newuidmap: open of uid_map failed: Permission denied

[EvgenyAfanasev]

Issue Description

When running rootless podman inside a container, I get the errors:

running `/usr/bin/newuidmap 16111 0 500 1 1 10000 65536`: newuidmap: open of uid_map failed: Permission denied 
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1

Steps to reproduce the issue

Steps to reproduce the issue

1. /etc/subuid

evgenii:10000:65536

2. /etc/subgid

evgenii:10000:65536

3. podman --log-level trace info

INFO podman filtering at log level trace          
DEBUG Called info.PersistentPreRunE(podman --log-level trace info) 
DEBUG Using conmon: "/usr/bin/conmon"              
DEBUG Initializing boltdb state at /home/evgenii/.local/share/containers/storage/libpod/bolt_state.db 
DEBUG Using graph driver overlay                   
DEBUG Using graph root /home/evgenii/.local/share/containers/storage 
DEBUG Using run root /run/user/500/containers      
DEBUG Using static dir /home/evgenii/.local/share/containers/storage/libpod 
DEBUG Using tmp dir /run/user/500/libpod/tmp       
DEBUG Using volume path /home/evgenii/.local/share/containers/storage/volumes 
DEBUG Using transient store: false                 
DEBUG Not configuring container store              
DEBUG Initializing event backend journald          
DEBUG Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument 
DEBUG Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument 
DEBUG Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument 
DEBUG Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument 
TRACE found runtime "/usr/bin/crun"                
DEBUG Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument 
DEBUG Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument 
DEBUG Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument 
DEBUG Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument 
DEBUG Using OCI runtime "/usr/bin/crun"            
ERROR running `/usr/bin/newuidmap 16111 0 500 1 1 10000 65536`: newuidmap: open of uid_map failed: Permission denied 
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1

4. I also tried running podman unshare cat /proc/self/uid_map, but with same result

Describe the results you received

podman --log-level trace info

INFO podman filtering at log level trace          
DEBUG Called info.PersistentPreRunE(podman --log-level trace info) 
DEBUG Using conmon: "/usr/bin/conmon"              
DEBUG Initializing boltdb state at /home/evgenii/.local/share/containers/storage/libpod/bolt_state.db 
DEBUG Using graph driver overlay                   
DEBUG Using graph root /home/evgenii/.local/share/containers/storage 
DEBUG Using run root /run/user/500/containers      
DEBUG Using static dir /home/evgenii/.local/share/containers/storage/libpod 
DEBUG Using tmp dir /run/user/500/libpod/tmp       
DEBUG Using volume path /home/evgenii/.local/share/containers/storage/volumes 
DEBUG Using transient store: false                 
DEBUG Not configuring container store              
DEBUG Initializing event backend journald          
DEBUG Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument 
DEBUG Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument 
DEBUG Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument 
DEBUG Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument 
TRACE found runtime "/usr/bin/crun"                
DEBUG Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument 
DEBUG Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument 
DEBUG Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument 
DEBUG Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument 
DEBUG Using OCI runtime "/usr/bin/crun"            
ERROR running `/usr/bin/newuidmap 16111 0 500 1 1 10000 65536`: newuidmap: open of uid_map failed: Permission denied 
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1

Describe the results you expected

normal podman info

podman info output

podman version 4.7.1

Alt Linux x86_64

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[rhatdan]

How is the container you are running running? Have you checked SELinux yet?

[EvgenyAfanasev]

How is the container you are running running?

It is my workstation PC

Have you checked SELinux yet?

SELinux is not installed

[rhatdan]

We need the output of podman info.
We need the actual podman command you are executing the outside container with.

