unshare() EPERM
The documentation suggests that skopeo does not require privileges, but I am unable to make it work with my rootless podman installation:
hanwen@hanwen-flow:~/vc/containers/skopeo$ ./bin/skopeo copy containers-storage:bla oci:/tmp/dest
Error during unshare(...): Operation not permitted
hanwen@hanwen-flow:~/vc/containers/skopeo$ uname -a
Linux hanwen-flow 6.8.0-55-generic #57-Ubuntu SMP PREEMPT_DYNAMIC Wed Feb 12 23:42:21 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
hanwen@hanwen-flow:~/vc/containers/skopeo$ git rev-parse HEAD
ecdf380b0c1790d2d9436cbbeacf8fe7bd569940
Thanks for your report!
Uses of containers-storage: should require similar privileges to Podman itself. Are you running Skopeo inside a Podman container, or do you mean that rootless Podman works and Skopeo, in the same environment, doesn’t?
Cc: @giuseppe
Rootless podman works, skopeo doesn't:
hanwen@hanwen-flow:~/vc/containers/skopeo$ podman run fedora:41 bash -c 'whoami'
root
hanwen@hanwen-flow:~/vc/containers/skopeo$ ./bin/skopeo copy containers-storage:foo oci:/tmp/x
Error during unshare(...): Operation not permitted
hanwen@hanwen-flow:~/vc/containers/skopeo$ /usr/bin/skopeo copy containers-storage:foo oci:/tmp/x
Error during unshare(...): Operation not permitted
This is on Ubuntu 24.
Is Ubuntu blocking user namespaces? The same command you've provided works fine for me on Fedora.
Thanks for your reply! userns'es are enabled, but there is an AppArmor somethingsomething that also needs to be satisfied:
$ sudo sysctl -a|grep user.*ns
fs.inotify.max_user_instances = 128
kernel.apparmor_restrict_unprivileged_userns = 1
kernel.apparmor_restrict_unprivileged_userns_complain = 0
kernel.apparmor_restrict_unprivileged_userns_force = 0
kernel.unprivileged_userns_apparmor_policy = 1
kernel.unprivileged_userns_clone = 1
user.max_inotify_instances = 128
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 did the trick.
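The sysctl output above shows the two knobs that matter: `kernel.unprivileged_userns_clone=1` means the kernel allows unprivileged user namespaces, while `kernel.apparmor_restrict_unprivileged_userns=1` makes AppArmor turn `unshare(CLONE_NEWUSER)` into EPERM for any binary that is not covered by a profile granting `userns`. That is why a packaged podman can work while a freshly built `./bin/skopeo` fails. The script below is an added example, not part of this issue or of the skopeo project: it reads both knobs, probes `unshare -U`, classifies the result, and, instead of flipping the sysctl off globally, prints a per-binary AppArmor profile using the `flags=(unconfined)` plus `userns,` pattern that Ubuntu documents for exactly this case. The profile name `skopeo`, the default binary path `/usr/bin/skopeo`, and the claim that loading such a profile is sufficient for this machine are my assumptions.

```shell
#!/bin/sh
# Diagnose "Error during unshare(...): Operation not permitted" for an
# unprivileged binary on Ubuntu 24.04 and print the least-invasive fix.
# Added example; not code from the skopeo project or the issue above.

# Read one sysctl via /proc/sys; print "absent" if this kernel lacks it.
read_sysctl() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Succeeds (exit 0) only if this shell can create a user namespace right now.
userns_works() {
    unshare -U true 2>/dev/null
}

# Pure classification so it can be tested with constructed values.
#   $1 = kernel.unprivileged_userns_clone            (1 / 0 / absent)
#   $2 = kernel.apparmor_restrict_unprivileged_userns (1 / 0 / absent)
#   $3 = did `unshare -U true` succeed?               (yes / no)
classify() {
    if [ "$1" = 0 ]; then
        echo userns-disabled        # kernel-wide block, nothing AppArmor can fix
    elif [ "$3" = yes ]; then
        echo ok                     # unshare works; the problem is elsewhere
    elif [ "$2" = 1 ]; then
        echo apparmor-restricted    # EPERM for binaries without a userns profile
    else
        echo unknown                # neither knob explains the failure
    fi
}

# Emit an AppArmor profile granting only the userns permission to one binary.
# Pattern as documented by Ubuntu for its userns restriction (assumption: the
# target system's apparmor_parser understands abi 4.0 and the userns rule).
#   $1 = profile name, $2 = absolute path of the binary the profile attaches to
apparmor_userns_profile() {
    cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $1 $2 flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$1>
}
EOF
}

main() {
    bin=${1:-/usr/bin/skopeo}     # hypothetical default; pass ./bin/skopeo for a local build
    clone=$(read_sysctl kernel.unprivileged_userns_clone)
    restrict=$(read_sysctl kernel.apparmor_restrict_unprivileged_userns)
    if userns_works; then works=yes; else works=no; fi
    verdict=$(classify "$clone" "$restrict" "$works")
    echo "unprivileged_userns_clone=$clone apparmor_restrict_unprivileged_userns=$restrict unshare-U=$works -> $verdict"
    case $verdict in
    apparmor-restricted)
        echo "# Per-binary fix instead of 'sysctl -w kernel.apparmor_restrict_unprivileged_userns=0':"
        echo "# save the profile below as /etc/apparmor.d/skopeo, then: sudo apparmor_parser -r /etc/apparmor.d/skopeo"
        apparmor_userns_profile skopeo "$bin"
        ;;
    userns-disabled)
        echo "# set kernel.unprivileged_userns_clone=1 first; AppArmor is not the blocker here"
        ;;
    esac
}

main "$@"
```

AppArmor attaches profiles by executable path, so a locally built `./bin/skopeo` needs the profile written for that absolute path (or needs to be installed to the path in the profile); the packaged binary and the build-tree binary do not share one. Disabling `kernel.apparmor_restrict_unprivileged_userns` globally, as in the comment above, also works, but it re-opens unprivileged user namespaces for every binary on the host rather than for the one that needs them.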