Can I run bash rootless with `podman`?


The simple scenario is this, taken from this tutorial:

To run bash in an Ubuntu container without needing root/sudo privileges. The command line is:

podman run --rm --interactive --tty ubuntu bash

This command produces the following result:

    $ podman run --rm --interactive --tty ubuntu:20.10 bash
    Completed short name "ubuntu" with unqualified-search registries (origin: /etc/containers/registries.conf)
    Trying to pull docker.io/library/ubuntu:20.10...
    Getting image source signatures
    Copying blob 79e7e9027772 done
    Copying blob eed86eef5a46 done
    Copying blob 1b553362680b done
    Copying config deb373a625 done
    Writing manifest to image destination
    Storing signatures
    Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs
    available in user namespace (requested 0:42 for /etc/gshadow):
    Check /etc/subuid and /etc/subgid: lchown /etc/gshadow: invalid argument
    Error: Error committing the finished image: error adding layer with
    blob "sha256:eed86eef5a4687135cb1ba7c55da6af79c9182e8bf59b53a880d1b334515c8e3":
    Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs
    available in user namespace (requested 0:42 for /etc/gshadow): Check /etc/subuid
    and /etc/subgid: lchown /etc/gshadow: invalid argument

Which led us to believe that some further privilege is necessary (maybe not root, but...). This has been confirmed by running the same command with sudo: it works quite happily, with the exception that the podman Ubuntu image runs as root on my PC. Not the happy outcome I expect.

Presently the /etc/subuid and /etc/subgid files on this machine only have entries for a few samba users and a wireshark user, as shown:

    /etc/subuid                     /etc/subgid

    tsmith:100000:65536             tsmith:100000:65536
    demo:165536:65536               demo:165536:65536
    smbguest:231072:65536           smbguest:231072:65536
    wireshark:296608:65536          wireshark:296608:65536

I don't really have guidance at this point. I realise there's something I need to do with subuids and subgids for this example to work. So far I've had no luck finding any tip or documentation as to what is needed, except to not edit the files directly. Fair enough.

Also in the above-mentioned tutorial is a non-sudo example looking at the subuids:

    $ podman unshare cat /proc/self/uid_map
             0       1000          1
             1     100000      65536

I ask myself whether that user #1 is just an example or whether I missed a step. When I do the same thing on this PC, all I see is:

    $ podman unshare cat /proc/self/uid_map
             0       1000          1

Without a user #1, only a user #0. What action do I take? The question here now is:

1. How to have the Ubuntu bash shell run rootless in the container?
   • Minimal changes, just enough to see bash run rootless.
   • Where do I start?
   • What do I need to do?
   • How do I do it?

There are 2 answers

Answer by will (BEST ANSWER):

I eventually got Ubuntu working with a rootless container by applying ALL the steps herein...

It was almost as if these were the same points as in the original article I used to begin with, so I can't really say which bit didn't get done right the first time. The steps in that post definitely do the job.

It is very important (imho) to confirm that your container is rootless. Sometimes you can still be running as root but think it is "working".
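The question's error ("potentially insufficient UIDs or GIDs available in user namespace ... Check /etc/subuid and /etc/subgid") means the invoking user has no subordinate ID range, so the rootless user namespace can only map the single UID 0 line shown in the question's uid_map output. The script below is an added example, not code from the question, the answer or the tutorial they refer to. It reads a constructed copy of the /etc/subuid and /etc/subgid listing from the question, reports whether a user has a range, computes a non-overlapping 65536-ID range just past the highest one already allocated, prints the `usermod --add-subuids/--add-subgids` and `podman system migrate` commands that grant it, and, when podman is installed, checks that the rootless user namespace now maps more than one line. The user name "alice" is a placeholder standing in for whichever account you run podman as.

```shell
#!/bin/sh
# Added example (not from the original question or answer): inspect the
# subordinate-ID files for a user, pick a free range, print the commands
# that grant it, and verify the rootless user namespace through podman.

# has_subid_range USER FILE -> exit 0 if USER owns at least one range in FILE
has_subid_range() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# next_free_range FILE [SIZE] -> prints a start ID that does not overlap any
# existing range: just past the highest allocated range, never below 100000.
next_free_range() {
    awk -F: '
        { end = $2 + $3; if (end > max) max = end }
        END { print (max > 100000) ? max : 100000 }
    ' "$1"
}

# suggest_fix USER SUBUID_FILE SUBGID_FILE -> prints the commands to run as root.
# usermod edits /etc/subuid and /etc/subgid for you (do not edit them by hand);
# podman caches the namespace layout, so it must be told to re-read it.
suggest_fix() {
    user=$1; subuid=$2; subgid=$3
    ustart=$(next_free_range "$subuid"); gstart=$(next_free_range "$subgid")
    uend=$((ustart + 65535)); gend=$((gstart + 65535))
    printf 'sudo usermod --add-subuids %s-%s --add-subgids %s-%s %s\n' \
        "$ustart" "$uend" "$gstart" "$gend" "$user"
    printf 'podman system migrate\n'
}

# verify_rootless -> exit 0 when the rootless user namespace maps more than the
# single "0 <uid> 1" line, i.e. the subordinate range is actually in use.
# Exit 2 when podman is not installed on this host.
verify_rootless() {
    command -v podman >/dev/null 2>&1 || { echo "podman not installed"; return 2; }
    podman unshare cat /proc/self/uid_map | awk 'END { exit NR < 2 }'
}

# Constructed sample input: the /etc/subuid and /etc/subgid entries from the
# question, written to a temporary directory so nothing on the host is touched.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/subuid" <<'EOF'
tsmith:100000:65536
demo:165536:65536
smbguest:231072:65536
wireshark:296608:65536
EOF
cp "$tmp/subuid" "$tmp/subgid"

for u in demo alice; do
    if has_subid_range "$u" "$tmp/subuid"; then
        echo "$u: has a subuid range, podman can build its user namespace"
    else
        echo "$u: no subuid range (this produces the lchown/'insufficient UIDs' error); run:"
        suggest_fix "$u" "$tmp/subuid" "$tmp/subgid"
    fi
done

if verify_rootless; then
    echo "rootless user namespace maps a subordinate range"
fi
```

After running the printed `usermod` and `podman system migrate` commands as the real user, `podman unshare cat /proc/self/uid_map` should show the two-line mapping from the tutorial (UID 0 to your own UID, then UIDs 1 and up to the new subordinate range), and `podman run --rm ubuntu id` will report uid 0 inside the container while the process is still owned by your unprivileged account on the host; that is what "rootless" means here, and it is the check the answer recommends before trusting that the setup works.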