root run podman get: 'Failed to obtain podman configuration: runroot must be set' #25268

Closed
NemoTR opened this issue Feb 8, 2025 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug.

NemoTR commented Feb 8, 2025

Issue Description

I am using podman 5.3.2 on Ubuntu 24.04. I installed podman using Homebrew with user A.
I modified /etc/containers/registries.conf and this worked for user A but not for B.
Recently, I tried to run podman as user ROOT, and I got:

root:~# podman
podman configuration: runroot must be set

This means I cannot do anything with podman as user ROOT.
I followed this instruction and modified /etc/containers/storage.conf:

[storage]
runroot = "/run/containers/storage"

but this didn't work.

Finally, I tried modifying /home/linuxbrew/.linuxbrew/etc/containers/storage.conf, and this finally worked.
I then used podman system reset and then deleted all the config files, and I found that I can use podman as user ROOT now.

I have some questions:

  1. How does podman treat these two system-wide (?) configuration directories (/home/linuxbrew/.linuxbrew/etc/containers/ and /etc/containers/)?
  2. Why does /etc/containers/registries.conf work for user A but /etc/containers/storage.conf does not work for user ROOT?
  3. Running podman as user ROOT seems not to need the config files to be set; however, it actually needs them for a fresh podman installation with homebrew.

I think this may be some sort of bug.

Steps to reproduce the issue

  1. ubuntu 24 + homebrew install podman
  2. su -l root
  3. podman

Describe the results you received

# podman
Failed to obtain podman configuration: runroot must be set

Describe the results you expected

% podman
Manage pods, containers and images

Usage:
  podman [options] [command]

Available Commands:
  attach      Attach to a running container
  auto-update Auto update containers according to their auto-update policy
  build       Build an image using instructions from Containerfiles
  commit      Create new image based on the changed container
  compose     Run compose workloads via an external provider such as docker-compose or podman-compose
  container   Manage containers
  cp          Copy files/folders between a container and the local filesystem
  create      Create but do not start a container
  diff        Display the changes to the object's file system
  events      Show podman system events
  exec        Run a process in a running container
  export      Export container's filesystem contents as a tar archive
  farm        Farm out builds to remote machines
  generate    Generate structured data based on containers, pods or volumes
  healthcheck Manage health checks on containers
  help        Help about any command
  history     Show history of a specified image
  image       Manage images
  images      List images in local storage
  import      Import a tarball to create a filesystem image
  info        Display podman system information
  init        Initialize one or more containers
  inspect     Display the configuration of object denoted by ID
  kill        Kill one or more running containers with a specific signal
  kube        Play containers, pods or volumes from a structured file
  load        Load image(s) from a tar archive
  login       Log in to a container registry
  logout      Log out of a container registry
  logs        Fetch the logs of one or more containers
  machine     Manage a virtual machine
  manifest    Manipulate manifest lists and image indexes
  mount       Mount a working container's root filesystem
  network     Manage networks
  pause       Pause all the processes in one or more containers
  pod         Manage pods
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image from a registry
  push        Push an image to a specified destination
  rename      Rename an existing container
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Remove one or more images from local storage
  run         Run a command in a new container
  save        Save image(s) to an archive
  search      Search registry for image
  secret      Manage secrets
  start       Start one or more containers
  stats       Display a live stream of container resource usage statistics
  stop        Stop one or more containers
  system      Manage podman
  tag         Add an additional name to a local image
  top         Display the running processes of a container
  unmount     Unmount working container's root filesystem
  unpause     Unpause the processes in one or more containers
  unshare     Run a command in a modified user namespace
  untag       Remove a name from a local image
  update      Update an existing container
  version     Display the Podman version information
  volume      Manage volumes
  wait        Block on one or more containers

Options:
      --cgroup-manager string       Cgroup manager to use ("cgroupfs"|"systemd") (default "cgroupfs")
      --config string               Location of authentication config file
      --conmon string               Path of the conmon binary
  -c, --connection string           Connection to use for remote Podman service (CONTAINER_CONNECTION)
      --events-backend string       Events backend to use ("file"|"journald"|"none") (default "file")
      --help                        Help for podman
      --hooks-dir stringArray       Set the OCI hooks directory path (may be set multiple times) (default [/usr/share/containers/oci/hooks.d])
      --identity string             path to SSH identity file, (CONTAINER_SSHKEY)
      --imagestore string           Path to the 'image store', different from 'graph root', use this to split storing the image into a separate 'image store', see 'man containers-storage.conf' for details
      --log-level string            Log messages above specified level (trace, debug, info, warn, warning, error, fatal, panic) (default "warn")
      --module stringArray          Load the containers.conf(5) module
      --network-cmd-path string     Path to the command for configuring the network
      --network-config-dir string   Path of the configuration directory for networks
      --out string                  Send output (stdout) from podman to a file
  -r, --remote                      Access remote Podman service
      --root string                 Path to the graph root directory where images, containers, etc. are stored
      --runroot string              Path to the 'run directory' where all state information is stored
      --runtime string              Path to the OCI-compatible binary used to run containers. (default "crun")
      --runtime-flag stringArray    add global flags for the container runtime
      --ssh string                  define the ssh mode (default "golang")
      --storage-driver string       Select which storage driver is used to manage storage of images and containers
      --storage-opt stringArray     Used to pass an option to the storage driver
      --syslog                      Output logging information to syslog as well as the console (default false)
      --tmpdir string               Path to the tmp directory for libpod state content.

                                    Note: use the environment variable 'TMPDIR' to change the temporary storage location for container images, '/var/tmp'.
                                     (default "/tmp/storage-run-1000/libpod/tmp")
      --transient-store             Enable transient container storage
      --url string                  URL to access Podman service (CONTAINER_HOST) (default "unix:///tmp/storage-run-1000/podman/podman.sock")
  -v, --version                     version for podman
      --volumepath string           Path to the volume directory in which volume data is stored
Error: missing command 'podman COMMAND'

podman info output

❯ podman restart Nemo
Error: pasta failed with exit code 1:
Failed to bind port 6420 (Address already in use) for option '-t 6420-6420:22-22', exiting

❯ podman restart Nemo
Nemo
❯ podman info
host:
  arch: amd64
  buildahVersion: 1.38.1
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.10+ds1-1build2_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: unknown'
  cpuUtilization:
    idlePercent: 99.68
    systemPercent: 0.14
    userPercent: 0.18
  cpus: 32
  databaseBackend: sqlite
  distribution:
    codename: noble
    distribution: ubuntu
    version: "24.04"
  eventLogger: journald
  freeLocks: 2047
  hostname: sev-host
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1003
      size: 1
    - container_id: 1
      host_id: 296608
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1003
      size: 1
    - container_id: 1
      host_id: 296608
      size: 65536
  kernel: 6.8.0-52-generic
  linkmode: dynamic
  logDriver: journald
  memFree: 213867421696
  memTotal: 236234706944
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
      path: /home/linuxbrew/.linuxbrew/opt/podman/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: Unknown
    path: /home/linuxbrew/.linuxbrew/opt/podman/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: Unknown
    path: /home/linuxbrew/.linuxbrew/bin/crun
    version: |-
      crun version 1.20
      commit: 9c9a76ac11994701dd666c4f0b869ceffb599a66
      rundir: /run/user/1003/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: /home/linuxbrew/.linuxbrew/bin/pasta
    package: Unknown
    version: |
      pasta 2025_01_21.4f2c8e7
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1003/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /home/linuxbrew/.linuxbrew/bin/slirp4netns
    package: Unknown
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.9.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.6.0
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 3h 58m 8.00s (Approximately 0.12 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/nemo/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/nemo/.local/share/containers/storage
  graphRootAllocated: 1966736678912
  graphRootUsed: 846260113408
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 28
  runRoot: /run/user/1003/containers
  transientStore: false
  volumePath: /home/nemo/.local/share/containers/storage/volumes
version:
  APIVersion: 5.3.2
  Built: 1737484894
  BuiltTime: Wed Jan 22 02:41:34 2025
  GitCommit: 85043bb1a3818102194afa82845cb63841067c9c-dirty
  GoVersion: go1.23.5
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.2

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

NemoTR added the kind/bug label Feb 8, 2025

Luap99 (Member) commented Feb 10, 2025

/home/linuxbrew/.linuxbrew/etc/containers/storage.conf

This is not a path upstream ever uses, so it is something that is patched by homebrew, so I suggest you open an issue with them and ask them how they handle the config files.

Luap99 closed this as not planned Feb 10, 2025
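
For anyone debugging the same symptom, a read-only check of which of the storage.conf files named in this thread exist and whether each sets runroot in its [storage] table. This is an added example, not part of the original issue and not podman or Homebrew code; the candidate list is taken from the paths quoted above and implies nothing about which files a given build reads or in what order.

```shell
#!/bin/sh
# Added diagnostic example; not podman or Homebrew code.
# The candidate paths are the ones named in this issue. Listing them here
# implies nothing about which files a given podman build actually reads.

# Print the runroot value from the [storage] table of one storage.conf.
# Prints nothing when the key is absent or sits in another table.
runroot_of() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                            # table header
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            in_storage = ($0 == "[storage]")
            next
        }
        in_storage && /^[ \t]*runroot[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")             # drop key and equals sign
            sub(/[ \t]*(#.*)?$/, "")             # drop trailing comment
            gsub(/^"|"$/, "")                    # strip surrounding quotes
            print
            exit
        }
    ' "$1"
}

# One status line per candidate file.
report() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f: missing or not readable"
        else
            v=$(runroot_of "$f")
            echo "$f: runroot=${v:-<unset>}"
        fi
    done
}

report /etc/containers/storage.conf \
       /home/linuxbrew/.linuxbrew/etc/containers/storage.conf \
       "${HOME}/.config/containers/storage.conf"
```

Run it once as the affected user and once as root, since the last candidate depends on HOME.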