.