[macos] podman build fails with potentially insufficient UIDs or GIDs available in user namespace #11474

Closed
gregorsoll opened this issue Sep 3, 2021 · 11 comments · Fixed by #11473
Labels
locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@gregorsoll

I installed the latest podman on macOS 11.5.2 (20G95).
Each build fails with
potentially insufficient UIDs or GIDs available in user namespace....

Steps to reproduce the issue:

  1. brew install podman

  2. podman build .

    Dockerfile:
    from alpine
    WORKDIR /app

Describe the results you received:
Error: potentially insufficient UIDs or GIDs available in user namespace (requested 60593705:1664186505 for /var/tmp/libpod_builder763932776/build/Dockerfile): Check /etc/subuid and /etc/subgid: lchown /var/tmp/libpod_builder763932776/build/Dockerfile: invalid argument

Output of podman version if reporting a podman build issue:
podman version
Client:
Version: 3.3.1
API Version: 3.3.1
Go Version: go1.17
Built: Mon Aug 30 21:15:26 2021
OS/Arch: darwin/amd64

Server:
Version: 3.3.0
API Version: 3.3.0
Go Version: go1.16.6
Built: Fri Aug 20 21:36:14 2021
OS/Arch: linux/amd64

Output of uname -a:
Darwin CLDV1007.local 20.6.0 Darwin Kernel Version 20.6.0: Wed Jun 23 00:26:31 PDT 2021; root:xnu-7195.141.2~5/RELEASE_X86_64 x86_64

@flouthoc
Collaborator

flouthoc commented Sep 4, 2021

Could you please share the contents of cat /etc/subuid and cat /etc/subgid? I think it has a very small range.

@gregorsoll
Author

cat /etc/subuid
core:110000:1700000000

cat /etc/subgid
core:110000:1700000000

I've tested with several settings .. but no luck

@flouthoc
Collaborator

flouthoc commented Sep 6, 2021

Sorry, since this is podman-remote we need to check mappings via podman info.

@flouthoc
Collaborator

flouthoc commented Sep 6, 2021

Could you paste the output of podman info? Also, I think this issue should be tracked in the podman repo, not the buildah repo, but that's not a big issue.

@flouthoc
Collaborator

flouthoc commented Sep 6, 2021

You need to check the values of /etc/subuid and /etc/subgid inside the remote; you can use podman machine ssh to access the remote machine.

@scholarsmate

I'm having the same problem as the original poster on macOS Big Sur v11.5.2.

sudo podman build -t ctcoss/fapolicy-analyzer -f Dockerfile ../..
Error: potentially insufficient UIDs or GIDs available in user namespace (requested 52991795:1294707396 for /var/tmp/libpod_builder044472422/build/.dockerignore): Check /etc/subuid and /etc/subgid: lchown /var/tmp/libpod_builder044472422/build/.dockerignore: invalid argument
% podman info

host:
  arch: amd64
  buildahVersion: 1.22.3
  cgroupControllers: []
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.29-2.fc34.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: '
  cpus: 1
  distribution:
    distribution: fedora
    version: "34"
  eventLogger: journald
  hostname: localhost
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.13.13-200.fc34.x86_64
  linkmode: dynamic
  memFree: 1620008960
  memTotal: 2061852672
  ociRuntime:
    name: crun
    package: crun-1.0-1.fc34.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.0
      commit: 139dc6971e2f1d931af520188763e984d6cdfbf8
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.12-2.fc34.x86_64
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 0
  swapTotal: 0
  uptime: 9m 38.36s
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 0
  runRoot: /run/user/1000/containers
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 3.3.1
  Built: 1630356396
  BuiltTime: Mon Aug 30 20:46:36 2021
  GitCommit: ""
  GoVersion: go1.16.6
  OsArch: linux/amd64
  Version: 3.3.1
% podman machine ssh

Connecting to vm podman-machine-default. To close connection, use `~.` or `exit`
Warning: Permanently added '[localhost]:51342' (ECDSA) to the list of known hosts.
Fedora CoreOS 34.20210904.1.0
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/c/server/coreos/

[core@localhost ~]$ cat /etc/subuid
core:100000:65536
[core@localhost ~]$ cat /etc/subgid
core:100000:65536
[core@localhost ~]$

Hope it helps.

@nalind
Member

nalind commented Sep 7, 2021

@gregorso, on your macOS host, can you run id? I'm guessing that 60593705:1664186505 will be your UID and primary GID.

If that's the case, then nTar probably needs to force the UID and GID in the tar headers that it generates to both be 0. The ADD and COPY instructions are already documented as creating everything owned by 0:0, so the information we'd be throwing away would already have been discarded later.
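
An added illustration of the diagnosis above, not code from the thread or from podman/buildah: it checks the UID:GID from the reported error against the idMappings shown in the podman info output, then zeroes the owner in a constructed tar header. The IDMap type and the mappable and normalizeOwner helpers are hypothetical names introduced for this example.

```go
package main

import (
	"archive/tar"
	"fmt"
)

// IDMap is one idMappings entry as printed by `podman info`
// (hypothetical type for this example, not podman's own).
type IDMap struct{ ContainerID, HostID, Size int }

// mappable reports whether id, as seen inside the user namespace, falls
// inside any mapped range. chown to an unmapped ID is rejected, which
// surfaces as "lchown ...: invalid argument".
func mappable(id int, maps []IDMap) bool {
	for _, m := range maps {
		if id >= m.ContainerID && id < m.ContainerID+m.Size {
			return true
		}
	}
	return false
}

// normalizeOwner returns a copy of hdr owned by 0:0, the ownership that
// ADD and COPY are documented to produce anyway.
func normalizeOwner(hdr tar.Header) tar.Header {
	hdr.Uid, hdr.Gid = 0, 0
	hdr.Uname, hdr.Gname = "", ""
	return hdr
}

func main() {
	// Mapping copied from the `podman info` output in this thread.
	maps := []IDMap{{0, 1000, 1}, {1, 100000, 65536}}
	// Constructed header using the UID:GID from the reported error.
	hdr := tar.Header{Name: "Dockerfile", Uid: 60593705, Gid: 1664186505}
	fmt.Println("as sent:   ", mappable(hdr.Uid, maps), mappable(hdr.Gid, maps))
	fixed := normalizeOwner(hdr)
	fmt.Println("normalized:", mappable(fixed.Uid, maps), mappable(fixed.Gid, maps))
}
```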

@scholarsmate

 % id
uid=52991795(scholarsmate) gid=1294707396(XXX\Domain Users) ...

@gregorsoll
Author

podman info
host:
  arch: amd64
  buildahVersion: 1.22.3
  cgroupControllers: []
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.29-2.fc34.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: '
  cpus: 1
  distribution:
    distribution: fedora
    version: "34"
  eventLogger: journald
  hostname: localhost
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.13.12-200.fc34.x86_64
  linkmode: dynamic
  memFree: 1624592384
  memTotal: 2061852672
  ociRuntime:
    name: crun
    package: crun-0.21-1.fc34.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.21
      commit: c4c3cdf2ce408ed44a9e027c618473e6485c635b
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.9-1.fc34.x86_64
    version: |-
      slirp4netns version 1.1.8+dev
      commit: 6dc0186e020232ae1a6fcc1f7afbc3ea02fd3876
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 0
  swapTotal: 0
  uptime: 12.25s
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 5
  runRoot: /run/user/1000/containers
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 3.3.0
  Built: 1629488174
  BuiltTime: Fri Aug 20 19:36:14 2021
  GitCommit: ""
  GoVersion: go1.16.6
  OsArch: linux/amd64
  Version: 3.3.0

@gregorsoll
Author

gregorsoll commented Sep 8, 2021

id -a
uid=60593705(me) gid=1664186505

@nalind
Member

nalind commented Sep 8, 2021

@gregorso, @scholarsmate thanks! That matches what I thought was going on. #11473 should fix this, then.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023