I know Incus runs rootless containers, so this is a bit superfluous, but I'm trying to run rootless Podman containers from inside an Incus system container and I've hit an issue. I get this error when I try podman run as non-root:
cannot clone: Permission denied
Error: cannot re-exec process
If I run podman info with debug, I get:
podman info --log-level=DEBUG
...
DEBU[0000] Using OCI runtime "/usr/bin/crun"
DEBU[0000] systemd-logind: Unknown object '/'.
DEBU[0000] Invalid systemd user session for current user
cannot clone: Permission denied
Error: cannot re-exec process
DEBU[0000] Shutting down engines
So it seems to be an issue relating to a systemd session. From what I can see, my user does have a session:
$ env | grep XDG
XDG_SESSION_TYPE=tty
XDG_SESSION_CLASS=user
XDG_SESSION_ID=c8
XDG_RUNTIME_DIR=/run/user/1000
$ sudo loginctl
SESSION UID USER SEAT TTY STATE IDLE SINCE
c2 1000 ubuntu - pts/1 active no -
1 sessions listed.
My versions are:
- Incus host OS version: Ubuntu 24.04.2 LTS
- Incus version: 6.12
- Incus Ubuntu system container version: ubuntu/24.04/cloud (24.04.2 LTS)
- Podman version: 4.9.3
The steps to reproduce are:
1) Create Incus system container and enable security.nesting for running containers inside of system containers (as per Incus docs)
$ incus init images:ubuntu/24.04/cloud scratcher -d eth0,ipv4.address=172.30.10.13
$ incus config set scratcher security.nesting true
$ incus start scratcher
2) Exec to the Incus system container with a login session
$ incus exec scratcher -- sudo --login --user ubuntu
$ sudo apt update && sudo apt upgrade -y
3) Install and configure Podman as per the Podman docs
$ sudo apt install podman -y
$ sudo usermod --add-subuids 165536-231072 --add-subgids 165536-231072 ubuntu
4) Run a rootful container - it works
$ sudo podman run --rm docker.io/hello-world | head -n3
Hello from Docker!
This message shows that your installation appears to be working correctly.
5) Run a rootless container - it fails
$ podman run --rm docker.io/hello-world
cannot clone: Permission denied
Error: cannot re-exec process
Please, I'd really like to know what is causing the issue, and whether there is a solution.
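For anyone triaging the same "cannot clone: Permission denied" from rootless Podman inside a system container, the following script is an added example, not part of the post above and not from the Podman or Incus projects. It does not identify the poster's root cause; it only checks the documented rootless prerequisites in one pass (at least 65536 subordinate UIDs and GIDs for the user, the user-namespace sysctls, and a writable runtime directory) plus one Ubuntu 24.04 setting, kernel.apparmor_restrict_unprivileged_userns, which is reported as a warning rather than a failure. Inside an Incus container the /proc/sys values come from the kernel shared with the host. All file paths are parameters, so the checks can also be run against constructed files.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post: checks the standard
# prerequisites for rootless Podman (subordinate ID ranges, user-namespace
# sysctls, the runtime directory) and reports each one. Every input is a
# path parameter so the same functions can read the real /etc and /proc
# files or constructed test files.

# subid_total FILE USER: total number of subordinate IDs allotted to USER in
# a /etc/subuid- or /etc/subgid-style file (lines are "user:start:count").
subid_total() {
    [ -r "$1" ] || { printf '0\n'; return 0; }
    awk -F: -v u="$2" '$1 == u { total += $3 } END { print total + 0 }' "$1"
}

# sysctl_value FILE: the value in a /proc/sys file, or "absent" when the
# kernel does not expose that knob at all.
sysctl_value() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else printf 'absent'; fi
}

# check_rootless_prereqs USER SUBUID SUBGID USERNS_CLONE MAX_USERNS APPARMOR_USERNS RUNTIME_DIR
# Prints one PASS/FAIL/WARN line per check; returns the number of FAILs.
check_rootless_prereqs() {
    user=$1 subuid=$2 subgid=$3 userns_clone=$4 max_userns=$5
    apparmor_userns=$6 runtime_dir=$7
    failures=0

    # Podman wants at least 65536 subordinate UIDs and GIDs for the user.
    for kind in uid gid; do
        if [ "$kind" = uid ]; then f=$subuid; else f=$subgid; fi
        n=$(subid_total "$f" "$user")
        if [ "$n" -ge 65536 ]; then
            echo "PASS sub${kind}s for $user: $n"
        else
            echo "FAIL sub${kind}s for $user: $n (need >= 65536)"
            failures=$((failures + 1))
        fi
    done

    # Debian/Ubuntu-specific knob; missing on kernels without it, which is fine.
    v=$(sysctl_value "$userns_clone")
    if [ "$v" = absent ] || [ "$v" = 1 ]; then
        echo "PASS kernel.unprivileged_userns_clone: $v"
    else
        echo "FAIL kernel.unprivileged_userns_clone: $v (need 1)"
        failures=$((failures + 1))
    fi

    # A limit of 0 makes every unprivileged clone(CLONE_NEWUSER) fail.
    v=$(sysctl_value "$max_userns")
    if [ "$v" = absent ] || [ "$v" -gt 0 ]; then
        echo "PASS user.max_user_namespaces: $v"
    else
        echo "FAIL user.max_user_namespaces: $v (need > 0)"
        failures=$((failures + 1))
    fi

    # Ubuntu 24.04 ships kernel.apparmor_restrict_unprivileged_userns=1, which
    # limits user-namespace creation to programs whose AppArmor profile allows
    # it. Reported as a warning only, since a profile may already cover podman.
    v=$(sysctl_value "$apparmor_userns")
    if [ "$v" = 1 ]; then
        echo "WARN kernel.apparmor_restrict_unprivileged_userns: 1 (check AppArmor profiles)"
    else
        echo "PASS kernel.apparmor_restrict_unprivileged_userns: $v"
    fi

    # Podman keeps its rootless state under XDG_RUNTIME_DIR; it must be writable.
    if [ -d "$runtime_dir" ] && [ -w "$runtime_dir" ]; then
        echo "PASS runtime dir $runtime_dir is writable"
    else
        echo "FAIL runtime dir $runtime_dir missing or not writable"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Run against the live system when invoked as: sh check.sh run
if [ "${1:-}" = run ]; then
    check_rootless_prereqs "$(id -un)" /etc/subuid /etc/subgid \
        /proc/sys/kernel/unprivileged_userns_clone \
        /proc/sys/user/max_user_namespaces \
        /proc/sys/kernel/apparmor_restrict_unprivileged_userns \
        "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
fi
```

Run it as the unprivileged user inside the system container (`sh check.sh run`); the exit status is the number of failed checks, so it can be used from a provisioning script as well as read by hand. A clean PASS on every line means the failure lies somewhere the script does not look (for example in the OCI runtime or the nesting configuration), which narrows the search.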