
On a relatively fresh and simple CoreOS system, trying to run the following command:

podman run --rm docker.io/curlimages/curl -v host.containers.internal:2040

Results in the following error:

{"msg":"exec container process `/entrypoint.sh`: Permission denied","level":"error","time":"2024-11-22T22:12:56.046889Z"}

To which I am at a complete loss. I've tried the following:

  • sudo setenforce 0 to disable SELinux temporarily, which did not change the error received.

  • Added the --userns=keep-id flag to the command, which also didn't change the results. E.g.:

    podman run --userns=keep-id --rm docker.io/curlimages/curl -v host.containers.internal:2040

  • For other more complex podman containers, I tried setting the :z flag for volume mounts to no avail.

There must be something I'm doing wrong on my system. The only abnormal part of my system is that I have podman and docker both installed on the same machine for compatibility reasons but my understanding is that this shouldn't be a conflict.

  • Extra information: For some reason, creating a new user works as expected. Perhaps there's a user configuration error? Commented Nov 22, 2024 at 23:39
  • Can you update the question to include a reproducible configuration? Just booting an instance of fedora-coreos-stable (or -next), starting a container that publishes a service on port 2040, and then running your curlimages/curl example works without any errors. Commented Nov 23, 2024 at 1:52
  • You can find my successful test here Commented Nov 23, 2024 at 2:08

1 Answer


Found the answer myself with some debugging.

Basically, there was a facl flag of some sort that was interfering with the permissions of newly created images which was resulting in some strange behaviour.

I was able to fix this by nuking my ~/.local/share/containers and starting fresh, while also making sure that all extended facl permissions were cleared by using setfacl -bR ~/.local. I think this was set erroneously by a user, but I would probably argue that user level facls probably shouldn't interfere with podman rootless behaviour.
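Before deleting the whole storage directory, it is worth confirming that extended ACLs are actually present under ~/.local/share/containers, since `setfacl -bR` silently strips every named-user, named-group, mask and default entry. The script below is an added example, not part of the question or the answer: it parses `getfacl -R -p` output and prints each path that carries extended entries (the ones a `+` after the mode bits in `ls -l` would also hint at). The two getfacl transcripts embedded in it are constructed, and the paths in them are placeholders rather than podman's real storage layout.

```shell
#!/bin/sh
# Added example: find files whose POSIX ACL has extended entries, i.e. the
# entries that `setfacl -bR` would remove. Reads `getfacl -R -p` output on
# stdin and prints one path per file that has any of:
#   user:NAME:..., group:NAME:...   (named user/group entries)
#   mask::...                       (the effective-rights mask)
#   default:...                     (default ACL on a directory)
# The base entries user::, group:: and other:: are the ordinary mode bits and
# are ignored. Exit status is 0 when at least one such file was found, else 1.
find_extended_acl() {
    awk '
        function flush() {
            if (ext) { print file; found = 1 }
            ext = 0
        }
        /^# file: /            { file = substr($0, 9); ext = 0; next }
        /^$/                   { flush(); next }
        /^(user|group):[^:]+:/ { ext = 1 }
        /^mask::/              { ext = 1 }
        /^default:/            { ext = 1 }
        END                    { flush(); exit (found ? 0 : 1) }
    '
}

# Constructed getfacl -R -p output (placeholder paths, not podman's real
# storage layout): the first file carries a named-user entry plus a mask,
# the second has only the base entries.
SAMPLE_WITH_ACL='# file: /home/alice/.local/share/containers/storage/layer/entrypoint.sh
# owner: alice
# group: alice
user::rwx
user:alice:r--
group::r-x
mask::r-x
other::r-x

# file: /home/alice/.local/share/containers/storage/layer/config.json
# owner: alice
# group: alice
user::rw-
group::r--
other::r--
'

# Constructed sample with no extended entries at all.
SAMPLE_CLEAN='# file: /home/alice/.local/share/containers/storage/layer/config.json
# owner: alice
# group: alice
user::rw-
group::r--
other::r--
'

# On a real system you would run (not executed here):
#   getfacl -R -p ~/.local/share/containers | find_extended_acl
# and only then decide whether `setfacl -bR` on that tree is the right fix.
# Demo against the constructed sample; prints the entrypoint.sh path.
printf '%s\n' "$SAMPLE_WITH_ACL" | find_extended_acl
```

Piping the real `getfacl -R -p` output through `find_extended_acl` lists exactly the files `setfacl -bR` will touch, which makes it possible to narrow the cleanup to the affected subtree instead of all of ~/.local, and to record what was removed in case the entries were set deliberately.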
