When trying to make use of Podman's automatic user namespace mapping with --userns=auto, APT fails to run inside the container. I'm starting containers as the root user.
# podman run --userns auto -it docker.io/library/debian:bullseye-slim bash
root@397626021d9a:/# apt update
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
Reading package lists... Done
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (22: Invalid argument)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)
Digging a bit further into this, I noticed that APT uses a dedicated _apt user with nogroup as its primary group. At first glance, it seems like the auto-detection mechanism doesn't allocate enough IDs for the container.
When manually specifying the size of 65535, APT works inside the container.
I also tried 65534, but that resulted in the same error as above.
root@nomadwodev01:~# podman run --userns auto:size=65535 -it docker.io/library/debian:bullseye-slim bash
root@854851aa6707:/# apt update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian bullseye/main amd64 Packages [8183 kB]
Get:5 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [252 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [17.3 kB]
Fetched 8661 kB in 1s (7956 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
I think it might be related to the following fix: #1473.
In our case, the above workaround is sufficient for now, since we have lots of IDs we can allocate.
Feel free to let me know if you'd need more information.
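The errors in the report are what the kernel returns when a process inside a user namespace tries to switch to a GID that the namespace's gid_map does not cover: setgroups() and setegid() fail with EINVAL. A quick way to tell in advance whether APT's group (nogroup, GID 65534) is usable is to parse the mapping. The following POSIX shell check is an added example, not code from the issue or from the Podman project; the two sample maps are constructed to illustrate a too-small mapping and the 65535-ID mapping the reporter used, and gid_mapped, map_size and demo are names chosen here.

```shell
#!/bin/sh
# Added example, not from the issue: decide whether a GID is covered by a
# user-namespace mapping before running tools that switch to it.
# Each line of /proc/self/gid_map is "<inside-start> <outside-start> <length>";
# an ID is usable inside the namespace when
#   inside-start <= id < inside-start + length.

# gid_mapped GID MAP_TEXT -> exit 0 if GID is mapped, 1 otherwise.
gid_mapped() {
  printf '%s\n' "$2" | awk -v gid="$1" '
    NF == 3 && gid >= $1 && gid < $1 + $3 { found = 1 }
    END { exit found ? 0 : 1 }'
}

# map_size MAP_TEXT -> total number of IDs covered by the map.
map_size() {
  printf '%s\n' "$1" | awk 'NF == 3 { n += $3 } END { print n + 0 }'
}

# Constructed sample maps (illustrative values, not taken from a real host):
# a small automatic mapping that stops well below nogroup (65534) ...
SMALL_MAP="0 100000 1024"
# ... and a mapping of the size the reporter passed (--userns=auto:size=65535),
# which reaches GID 65534.
LARGE_MAP="0 100000 65535"

# Primary group of Debian's _apt user (nogroup).
APT_GID=65534

# Run stand-alone: report whether APT's group would be usable under each sample
# map, then check the real mapping when executed inside a container.
demo() {
  for m in "$SMALL_MAP" "$LARGE_MAP"; do
    if gid_mapped "$APT_GID" "$m"; then
      echo "map '$m' (size $(map_size "$m")): gid $APT_GID is mapped, setegid can succeed"
    else
      echo "map '$m' (size $(map_size "$m")): gid $APT_GID is NOT mapped, expect EINVAL from setgroups/setegid"
    fi
  done
  if [ -r /proc/self/gid_map ]; then
    if gid_mapped "$APT_GID" "$(cat /proc/self/gid_map)"; then
      echo "this namespace: gid $APT_GID is mapped"
    else
      echo "this namespace: gid $APT_GID is not mapped"
    fi
  fi
}

demo
```

Inside a container the real check is `gid_mapped 65534 "$(cat /proc/self/gid_map)"`; the same function works on /proc/self/uid_map if you also want to confirm that the _apt user's UID is mapped. A mapping of exactly 65534 IDs starting at 0 covers 0..65533 only, which is why size=65534 in the report still fails.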
Environment
UID ranges taken from: https://github.com/systemd/systemd/blob/main/docs/UIDS-GIDS.md#summary