[EvgenyAfanasev]

We need the output of podman info.

sudo podman info

host:
  arch: amd64
  buildahVersion: 1.32.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.8-alt1.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.8, commit: alt1'
  cpuUtilization:
    idlePercent: 99.44
    systemPercent: 0.24
    userPercent: 0.32
  cpus: 16
  databaseBackend: boltdb
  distribution:
    distribution: altlinux
    version: "10.2"
  eventLogger: journald
  freeLocks: 1996
  hostname: asrock-x470-r2700x
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.5.6-un-def-alt1
  linkmode: dynamic
  logDriver: journald
  memFree: 24327307264
  memTotal: 33564573696
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.8.0-alt1.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.8.0
    package: netavark-1.8.0-alt2.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.8.0
  ociRuntime:
    name: crun
    package: crun-1.9.2-alt1.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.9.2
      commit: 8e8e1ede095667bebe9d6f06d9cda8b6e047cca0
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-alt1.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.4
  swapFree: 68719472640
  swapTotal: 68719472640
  uptime: 2h 49m 50.00s (Approximately 0.08 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.altlinux.org
  - docker.io
  - quay.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 9
    paused: 0
    running: 0
    stopped: 9
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 180799668224
  graphRootUsed: 30186856448
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /tmp/.private/root
  imageStore:
    number: 7
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.7.1
  Built: 1696594085
  BuiltTime: Fri Oct  6 15:08:05 2023
  GitCommit: alt1
  GoVersion: go1.21.2
  Os: linux
  OsArch: linux/amd64
  Version: 4.7.1

We need the actual podman command you are executing the outside container with.

is it ? podman run hello

[rhatdan]

Is newuidmap and newgidmap setuid or setfcap?

$ getcap /usr/bin/newuidmap /usr/bin/newgidmap
/usr/bin/newuidmap cap_setuid=ep
/usr/bin/newgidmap cap_setgid=ep

[Luap99]

Moving to a discussion as this doe snot look like a podman bug and instead something with your environment

[616b2f]

have the same issue, when I try to use podman, the output is just slightly different (because of the version 4.7.2?):

ERRO[0000] running `/usr/bin/newuidmap 4574 0 1000 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted
Error: cannot set up namespace using "/usr/bin/newuidmap": should have setuid or have filecaps setuid: exit status 1

$ sudo podman info
host:
  arch: amd64
  buildahVersion: 1.32.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.8-2.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.8, commit: '
  cpuUtilization:
    idlePercent: 80.82
    systemPercent: 5.32
    userPercent: 13.86
  cpus: 4
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: silverblue
    version: "40"
  eventLogger: journald
  freeLocks: 2048
  hostname: castle
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.7.0-0.rc3.20231129git18d46e76d7c2.30.fc40.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 11850792960
  memTotal: 16663478272
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.9.0-1.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.9.0
    package: netavark-1.9.0-1.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.9.0
  ociRuntime:
    name: crun
    package: crun-1.12-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.12
      commit: ce429cb2e277d001c2179df1ac66a470f00802ae
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20231119.g4f1709d-1.fc40.x86_64
    version: |
      pasta 0^20231119.g4f1709d-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-1.fc40.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 0h 4m 16.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 498556993536
  graphRootUsed: 37828894720
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.7.2
  Built: 1698762097
  BuiltTime: Tue Oct 31 15:21:37 2023
  GitCommit: ""
  GoVersion: go1.21.3
  Os: linux
  OsArch: linux/amd64
  Version: 4.7.2

I am running Fedora Silverblue rawhide:

$ rpm-ostree status
State: idle
Deployments:
● fedora:fedora/rawhide/x86_64/silverblue
                  Version: Rawhide.20231130.n.0 (2023-11-30T06:04:25Z)
               BaseCommit: d9e7bc68f8e53945dc71f52b8c6c6722ed3a893cb4c83e7c12a265821e76f45e
             GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC
          LayeredPackages: alacritty bemenu brightnessctl fd-find git-lfs grim j4-dmenu-desktop mako neovim network-manager-applet polkit-gnome ripgrep slurp sway swaylock tmux vifm waybar
                           wl-clipboard wlroots xdg-desktop-portal-wlr

this is the last version that works for me, if it helps somehow.

  fedora:fedora/rawhide/x86_64/silverblue
                  Version: Rawhide.20231116.n.0 (2023-11-16T06:02:02Z)
               BaseCommit: 5bfde4ec863d8bcbb5890cf4aba27d9bf92bec193f050e4da86b68a46ad61f13
             GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC
          LayeredPackages: alacritty bemenu brightnessctl fd-find git-lfs grim j4-dmenu-desktop libwebkit2gtk-4.0.so.37 mako neovim network-manager-applet polkit-gnome ripgrep slurp sway
                           swaylock tmux vifm waybar webkit2gtk4.0-devel wl-clipboard wlroots xdg-desktop-portal-wlr
                   Pinned: yes

