[arch-general] cgroups_v2 and rootless podman

samirnassar at posteo.de
Fri Mar 19 10:40:56 UTC 2021


Hello,

I am trying to make rootless podman work based off of: 
https://wiki.archlinux.org/index.php/Podman#Rootless_Podman and I am 
wondering if I am missing something or if there might be old information 
in the wiki pages: https://wiki.archlinux.org/index.php/Podman and 
https://wiki.archlinux.org/index.php/Cgroups

https://wiki.archlinux.org/index.php/Podman#Rootless_Podman says: 
"Rootless Podman requires using cgroups v2. See cgroups on how to check 
whether v1 (default) or v2 is used and how to switch to cgroups v2." So I 
use the instructions at: 
https://wiki.archlinux.org/index.php/Cgroups#Switching_to_cgroups_v2

So here is what I did:

from /etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0 nomodeseti systemd.unified_cgroup_hierarchy=1"

$ ls -al /sys/fs/cgroup
total 0
dr-xr-xr-x 11 root root 0 Mar 19 10:56 .
drwxr-xr-x  7 root root 0 Mar 19 10:56 ..
-r--r--r--  1 root root 0 Mar 19 10:56 cgroup.controllers
-rw-r--r--  1 root root 0 Mar 19 10:57 cgroup.max.depth
-rw-r--r--  1 root root 0 Mar 19 10:57 cgroup.max.descendants
-rw-r--r--  1 root root 0 Mar 19 10:56 cgroup.procs
-r--r--r--  1 root root 0 Mar 19 10:57 cgroup.stat
-rw-r--r--  1 root root 0 Mar 19 10:56 cgroup.subtree_control
-rw-r--r--  1 root root 0 Mar 19 10:57 cgroup.threads
-rw-r--r--  1 root root 0 Mar 19 10:57 cpu.pressure
-r--r--r--  1 root root 0 Mar 19 10:57 cpuset.cpus.effective
-r--r--r--  1 root root 0 Mar 19 10:57 cpuset.mems.effective
...

I also set up /etc/subuid and /etc/subgid:

$ cat /etc/subuid
administrator:100000:65536
$ cat /etc/subgid
administrator:100000:65536

Trying to get podman to work:

$ podman info
Error: cannot setup namespace using newuidmap: exit status 1

$ podman system migrate
Error: cannot setup namespace using newuidmap: exit status 1

When I remove /etc/subuid and /etc/subgid, I get:

$ podman info --debug
ERRO[0000] cannot find UID/GID for user administrator: open /etc/subuid: no such file or directory - check rootless mode in man pages.
WARN[0000] using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids
...

Then I created empty /etc/subuid and /etc/subgid, and I got:

$ podman info --debug
host:
   arch: amd64
   buildahVersion: 1.19.4
   cgroupManager: systemd
   cgroupVersion: v2
   conmon:
     package: /usr/bin/conmon is owned by conmon 1:2.0.27-1
     path: /usr/bin/conmon
     version: 'conmon version 2.0.27, commit: 65fad4bfcb250df0435ea668017e643e7f462155'
   cpus: 1
   distribution:
     distribution: arch
     version: unknown
   eventLogger: journald
   hostname: archlinux-minimal
   idMappings:
     gidmap:
     - container_id: 0
       host_id: 60338
       size: 1
     uidmap:
     - container_id: 0
       host_id: 60338
       size: 1
   kernel: 5.11.7-arch1-1
   linkmode: dynamic
   memFree: 1745731584
   memTotal: 2026967040
   ociRuntime:
     name: crun
     package: /usr/bin/crun is owned by crun 0.18-1
     path: /usr/bin/crun
     version: |-
       crun version 0.18
       commit: 808420efe3dc2b44d6db9f1a3fac8361dde42a95
       spec: 1.0.0
       +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
   os: linux
   remoteSocket:
     path: /run/user/60338/podman/podman.sock
   security:
     apparmorEnabled: false
     capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
     rootless: true
     seccompEnabled: true
     selinuxEnabled: false
   slirp4netns:
     executable: /usr/bin/slirp4netns
     package: /usr/bin/slirp4netns is owned by slirp4netns 1.1.9-1
     version: |-
       slirp4netns version 1.1.9
       commit: 4e37ea557562e0d7a64dc636eff156f64927335e
       libslirp: 4.4.0
       SLIRP_CONFIG_VERSION_MAX: 3
       libseccomp: 2.5.1
   swapFree: 0
   swapTotal: 0
   uptime: 37m 10.76s
registries: {}
store:
   configFile: /home/administrator/.config/containers/storage.conf
   containerStore:
     number: 5
     paused: 0
     running: 0
     stopped: 5
   graphDriverName: overlay
   graphOptions:
     overlay.mount_program:
       Executable: /usr/bin/fuse-overlayfs
       Package: /usr/bin/fuse-overlayfs is owned by fuse-overlayfs 1.4.0-1
       Version: |-
         fusermount3 version: 3.10.2
         fuse-overlayfs: version 1.4
         FUSE library version 3.10.2
         using FUSE kernel interface version 7.31
   graphRoot: /home/administrator/.local/share/containers/storage
   graphStatus:
     Backing Filesystem: btrfs
     Native Overlay Diff: "false"
     Supports d_type: "true"
     Using metacopy: "false"
   imageStore:
     number: 1
   runRoot: /run/user/60338/containers
   volumePath: /home/administrator/.local/share/containers/storage/volumes
version:
   APIVersion: 3.0.0
   Built: 1613921386
   BuiltTime: Sun Feb 21 16:29:46 2021
   GitCommit: c640670e85c4aaaff92741691d6a854a90229d8d
   GoVersion: go1.16
   OsArch: linux/amd64
   Version: 3.0.1

$ pacman -Qs podman
local/podman 3.0.1-2
     Tool and library for running OCI-based containers in pods
$ pacman -Qs crun
local/crun 0.18-1
     A fast and lightweight fully featured OCI runtime and C library for running containers

$ uname -a
Linux archlinux-minimal 5.11.7-arch1-1 #1 SMP PREEMPT Wed, 17 Mar 2021 16:59:58 +0000 x86_64 GNU/Linux

If you have any insights or ideas I would be happy if you shared them.

Regards,
Samir Nassar
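As an added example that is not part of Samir's mail, the following POSIX sh script checks the three prerequisites the mail walks through: that /sys/fs/cgroup is a unified (v2) hierarchy, that /etc/subuid and /etc/subgid carry a well-formed user:start:count entry for the current user, and that newuidmap/newgidmap (the helper named in the error) are installed with the privilege they need to write a multi-id mapping. The v1 heuristic and the --live flag are this example's own conventions.

```sh
#!/bin/sh
# Added example, not from the original mail: rootless podman prerequisite
# checks. Paths are parameters so the functions also run on sample files.

# cgroup_version DIR: "v2" if DIR is a unified hierarchy root (it carries
# cgroup.controllers, as in the ls output above), "v1" if it holds legacy
# per-controller directories (heuristic), "none" otherwise.
cgroup_version() {
    if [ -f "$1/cgroup.controllers" ]; then echo v2
    elif [ -d "$1/memory" ] || [ -d "$1/cpu" ]; then echo v1
    else echo none
    fi
}

# subid_range FILE USER: print "START COUNT" for USER's user:start:count
# entry in a /etc/subuid- or /etc/subgid-style FILE; fail if the entry is
# missing or malformed (podman then falls back to a single-id mapping).
subid_range() {
    [ -r "$1" ] || return 1
    awk -F: -v u="$2" '
        $1 == u && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print $2, $3; found = 1; exit }
        END { exit !found }' "$1"
}

# check_newidmap: "cannot setup namespace using newuidmap" means the shadow
# helper failed. newuidmap/newgidmap must exist and be setuid root or carry
# cap_setuid/cap_setgid file capabilities to write a multi-id mapping.
check_newidmap() {
    rc=0
    for tool in newuidmap newgidmap; do
        path=$(command -v "$tool") || { echo "$tool: not installed"; rc=1; continue; }
        if [ -u "$path" ]; then
            echo "$tool: setuid root ($path)"
        elif getcap "$path" 2>/dev/null | grep -q cap_set; then
            echo "$tool: file capabilities: $(getcap "$path")"
        else
            echo "$tool: no setuid bit and no cap_set* capability ($path)"; rc=1
        fi
    done
    return $rc
}

# Live run against this host (the --live flag is this example's convention).
if [ "${1:-}" = --live ]; then
    echo "cgroups: $(cgroup_version /sys/fs/cgroup)"
    echo "subuid: $(subid_range /etc/subuid "$(id -un)" || echo 'no usable entry')"
    echo "subgid: $(subid_range /etc/subgid "$(id -un)" || echo 'no usable entry')"
    check_newidmap
fi
```

Run it as the unprivileged user with `sh check.sh --live`; a non-zero exit from check_newidmap points at the helper rather than at the subuid files.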
