podman in podman without privileged not work
Closed this issue · 2 comments
calvin2021y commented
Run the code as a non-root user:

```shell
podman run -it --rm --cap-add=sys_admin,mknod --device=/dev/fuse --security-opt label=disable mgoltzsche/podman:latest podman run alpine ip a
```

```
Error: failed to set the loopback adapter up: operation not permitted
```
podman/stable works fine.

```shell
podman run -it --rm --cap-add=sys_admin,mknod --device=/dev/fuse --security-opt label=disable quay.io/podman/stable podman run alpine ip a
```

```
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:8a49fdb3b6a5ff2bd8ec6a86c05b2922a0f7454579ecc07637e94dfd1d0639b6
Copying config sha256:5e2b554c1c45d22c9d1aa836828828e320a26011b76c08631ac896cbc3625e3e
Writing manifest to image destination
Storing signatures
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether 86:fb:8c:82:d2:26 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fd00::84fb:8cff:fe82:d226/64 scope global dynamic flags 100
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::84fb:8cff:fe82:d226/64 scope link
       valid_lft forever preferred_lft forever
```
calvin2021y commented
Found out the problem is that it does not use the host network by default.
calvin2021y commented
Reopening again, host network still does not work.

```shell
podman run -it --rm --cap-add=sys_admin,mknod --device=/dev/fuse --security-opt label=disable mgoltzsche/podman:latest podman run --network=host alpine ip a
```

```
✔ docker.io/library/alpine:latest
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 8a49fdb3b6a5 done
Copying config 5e2b554c1c done
Writing manifest to image destination
Storing signatures
WARN[0003] Failed to add conmon to cgroupfs sandbox cgroup: creating cgroup path /libpod_parent/conmon: open /sys/fs/cgroup/cgroup.subtree_control: read-only file system
Error: OCI runtime error: runc: runc create failed: unable to start container process: unable to apply cgroup configuration: mkdir /sys/fs/cgroup/libpod_parent: read-only file system
```