$ getcap /usr/bin/newuidmap /usr/bin/newgidmap
/usr/bin/newuidmap cap_setuid=ip
/usr/bin/newgidmap cap_setgid=ip

[Luap99]

$ getcap /usr/bin/newuidmap /usr/bin/newgidmap
/usr/bin/newuidmap cap_setuid=ip
/usr/bin/newgidmap cap_setgid=ip

The caps should show ep not ip AFAIK. I am not sure why it is ip but it looks wrong.

[616b2f]

It seems like in the version that still works for me, it's also ep, I am not sure why it's changed, maybe I ask in the atomic community if they can have a look.

[xxxserxxx]

Same issue here. Differences:

• I'm running Arch
• Everything (rootless podman) was working fine
• I did a software update and started getting this exact same error.
• My setcap_* are both ep

Aside from having no idea how to fix this, the error message is utterly useless to me.

[vboufleur]

I'm also facing the same issue on Alma Linux 9. Does anyone knows what might be wrong and could please give us a hand?

I tried reinstalling shadow-utils, didn't work.

Also tried setting SELinux to permissive, didn't work.

The cmd that is failing

[root@apollo containers-stack]# sudo -u deploy podman info
ERRO[0000] running `/bin/newuidmap 41266 0 1001 1 1 165536 65536`: newuidmap: open of uid_map failed: Permission denied
Error: cannot set up namespace using "/bin/newuidmap": exit status 1

Capabilities

[root@apollo containers-stack]# getcap /usr/bin/newuidmap /usr/bin/newgidmap
/usr/bin/newuidmap cap_setuid=ep
/usr/bin/newgidmap cap_setgid=ep

My OS

[root@apollo containers-stack]# cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.6 (Sage Margay)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.6"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.6 (Sage Margay)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.6"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.6"
SUPPORT_END=2032-06-01

subuid

[root@apollo containers-stack]# cat /etc/subuid
vboufleur:100000:65536
deploy:165536:65536

subgid

[root@apollo containers-stack]# cat /etc/subgid
vboufleur:100000:65536
deploy:165536:65536

[vboufleur]

For anyone interested, the solution to my problem were wrong permissions on the newgidmap and newuidmap files.

Managed to fix it with these commands:

# Podman might need this
dnf reinstall -y shadow-utils

# Allowing the files to be executed by all users
chmod 0755 /usr/bin/newuidmap /usr/bin/newgidmap

# Setting needed capacity
setcap cap_setuid+ep /usr/bin/newuidmap
setcap cap_setgid+ep /usr/bin/newgidmap

# Removing Setuid and Setgid bits
chmod -s /usr/bin/newuidmap
chmod -s /usr/bin/newgidmap

[JujiAd]

Chiming in with a duplicate issue in a RHEL8.8 container. I've tried all of the suggestions in this thread without success. For context, I am running Ubuntu and using Podman to create a RHEL container, which also needs to be provisioned with Podman.

Recreating the Issue
In my rootless RHEL8.8 container, when I run the command podman run hello I am met with the following error code.

ERRO[0000] running `/usr/bin/newuidmap 187 0 1000 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1

This error code is consistent for all podman [cmd] invocations.

Container Host (Ubuntu)

e449797@US05CD241JH14:~/working/master-ansible/docker$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.2 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo

Podman Info (Ubuntu)

