Container Tools / RUN-2773

[containers/podman] Invalid error message printed when combining --hostuser and --user with group specified

    • rhel-container-tools

      [2974578255] Upstream Reporter: fice-t
      Upstream issue status: Closed
      Upstream description:

      Issue Description

      An invalid error message is printed when using --hostuser <USER> --user <USER>:<GROUP> in some circumstances.

      Steps to reproduce the issue

      • Case A: USER=$(id -un); podman run --hostuser $USER --user $USER:$USER alpine
      • Case B: USER=$(id -un); podman run --hostuser $USER --user $USER:$(id -u) alpine

      Describe the results you received

      • Case A: Error: unable to find user <USER>: no matching entries in passwd file
      • Case B: Error: unable to find user <USER>: no matching entries in passwd file

      Describe the results you expected

      • Case A: Proper error message printed: Error: unable to find group <GROUP>: no matching entries in group file. It would be even better if this actually worked, and the documentation for --group-entry seems to suggest it should (it mentions --user adding to /etc/group, which does not occur for me). However, it appears these options may change in the future (#18903)?
      • Case B: I don't see a reason why this shouldn't be valid. Is it not conceptually the same as just using --hostuser $USER --user $USER?

      podman info output

      host:
        arch: amd64
        buildahVersion: 1.39.0
        cgroupControllers:
        - cpu
        - io
        - memory
        - pids
        cgroupManager: systemd
        cgroupVersion: v2
        conmon:
          package: conmon-2.1.12-2.fc40.x86_64
          path: /usr/bin/conmon
          version: 'conmon version 2.1.12, commit: '
        cpuUtilization:
          idlePercent: 98.99
          systemPercent: 0.26
          userPercent: 0.75
        cpus: 16
        databaseBackend: sqlite
        distribution:
          distribution: fedora
          variant: kde
          version: "40"
        eventLogger: journald
        freeLocks: 1994
        hostname: auraboros
        idMappings:
          gidmap:
          - container_id: 0
            host_id: 1000
            size: 1
          - container_id: 1
            host_id: 524288
            size: 65536
          uidmap:
          - container_id: 0
            host_id: 1000
            size: 1
          - container_id: 1
            host_id: 524288
            size: 65536
        kernel: 6.13.9-100.fc40.x86_64
        linkmode: dynamic
        logDriver: journald
        memFree: 7711801344
        memTotal: 16483213312
        networkBackend: netavark
        networkBackendInfo:
          backend: netavark
          dns:
            package: aardvark-dns-1.14.0-1.fc40.x86_64
            path: /usr/libexec/podman/aardvark-dns
            version: aardvark-dns 1.14.0
          package: netavark-1.14.1-1.fc40.x86_64
          path: /usr/libexec/podman/netavark
          version: netavark 1.14.1
        ociRuntime:
          name: crun
          package: crun-1.20-2.fc40.x86_64
          path: /usr/bin/crun
          version: |-
            crun version 1.20
            commit: 9c9a76ac11994701dd666c4f0b869ceffb599a66
            rundir: /run/user/1000/crun
            spec: 1.0.0
            +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
        os: linux
        pasta:
          executable: /usr/bin/pasta
          package: passt-0^20250217.ga1e48a0-2.fc40.x86_64
          version: ""
        remoteSocket:
          exists: true
          path: /run/user/1000/podman/podman.sock
        rootlessNetworkCmd: pasta
        security:
          apparmorEnabled: false
          capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
          rootless: true
          seccompEnabled: true
          seccompProfilePath: /usr/share/containers/seccomp.json
          selinuxEnabled: true
        serviceIsRemote: false
        slirp4netns:
          executable: ""
          package: ""
          version: ""
        swapFree: 8589930496
        swapTotal: 8589930496
        uptime: 5h 0m 4.00s (Approximately 0.21 days)
        variant: ""
      plugins:
        authorization: null
        log:
        - k8s-file
        - none
        - passthrough
        - journald
        network:
        - bridge
        - macvlan
        - ipvlan
        volume:
        - local
      registries:
        search:
        - registry.fedoraproject.org
        - registry.access.redhat.com
        - docker.io
      store:
        configFile: /home/alex/.config/containers/storage.conf
        containerStore:
          number: 54
          paused: 0
          running: 2
          stopped: 52
        graphDriverName: overlay
        graphOptions: {}
        graphRoot: /home/alex/.local/share/containers/storage
        graphRootAllocated: 321048805376
        graphRootUsed: 8791478272
        graphStatus:
          Backing Filesystem: btrfs
          Native Overlay Diff: "true"
          Supports d_type: "true"
          Supports shifting: "false"
          Supports volatile: "true"
          Using metacopy: "false"
        imageCopyTmpDir: /var/tmp
        imageStore:
          number: 23
        runRoot: /run/user/1000/containers
        transientStore: false
        volumePath: /home/alex/.local/share/containers/storage/volumes
      version:
        APIVersion: 5.4.0
        BuildOrigin: Fedora Project
        Built: 1739232000
        BuiltTime: Mon Feb 10 18:00:00 2025
        GitCommit: ""
        GoVersion: go1.22.11
        Os: linux
        OsArch: linux/amd64
        Version: 5.4.0
      

      Podman in a container

      No

      Privileged Or Rootless

      None

      Upstream Latest Release

      Yes

      Additional environment details

      No response

      Additional information

      The error messages come from this vendor package, which is shared by Docker. I tried to reproduce in Docker as close as possible (user present in /etc/passwd, but group missing in /etc/group), and the expected error messages were displayed. Unfortunately it does not have an equivalent for --hostuser for testing purposes.


      Upstream URL: https://github.com/containers/podman/issues/25805
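
The behaviour the report asks for, as an added Go example (not code from Podman or from the vendored package the report mentions): resolving `user[:group]` so that the error names the file that was actually searched. The helper names `find`, `resolveID` and `resolve` are hypothetical, the passwd and group contents are constructed, and accepting a numeric ID that has no entry is an assumption matching what Case B expects.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)
// Constructed sample files: user "alex" exists, but no group named "alex" does.
const samplePasswd = "root:x:0:0:root:/root:/bin/sh\nalex:x:1000:1000::/home/alex:/bin/sh\n"
const sampleGroup = "root:x:0:\nwheel:x:10:alex\n"

// find returns the fields of the first entry whose name or numeric ID equals key.
func find(file, key string) []string {
	for _, line := range strings.Split(strings.TrimSpace(file), "\n") {
		if f := strings.Split(line, ":"); len(f) >= 3 && (f[0] == key || f[2] == key) {
			return f
		}
	}
	return nil
}

// resolveID (hypothetical helper) names the file that was actually searched.
func resolveID(file, key, kind, src string) (int, error) {
	if f := find(file, key); f != nil {
		return strconv.Atoi(f[2])
	}
	if id, err := strconv.Atoi(key); err == nil {
		return id, nil // assumption: a numeric ID needs no entry (Case B)
	}
	return 0, fmt.Errorf("unable to find %s %s: no matching entries in %s file", kind, key, src)
}

// resolve (hypothetical helper) maps "user[:group]" to a uid and gid.
func resolve(spec, passwd, group string) (uid, gid int, err error) {
	u, g, hasGroup := strings.Cut(spec, ":")
	if uid, err = resolveID(passwd, u, "user", "passwd"); err != nil {
		return 0, 0, err
	}
	if hasGroup {
		gid, err = resolveID(group, g, "group", "group")
	} else if f := find(passwd, u); len(f) > 3 {
		gid, err = strconv.Atoi(f[3]) // primary group from the passwd entry
	}
	return uid, gid, err
}

func main() {
	fmt.Println(resolve("alex:alex", samplePasswd, sampleGroup)) // Case A
	fmt.Println(resolve("alex:1000", samplePasswd, sampleGroup)) // Case B
}
```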
