Closed
Description
Issue Description
When I'm trying to run a rootless container with podman I receive this error:
Error: /usr/bin/slirp4netns failed: "open(\"/dev/net/tun\"): Permission denied\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\nchild failed(1)\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\n"
The TUN and fuse module are correctly loaded as you can see here:
root@autoapi:~[root@autoapi ~]# lsmod | grep -e ^tun -e ^fuse
tun 4242 -2
fuse 4242 -2
root@autoapi:~[root@autoapi ~]# ls -la /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Sep 9 14:34 /dev/net/tun
root@autoapi:~[root@autoapi ~]# ls -la /dev/fuse
crw-rw-rw- 1 root root 10, 229 Sep 9 14:34 /dev/fuse
Steps to reproduce the issue
Steps to reproduce the issue
1.podman run hello-world
Describe the results you received
When I'm trying to run a rootless container I receive the error:
Error: /usr/bin/slirp4netns failed: "open(\"/dev/net/tun\"): Permission denied\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\nchild failed(1)\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\n"
This issue doesn't reproduce when I try it using root:
[root@autoapi ~]# podman run hello-world
WARN[0000] Ignoring global metacopy option, not supported with booted kernel 4.18.0 #1 SMP Thu Dec 15 20:31:06 MSK 2022
!... Hello Podman World ...!
.--"--.
/ - - \
/ (O) (O) \
~~~| -=(,Y,)=- |
.---. /` \ |~~
~/ o o \~~~~.----. ~~
| =(X)= |~ / (O (O) \
~~~~~~~ ~| =(Y_)=- |
~~~~ ~~~| U |~~
Project: https://github.com/containers/podman
Website: https://podman.io
Documents: https://docs.podman.io
Twitter: @Podman_io
Describe the results you expected
I'm expecting this output when I'm run the container in rootless mode:
!... Hello Podman World ...!
.--"--.
/ - - \
/ (O) (O) \
~~~| -=(,Y,)=- |
.---. /` \ |~~
~/ o o \~~~~.----. ~~
| =(X)= |~ / (O (O) \
~~~~~~~ ~| =(Y_)=- |
~~~~ ~~~| U |~~
Project: https://github.com/containers/podman
Website: https://podman.io
Documents: https://docs.podman.io
Twitter: @Podman_io
podman info output
ag23724@autoapi:~$ podman --version
podman version 4.4.1
ag23724@autoapi:~$ podman info --debug
host:
arch: amd64
buildahVersion: 1.29.0
cgroupControllers: []
cgroupManager: cgroupfs
cgroupVersion: v1
conmon:
package: conmon-2.1.6-1.module_el8.8.0+3470+252b1910.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.1.6, commit: 21c43a36b2ccb9799dfab0e8428837fca920fb45'
cpuUtilization:
idlePercent: 94.82
systemPercent: 0.6
userPercent: 4.58
cpus: 6
distribution:
distribution: '"almalinux"'
version: "8.5"
eventLogger: file
hostname: autoapi.servereasy.it
idMappings:
gidmap:
- container_id: 0
host_id: 100
size: 1
- container_id: 1
host_id: 100000
size: 65536
uidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
kernel: 4.18.0
linkmode: dynamic
logDriver: k8s-file
memFree: 13225619456
memTotal: 17179869184
networkBackend: cni
ociRuntime:
name: runc
package: runc-1.1.4-1.module_el8.7.0+3407+95aa0ca9.x86_64
path: /usr/bin/runc
version: |-
runc version 1.1.4
spec: 1.0.2-dev
go: go1.18.9
libseccomp: 2.5.1
os: linux
remoteSocket:
path: /run/user/1000/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_SYS_CHROOT,CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: false
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.2.0-2.module_el8.7.0+3407+95aa0ca9.x86_64
version: |-
slirp4netns version 1.2.0
commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
libslirp: 4.4.0
SLIRP_CONFIG_VERSION_MAX: 3
libseccomp: 2.5.1
swapFree: 268435456
swapTotal: 268435456
uptime: 0h 8m 14.00s
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries:
search:
- registry.access.redhat.com
- registry.redhat.io
- docker.io
store:
configFile: /home/antonio/.config/containers/storage.conf
containerStore:
number: 9
paused: 0
running: 0
stopped: 9
graphDriverName: overlay
graphOptions: {}
graphRoot: /home/antonio/.local/share/containers/storage
graphRootAllocated: 94983856128
graphRootUsed: 19813425152
graphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 5
runRoot: /run/user/1000/containers
transientStore: false
volumePath: /home/antonio/.local/share/containers/storage/volumes
version:
APIVersion: 4.4.1
Built: 1688126783
BuiltTime: Fri Jun 30 14:06:23 2023
GitCommit: ""
GoVersion: go1.19.10
Os: linux
OsArch: linux/amd64
Version: 4.4.1
ag23724@autoapi:~$ rpm -q podman
podman-4.4.1-14.module_el8.8.0+3573+7ff2a686.x86_64Podman in a container
Yes
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
The Linux machine is a containerized one under OpenVZ.
Additional information
No response