e449797@US05CD241JH14:~/working/master-ansible/docker$ podman info
host:
  arch: amd64
  buildahVersion: 1.33.7
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.10+ds1-1build2_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: unknown'
  cpuUtilization:
    idlePercent: 99.79
    systemPercent: 0.12
    userPercent: 0.09
  cpus: 20
  databaseBackend: sqlite
  distribution:
    codename: noble
    distribution: ubuntu
    version: "24.04"
  eventLogger: journald
  freeLocks: 2023
  hostname: US05CD241JH14
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.6.87.2-microsoft-standard-WSL2
  linkmode: dynamic
  logDriver: journald
  memFree: 14007816192
  memTotal: 16346427392
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.4.0-5_amd64
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.4.0
    package: netavark_1.4.0-4_amd64
    path: /usr/lib/podman/netavark
    version: netavark 1.4.0
  ociRuntime:
    name: crun
    package: crun_1.14.1-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.14.1
      commit: de537a7965bfbe9992e2cfae0baeb56a08128171
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt_0.0~git20240220.1e6f92b-1_amd64
    version: |
      pasta unknown version
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.1-1build2_amd64
    version: |-
      slirp4netns version 1.2.1
      commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 4294967296
  swapTotal: 4294967296
  uptime: 44h 17m 14.00s (Approximately 1.83 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/e449797/.config/containers/storage.conf
  containerStore:
    number: 25
    paused: 0
    running: 0
    stopped: 25
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/e449797/.local/share/containers/storage
  graphRootAllocated: 1081101176832
  graphRootUsed: 52915752960
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 75
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/e449797/.local/share/containers/storage/volumes
version:
  APIVersion: 4.9.3
  Built: 0
  BuiltTime: Wed Dec 31 16:00:00 1969
  GitCommit: ""
  GoVersion: go1.22.2
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.3

Container OS (RHEL)

[python@f30ed753680c ansible]$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.8 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.8 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.8
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.8"

Capabilities

[python@f30ed753680c ansible]$ getcap /usr/bin/newuidmap /usr/bin/newgidmap
/usr/bin/newuidmap cap_setuid=ep
/usr/bin/newgidmap cap_setgid=ep

subuid and subgid

[python@f30ed753680c ansible]$ cat /etc/subuid
python:100000:65536
[python@f30ed753680c ansible]$ cat /etc/subgid
python:100000:65536

Podman Info (RHEL)

[python@f30ed753680c ansible]$ sudo podman info
WARN[0000] "/" is not a shared mount, this could cause issues or missing mounts with rootless containers
WARN[0000] Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user
host:
  arch: amd64
  buildahVersion: 1.33.12
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.module+el8.10.0+23250+94af2c8e.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: 46c335b05349f727977e48a55578f78804df914c'
  cpuUtilization:
    idlePercent: 99.79
    systemPercent: 0.12
    userPercent: 0.09
  cpus: 20
  databaseBackend: sqlite
  distribution:
    distribution: rhel
    version: "8.8"
  eventLogger: file
  freeLocks: 2048
  hostname: f30ed753680c
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.6.87.2-microsoft-standard-WSL2
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 13952540672
  memTotal: 16346427392
  networkBackend: cni
  networkBackendInfo:
    backend: cni
    dns:
      package: podman-plugins-4.9.4-20.module+el8.10.0+23250+94af2c8e.x86_64
      path: /usr/libexec/cni/dnsname
      version: |-
        CNI dnsname plugin
        version: 1.4.0-dev
        commit: unknown
        CNI protocol versions supported: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 1.0.0
    package: containernetworking-plugins-1.4.0-6.module+el8.10.0+23250+94af2c8e.x86_64
    path: /usr/libexec/cni
  ociRuntime:
    name: runc
    package: runc-1.1.12-6.module+el8.10.0+23250+94af2c8e.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.1.12
      spec: 1.2.0+dev
      go: go1.23.9 (Red Hat 1.23.9-1.module+el8.10.0+23162+9223a61a)
      libseccomp: 2.5.2
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /bin/slirp4netns
    package: slirp4netns-1.2.3-1.module+el8.10.0+23250+94af2c8e.x86_64
    version: |-
      slirp4netns version 1.2.3
      commit: c22fde291bb35b354e6ca44d13be181c76a0a432
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 4294967296
  swapTotal: 4294967296
  uptime: 45h 15m 35.00s (Approximately 1.88 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 1081101176832
  graphRootUsed: 52918312960
  graphStatus:
    Backing Filesystem: overlayfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.9.4-rhel
  Built: 1749668863
  BuiltTime: Wed Jun 11 19:07:43 2025
  GitCommit: ""
  GoVersion: go1.23.9 (Red Hat 1.23.9-1.module+el8.10.0+23162+9223a61a)
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.4-rhel