podman 4.9.3 on Ubuntu 22
I previously used docker with zero additional configuration in this way:
docker run --interactive --name test-suites --tty --volume=/var/run/docker.sock:/var/run/docker.sock test-suites
Each test suite then used the docker CLI to start its desired application containers to test - and break - however desired. Easy.
Now I am trying to migrate to podman and this does not work out-of-the-box, but worse, the documentation is all over the place and I cannot figure it out.
Here are some invocations I have pieced together:
podman run --interactive --name=test-suites --tty --volume=/run/user/"$(id --user)"/podman/podman.sock:/run/podman/podman.sock test-suites
podman run --interactive --name=test-suites --security-opt label:disable --tty --volume=/run/user/"$(id --user)"/podman/podman.sock:/run/podman/podman.sock test-suites
podman run --interactive --name=test-suites --security-opt label:type:container_runtime_t --tty --volume=/run/user/"$(id --user)"/podman/podman.sock:/run/podman/podman.sock test-suites
volume_podman_socket=/run/user/"$(id --user)"/podman/podman.sock:/run/user/"$(id --user)"/podman/podman.sock
set -e
podman system service --time 0 & # start podman socket if not yet running
podman build --tag test-suites --file execute-test-suites.dockerfile ../..
podman run --interactive --name=test-suites --security-opt label:type:container_runtime_t --tty --userns=keep-id --volume="$volume_podman_socket" test-suites
All fail with the exact same error:
Error: unable to copy from source <base image>: writing blob: adding layer with blob "<sha>"/""/"<sha>": unpacking failed (error: exit status 1; output: potentially insufficient UIDs or GIDs available in user namespace (requested 0:5 for /usr/bin/write): Check /etc/subuid and /etc/subgid if configured locally and run "podman system migrate": lchown /usr/bin/write: invalid argument)
podman system migrate terminated instantly with status code 0 and no messages... and changed nothing.
My /etc/subuid and /etc/subgid both contain an entry <username>:100000:65536, which ought to suffice, if truly only 5 were needed!?
I can mount regular directories just fine.
How do I fix this? What is the real error!?
Sources I tried to follow:
- https://www.redhat.com/en/blog/podman-inside-container - As I understand, this would start containers inside containers (like Docker-in-Docker), which is not what I want.
- https://github.com/podman-container-tools/podman/issues/10203 - Exactly my use case, but little information beyond "it should just work".
Note that the claimed path `/run/podman.sock` is not the path I found on my Ubuntu host, thence I used that one's `/run/podman/podman.sock`, presuming it is either quoted wrong or has since been moved.
- https://wiki.archlinux.org/title/Podman#Set_subuid_and_subgid - What the subuid/subgid files are supposed to look like.
- https://docs.podman.io/en/latest/_static/api.html?version=v4.9 - The only source that claims I have to start a service before the socket can be used. All other sources that mention it at all, treat the socket as already ready-to-use.
- https://docs.podman.io/en/v4.6.1/markdown/options/userns.container.html - Documentation for `--userns` that specifically claims `keep-id` could completely replace the uid/gid mapping.
Note that I get an HTTP 404 for any newer version of this page, yet the parameter does exist on my podman and does not produce a deprecation message. ... But then, it does not seem to have any effect at all, including the one claimed.
- https://www.reddit.com/r/podman/comments/1akij4e/comment/lfijtts/ - This is where I got `--security-opt label:type:container_runtime_t` from. I understood that it should make no difference for working in the first place, though.