Podman errors and Buildah warnings when using non-root container user
Summary
I am unable to use podman as a non-root user within the rootless-podman container.
Steps to reproduce
Simply try to run an image using registry1.dso.mil/ironbank/ironbank-pipelines/rootless-podman:0.1.
$ podman run --rm -it registry1.dso.mil/ironbank/ironbank-pipelines/rootless-podman:0.1
[rootless-podman@d2672bd380a4 /]$ podman run --rm -it docker.io/hello-world
Error: Cannot connect to the Podman socket, make sure there is a Podman REST API service running.: cannot setup namespace using newuidmap: exit status 1
Buildah also gives some warnings related to newgidmap and newuidmap.
[rootless-podman@d2672bd380a4 ~]$ buildah images
WARN error running newgidmap: exit status 1: newgidmap: write to gid_map failed: Operation not permitted
WARN falling back to single mapping
WARN error running newuidmap: exit status 1: newuidmap: write to uid_map failed: Operation not permitted
WARN falling back to single mapping
REPOSITORY TAG IMAGE ID CREATED SIZE
<none> <none> d331ef77182f 8 minutes ago 18.2 KB
docker.io/library/hello-world latest bf756fb1ae65 14 months ago 20 KB
What is the current bug behavior?
It gives an immediate error message.
Error: Cannot connect to the Podman socket, make sure there is a Podman REST API service running.: cannot setup namespace using newuidmap: exit status 1
What is the expected correct behavior?
podman info and buildah info should run with no errors or warnings.
Relevant logs and/or screenshots
Here's some debug info when trying to get the podman info.
$ podman --version
$ podman run --rm -it registry1.dso.mil/ironbank/ironbank-pipelines/rootless-podman:0.1
[rootless-podman@d2672bd380a4 /]$ podman info --log-level=DEBUG
INFO[0000] podman filtering at log level debug
DEBU[0000] Called info.PersistentPreRunE(podman info --log-level=DEBUG)
DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf"
DEBU[0000] Merged system config "/usr/share/containers/containers.conf": &{Containers:{Devices:[] Volumes:[] ApparmorProfile:containers-default-0.33.1 Annotations:[] CgroupNS:host Cgroups:enabled DefaultCapabilities:[NET_RAW CHOWN DAC_OVERRIDE FOWNER FSETID KILL NET_BIND_SERVICE SETFCAP SETGID SETPCAP SETUID SYS_CHROOT] DefaultSysctls:[net.ipv4.ping_group_range=0 0] DefaultUlimits:[nproc=32768:32768] DefaultMountsFile: DNSServers:[] DNSOptions:[] DNSSearches:[] EnableKeyring:true EnableLabeling:false Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm] EnvHost:false HTTPProxy:true Init:false InitPath: IPCNS:private LogDriver:k8s-file LogSizeMax:-1 NetNS:slirp4netns NoHosts:false PidsLimit:2048 PidNS:private SeccompProfile:/usr/share/containers/seccomp.json ShmSize:65536k TZ: Umask:0022 UTSNS:private UserNS:host UserNSSize:65536} Engine:{ImageBuildFormat:oci CgroupCheck:false CgroupManager:cgroupfs ConmonEnvVars:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] ConmonPath:[/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] DetachKeys:ctrl-p,ctrl-q EnablePortReservation:true Env:[] EventsLogFilePath:/tmp/run-1000/libpod/tmp/events/events.log EventsLogger:file HooksDir:[/usr/share/containers/oci/hooks.d] ImageDefaultTransport:docker:// InfraCommand: InfraImage:k8s.gcr.io/pause:3.2 InitPath:/usr/libexec/podman/catatonit LockType:shm MultiImageArchive:false Namespace: NetworkCmdPath: NetworkCmdOptions:[] NoPivotRoot:false NumLocks:2048 OCIRuntime:runc OCIRuntimes:map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] 
runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] PullPolicy:missing Remote:false RemoteURI: RemoteIdentity: ActiveService: ServiceDestinations:map[] RuntimePath:[] RuntimeSupportsJSON:[crun runc] RuntimeSupportsNoCgroups:[crun] RuntimeSupportsKVM:[kata kata-runtime kata-qemu kata-fc] SetOptions:{StorageConfigRunRootSet:false StorageConfigGraphRootSet:false StorageConfigGraphDriverNameSet:false StaticDirSet:false VolumePathSet:false TmpDirSet:false} SignaturePolicyPath:/etc/containers/policy.json SDNotify:false StateType:3 StaticDir:/home/rootless-podman/.local/share/containers/storage/libpod StopTimeout:10 TmpDir:/tmp/run-1000/libpod/tmp VolumePath:/home/rootless-podman/.local/share/containers/storage/volumes VolumePlugins:map[]} Network:{CNIPluginDirs:[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] DefaultNetwork:podman NetworkConfigDir:/home/rootless-podman/.config/cni/net.d}}
DEBU[0000] Using conmon: "/usr/bin/conmon"
DEBU[0000] Initializing boltdb state at /home/rootless-podman/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /home/rootless-podman/.local/share/containers/storage
DEBU[0000] Using run root /tmp/podman-run-1000/containers
DEBU[0000] Using static dir /home/rootless-podman/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /tmp/run-1000/libpod/tmp
DEBU[0000] Using volume path /home/rootless-podman/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] Not configuring container store
DEBU[0000] Initializing event backend file
INFO[0000] Error initializing configured OCI runtime crun: no valid executable found for OCI runtime crun: invalid argument
DEBU[0000] using runtime "/usr/bin/runc"
INFO[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] error from newuidmap: newuidmap: write to uid_map failed: Operation not permitted
Error: Cannot connect to the Podman socket, make sure there is a Podman REST API service running.: cannot setup namespace using newuidmap: exit status 1
Some similar warnings show up for buildah followed by the requested info.
[rootless-podman@d2672bd380a4 /]$ buildah info
WARN error running newgidmap: exit status 1: newgidmap: write to gid_map failed: Operation not permitted
WARN falling back to single mapping
WARN error running newuidmap: exit status 1: newuidmap: write to uid_map failed: Operation not permitted
WARN falling back to single mapping
{
"host": {
"CgroupVersion": "v1",
"Distribution": {
"distribution": "\"rhel\"",
"version": "8.3"
},
"MemFree": 7830372352,
"MemTotal": 13370765312,
"OCIRuntime": "runc",
"SwapFree": 4294967296,
"SwapTotal": 4294967296,
"arch": "amd64",
"cpus": 8,
"hostname": "d2672bd380a4",
"kernel": "4.19.128-microsoft-standard",
"os": "linux",
"rootless": true,
"uptime": "66h 1m 13.87s (Approximately 2.75 days)"
},
"store": {
"ContainerStore": {
"number": 0
},
"GraphDriverName": "overlay",
"GraphOptions": [
"overlay.mount_program=/usr/bin/fuse-overlayfs"
],
"GraphRoot": "/home/rootless-podman/.local/share/containers/storage",
"GraphStatus": {
"Backing Filesystem": "<unknown>",
"Native Overlay Diff": "false",
"Supports d_type": "true",
"Using metacopy": "false"
},
"ImageStore": {
"number": 0
},
"RunRoot": "/var/tmp/containers-user-1000/containers"
}
}
Possible fixes
I'm unsure of possible fixes. I've tried reinstalling shadow-utils with no luck. Something that might be helpful: if you run the image as the root user with the -u root option, it works fine.
$ podman run --rm -it -u root registry1.dso.mil/ironbank/ironbank-pipelines/rootless-podman:0.1
[root@cfa029e2e5b9 /]# podman info
host:
arch: amd64
buildahVersion: 1.19.2
cgroupManager: systemd
cgroupVersion: v1
conmon:
package: conmon-2.0.25-1.module_el8.4.0+673+eabfc99d.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.0.25, commit: 897f4ebd69b9e9c725621fabf1d7c918ef635a68'
cpus: 8
distribution:
distribution: '"rhel"'
version: "8.3"
eventLogger: file
hostname: cfa029e2e5b9
idMappings:
gidmap: null
uidmap: null
kernel: 4.19.128-microsoft-standard
linkmode: dynamic
memFree: 7846326272
memTotal: 13370765312
ociRuntime:
name: runc
package: runc-1.0.0-70.rc92.module_el8.4.0+673+eabfc99d.x86_64
path: /usr/bin/runc
version: 'runc version spec: 1.0.2-dev'
os: linux
remoteSocket:
path: /run/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: false
seccompEnabled: true
selinuxEnabled: false
slirp4netns:
executable: ""
package: ""
version: ""
swapFree: 4294967296
swapTotal: 4294967296
uptime: 66h 15m 57.15s (Approximately 2.75 days)
registries:
search:
- registry.access.redhat.com
- registry.redhat.io
- docker.io
store:
configFile: /etc/containers/storage.conf
containerStore:
number: 0
paused: 0
running: 0
stopped: 0
graphDriverName: vfs
graphOptions: {}
graphRoot: /var/lib/containers/storage
graphStatus: {}
imageStore:
number: 0
runRoot: /run/containers/storage
volumePath: /var/lib/containers/storage/volumes
version:
APIVersion: 3.0.0
Built: 1612303593
BuiltTime: Tue Feb 2 22:06:33 2021
GitCommit: ""
GoVersion: go1.15.7
OsArch: linux/amd64
Version: 3.0.0-dev
Definition of Done
- Bug has been identified and corrected within the container
/cc @ironbank-notifications/bug
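Added by the editor, not part of the original report or of the Iron Bank image: a small POSIX shell diagnostic for the "write to uid_map failed: Operation not permitted" error in the logs above. newuidmap and newgidmap can only succeed when three things hold: the helper can gain CAP_SETUID/CAP_SETGID (setuid-root bit or a cap_setuid/cap_setgid file capability), /etc/subuid and /etc/subgid carry a range for the calling user, and every ID in that range is itself mapped in the caller's own user namespace (/proc/self/uid_map, /proc/self/gid_map), because a nested user namespace can only map IDs that already exist in its parent. The functions below check those conditions against arbitrary files. The sample /etc/subuid entry (rootless-podman:100000:65536) and the two sample uid_map contents in demo are constructed for the example and are not taken from the image.

```shell
#!/bin/sh
# Editor's diagnostic for newuidmap/newgidmap EPERM inside a container.
# Not part of the issue or the rootless-podman image; file contents below
# are constructed sample data.

# Print "start count" for USER's first entry in a /etc/subuid-style file
# (format: user:start:count). Prints nothing if the user has no entry.
subid_range() { # subid_range FILE USER
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# Return 0 if [START, START+COUNT) lies entirely inside one line of a
# uid_map/gid_map file (format: inner outer length), i.e. every ID in the
# subordinate range exists in the namespace that owns the map.
range_mapped() { # range_mapped MAPFILE START COUNT
    awk -v s="$2" -v n="$3" '
        { if (s >= $1 && s + n <= $1 + $3) { found = 1; exit } }
        END { exit(found ? 0 : 1) }' "$1"
}

# Combine the two checks; prints a one-line verdict, returns 0 only on pass.
check_subids() { # check_subids SUBID_FILE MAP_FILE USER
    range=$(subid_range "$1" "$3") || return 1
    [ -n "$range" ] || { echo "FAIL: no entry for $3 in $1"; return 1; }
    set -- "$1" "$2" "$3" $range   # $4=start $5=count
    if range_mapped "$2" "$4" "$5"; then
        echo "ok: $3 -> $4:$5 is mapped in $2"
    else
        echo "FAIL: $3 -> $4:$5 not mapped in $2 (newuidmap would get EPERM)"
        return 1
    fi
}

# Return 0 if the helper can gain CAP_SETUID/CAP_SETGID: either the
# setuid-root bit is set or getcap reports a cap_setuid/cap_setgid capability.
helper_privileged() { # helper_privileged /usr/bin/newuidmap
    [ -u "$1" ] && return 0
    command -v getcap >/dev/null 2>&1 && getcap "$1" 2>/dev/null | grep -q 'cap_set[ug]id'
}

# Constructed demo: user rootless-podman has a 65536-ID subordinate range,
# first checked against a nested namespace that only holds 65536 IDs
# (the range cannot be mapped), then against the initial namespace map.
demo() {
    tmp=$(mktemp -d)
    printf 'rootless-podman:100000:65536\n' > "$tmp/subuid"
    printf '         0       1000          1\n         1     100000      65535\n' > "$tmp/uid_map.nested"
    printf '         0          0 4294967295\n' > "$tmp/uid_map.init"
    check_subids "$tmp/subuid" "$tmp/uid_map.nested" rootless-podman || true
    check_subids "$tmp/subuid" "$tmp/uid_map.init" rootless-podman
    rm -rf "$tmp"
}

demo
```

To use it on a real system, run it as the unprivileged user inside the image with the live files: check_subids /etc/subuid /proc/self/uid_map rootless-podman, check_subids /etc/subgid /proc/self/gid_map rootless-podman, and helper_privileged /usr/bin/newuidmap (and newgidmap). A FAIL on the map check, as in the nested case of the demo, indicates that the namespace the outer container was started in is too small to hold the image's subordinate range; a helper that is neither setuid nor carries a file capability indicates that the privilege newuidmap needs has been stripped from the image. Either condition produces the EPERM seen in the report.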