Bug#970352: unprivileged podman dies with gibberish
Control: close -1 Control: tag -1 unreproducible Hi Harald, On Sun, Sep 20, 2020 at 11:32 AM Reinhard Tartler wrote: > Control: tag -1 upstream > > On Sun, Sep 20, 2020 at 9:28 AM Harald Dunkel wrote: > >> I think there is a misunderstanding: The problem is not the error, >> but the error *message*. Can you do without complaining about bad >> HTTP code and URLs that don't work? Surely they don't give a hint >> about what is wrong. They are just distracting. >> >> > That was not clear to me from the initial description. In any case, I > think the most efficient way to resolve this is to ask upstream. May I ask > you to file an upstream report at > https://github.com/containers/podman/issues/new ? I could do so on your > behalf, but it'd be more efficient if you could do so yourself. > > Let me know how you prefer to proceed. > > I've read the 'gibberish' again, and have to ask for clarification. It seems to be this report is actually about two The "gibberish" is not what is causing podman to "die". The relevant part of the output probably is this: ApplyLayer exit status 1 stdout: stderr: there might not be enough IDs available in the namespace (requested 0:42 for /etc/gshadow): lchown /etc/gshadow: invalid argument I would have hoped that the instruction in README.Debian would have helped, but you indicated that you are using a custom, non-Debian kernel, so there is no way for me to reproduce this crash. I have to ask you to try again with a Debian kernel and report this issue to upstream. The other issue in your report happens when you instruct podman to fetch an image without fully qualifying what registry to get the image from. In this case, podman will search several registries as configured in /etc/containers/registries.conf. The Debian package configures "quay.io" and "docker.io" in that order. The image you specified is not available on quay.io, but on docker.io, and this causes some warnings that might be considered confusing. I'm not sure what kind of formatting or behavior would be more helpful to both users and developers that have to triage user errors. As package maintainer, I don't think I can support you well with either of these issues. I'd strongly encourage you to discuss both upstream at https://github.com/containers/podman/issues/new. Let me know the bug numbers, I'm happy to repoen this report with appropriate linking to the upstream bug. -- regards, Reinhard
Bug#970352: unprivileged podman dies with gibberish
Control: tag -1 upstream On Sun, Sep 20, 2020 at 9:28 AM Harald Dunkel wrote: > I think there is a misunderstanding: The problem is not the error, > but the error *message*. Can you do without complaining about bad > HTTP code and URLs that don't work? Surely they don't give a hint > about what is wrong. They are just distracting. > > That was not clear to me from the initial description. In any case, I think the most efficient way to resolve this is to ask upstream. May I ask you to file an upstream report at https://github.com/containers/podman/issues/new ? I could do so on your behalf, but it'd be more efficient if you could do so yourself. Let me know how you prefer to proceed. -- regards, Reinhard
Bug#970352: unprivileged podman dies with gibberish
On 9/15/20 5:05 PM, Reinhard Tartler wrote: I think this is the relevant error message. May I ask a couple of questions: 1. Did this work with an earlier verison of podman, i.e., is this a regression? What version worked for you before? No, I didn't try an earlier version of podman. I just found out that there is a native podman available. 2. Does the problem go away after a reboot? No. 3. Does the command 'unshare -nr id' work for you? Yes: % unshare -nr id uid=0(root) gid=0(root) groups=0(root),65534(nogroup) % id -a uid=1000(harri) gid=1000(harri) groups=1000(harri),4(adm),6(disk),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),44(video),46(plugdev),50(staff),107(haldaemon),108(powerdev),111(mythtv),112(netdev),119(kvm),123(wireshark),124(fuse),136(sbuild),999(docker) And no, docker is not installed. It was. 4. Did you read the file /usr/share/doc/podman/README.Debian, in particular the parts "User Namespaces" and "Troubleshooting rootless mode"? I did, but they are no help. I don't run a Debian kernel, i.e. there is no sysctl kernel.unprivileged_userns_clone to be set. CONFIG_USER_NS is enabled. And AFAIR it is common practice to define default subuid and subgid ranges as a fallback (at least for Docker). I think there is a misunderstanding: The problem is not the error, but the error *message*. Can you do without complaining about bad HTTP code and URLs that don't work? Surely they don't give a hint about what is wrong. They are just distracting. Thanx very much Harri
Bug#970352: unprivileged podman dies with gibberish
Control: tag -1 moreinfo Hi Harald, On Tue, Sep 15, 2020 at 1:51 AM Harald Dunkel wrote: > Package: podman > Version: 2.0.6+dfsg1-1 > > Unprivileged podman dies with some gibberish instead of a readable > error message: > > % podman run -it debian /bin/bash > Trying to pull quay.io/debian... >error parsing HTTP 404 response body: invalid character '<' looking for > beginning of value: " Final//EN\">\n404 Not Found\nNot Found\nThe > requested URL was not found on the server. If you entered the URL manually > please check > your spelling and try again.\n" > Trying to pull docker.io/library/debian... > Getting image source signatures > Copying blob 57df1a1f1ad8 done > Copying config f6dcff9b59 done > Writing manifest to image destination > Storing signatures > ERRO[0010] Error while applying layer: ApplyLayer exit status 1 stdout: > stderr: there might not be enough IDs available in the namespace (requested > 0:42 for /etc/gshadow): lchown /etc/gshadow: invalid argument >ApplyLayer exit status 1 stdout: stderr: there might not be enough IDs > available in the namespace (requested 0:42 for /etc/gshadow): lchown > /etc/gshadow: invalid argument > I think this is the relevant error message. May I ask a couple of questions: 1. Did this work with an earlier verison of podman, i.e., is this a regression? What version worked for you before? 2. Does the problem go away after a reboot? 3. Does the command 'unshare -nr id' work for you? 4. Did you read the file /usr/share/doc/podman/README.Debian, in particular the parts "User Namespaces" and "Troubleshooting rootless mode"? Best, -rt -- regards, Reinhard
Bug#970352: unprivileged podman dies with gibberish
Package: podman Version: 2.0.6+dfsg1-1 Unprivileged podman dies with some gibberish instead of a readable error message: % podman run -it debian /bin/bash Trying to pull quay.io/debian... error parsing HTTP 404 response body: invalid character '<' looking for beginning of value: "\n404 Not Found\nNot Found\nThe requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.\n" Trying to pull docker.io/library/debian... Getting image source signatures Copying blob 57df1a1f1ad8 done Copying config f6dcff9b59 done Writing manifest to image destination Storing signatures ERRO[0010] Error while applying layer: ApplyLayer exit status 1 stdout: stderr: there might not be enough IDs available in the namespace (requested 0:42 for /etc/gshadow): lchown /etc/gshadow: invalid argument ApplyLayer exit status 1 stdout: stderr: there might not be enough IDs available in the namespace (requested 0:42 for /etc/gshadow): lchown /etc/gshadow: invalid argument Error: unable to pull debian: 2 errors occurred: * Error initializing source docker://quay.io/debian:latest: Error reading manifest latest in quay.io/debian: error parsing HTTP 404 response body: invalid character '<' looking for beginning of value: "\n404 Not Found\nNot Found\nThe requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.\n" * Error committing the finished image: error adding layer with blob "sha256:57df1a1f1ad841deaf50c8f662d77e93b4b17af776ed66148116607f9aceffa8": ApplyLayer exit status 1 stdout: stderr: there might not be enough IDs available in the namespace (requested 0:42 for /etc/gshadow): lchown /etc/gshadow: invalid argument Regards Harri