
`USE_PODMAN=1 make dev` fails with error 2

Open deeplow opened this issue 1 year ago • 2 comments

Here's some truncated part of the output of `USE_PODMAN=1 make dev`:

```
[...]

Exposed services will be available on localhost at
Source interface: http://127.0.0.1:8080
Journalist interface: http://127.0.0.1:8081
************************************************************
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
Unable to replace /dev/random
Starting to build Rust code
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.25s
Copying libredwood.so into package

[...]
Successfully installed redwood-0.1.0
WARNING: You are using pip version 21.1.1; however, version 24.1.2 is available.
You should consider upgrading via the '/opt/venvs/securedrop-app-code/bin/python3 -m pip install --upgrade pip' command.
███ Generating securedrop/config.py...

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
make: *** [Makefile:250: dev] Error 1
```

This happened to me on debian-12 standalone on Qubes. Then I installed make and podman and ran `USE_PODMAN=1 make dev`.

Please note that the suid complaint appears at various stages in the output and not just at the end.

Originally posted by @deeplow in https://github.com/freedomofpress/securedrop/issues/7163#issuecomment-2236251067

deeplow, Sep 25 '24 09:09

Hitting the same issue on a Debian AppVM with Podman, at the same step as in the output above. @deeplow were you ever able to find a workaround?

eloquence, Jul 28 '25 17:07

The only way I was able to quickly get it to start up was to do two inadvisable things: 1) run it as root, 2) ditch the `--userns=keep-id`. Neither of these is a good idea. :)

If I interpret the output above and of `findmnt` correctly, the issue is that Qubes uses `nosuid` on `/home`. This suggests to me that rootless podman on Qubes might need its own volume to be happy. Curious what Kunal makes of this issue.

eloquence, Jul 28 '25 19:07
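
One way to check the `nosuid` reading from the last comment, as an added example that is not part of the thread or the SecureDrop repository: it looks up the mount options of the filesystem that holds rootless Podman's storage. The function names are hypothetical, and the fallback path assumes Podman's default rootless storage location.

```shell
#!/bin/sh
# Added diagnostic, not from the SecureDrop repository. Function names are
# hypothetical. Reports whether rootless Podman's storage sits on a nosuid mount.

# has_nosuid OPTS: succeed if the comma-separated mount options include nosuid.
has_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# storage_root: print Podman's graph root; fall back to the default rootless
# location (an assumption) when podman is missing or cannot be queried.
storage_root() {
    root=""
    if command -v podman >/dev/null 2>&1; then
        root=$(podman info --format '{{.Store.GraphRoot}}' 2>/dev/null) || root=""
    fi
    printf '%s\n' "${root:-${XDG_DATA_HOME:-$HOME/.local/share}/containers/storage}"
}

# nearest_existing PATH: print PATH or its closest ancestor that exists.
nearest_existing() {
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ] && [ ! -e "$p" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# check_path PATH: print a verdict; return 0 = suid allowed, 1 = nosuid, 2 = unknown.
check_path() {
    target=$(nearest_existing "$1")
    if ! command -v findmnt >/dev/null 2>&1; then
        echo "unknown: findmnt not available"; return 2
    fi
    opts=$(findmnt -n -o OPTIONS --target "$target" 2>/dev/null) || {
        echo "unknown: no mount found for $target"; return 2
    }
    if has_nosuid "$opts"; then
        echo "nosuid: $target is mounted with $opts"; return 1
    fi
    echo "suid allowed: $target is mounted with $opts"
}

check_path "$(storage_root)" || true
```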