
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
0 answers
14 views
podman ps takes a long time (5+ minutes) to detect a killed container & its 'conmon' OCI runtime wrapper, can it be tweaked to be more responsive?
I am running podman version 5.4.0 on Rocky Linux 9.6. I notice that when a container is killed along with its 'conmon' OCI runtime wrapper, say by issuing a kill -9, the podman ps command does not detect the dead container for a good 5 minutes+. In the intervening time, the command lists the container as being up even as other commands like podman stats, podman exec all fail pointing correctly to the container as being dead in the error message!
$ podman ps -a | grep kafka
7fd65b99d2a0 localhost/****/cp-kafka:*.*.* /etc/confluent/do... 39 hours ago Up 37 hours 9092/tcp kafka
$ podman exec -it 7fd65b99d2a0 bash
Error: OCI runtime error: crun: the container 7fd65b99d2a06252078fc85d3c9832d4c1410e0d185bb9cde08c6641aca31334 is not running
$ podman stats 7fd65b99d2a0
Error: cannot get cgroup path unless container 7fd65b99d2a06252078fc85d3c9832d4c1410e0d185bb9cde08c6641aca31334 is running: container is stopped
I understand the parent runtime monitor is also killed but I am not sure if that justifies reporting an incorrect status in the podman ps command. Is that the expected behavior? Can this be tweaked in some way to be more responsive?
lmk (101 rep)
Aug 5, 2025, 09:52 PM • Last activity: Aug 6, 2025, 03:41 PM
4 votes
1 answers
390 views
On Debian, XFS, I can edit a file of another user with permissions 644 without ACL
Today, to my surprise, I have noticed that I may delete a file that was created by a user with UID 100024 while being logged in to my normal user (UID 1000) shell. The UID 100024 is a subuid, it is how the user inside the rootless podman container looks in top processes, also in ls -l output. The cat /etc/subuid out is myuser:100000:65536, same for the subgid. The sudo sysctl kernel.unprivileged_userns_clone out is kernel.unprivileged_userns_clone = 1. The getfacl /the/file shows
user::rw-
group::r--
other::r--
The grep CONFIG_USER_NS /boot/config-$(uname -r) out is CONFIG_USER_NS=y. To an even bigger surprise, I was able to edit a file created by UID 1000 user in the volume mapped folder, from inside the container! The file had 644 permissions and was owned by nobody:nogroup. I'm pretty sure I could not do these operations in the past. Has anything happened to my 6.1.0-32-amd64 Debian? The filesystem is xfs. ls -hal for the directory returns:
drwxrwxr-x+ 12 pod_yt      root        4.0K Jul 19 17:09 name_of_the_dir
and the getfacl for the dir returns
user::rwx
user:myuser:rwx
user:name_of_the_user_for_uid_100024:rwx
group::r-x
mask::rwx
other::r-x
Václav (153 rep)
Jul 29, 2025, 02:14 PM • Last activity: Jul 30, 2025, 03:40 PM
1 votes
1 answers
33 views
How to control podman's images with git?
We are using podman's containers for the project. The issue we have is that while working on different branches of the project we need slightly different containers. So each git branch has its own container building script. But the images for these containers are not under git's control. So after each git switch we need to rebuild containers, which can take a few minutes each time. Is there a way to *conveniently* put podman's images under git's control? Is there a how-to for this somewhere in podman's documentation? How is it solved (if it is solved) in other container systems?
White Owl (5267 rep)
Jul 23, 2025, 05:27 PM • Last activity: Jul 24, 2025, 02:08 PM
10 votes
2 answers
4995 views
How to switch systemd user/shell on remote server without logging in again via ssh?
This is a remote machine with SSH access and systemd. I basically have this error when I try to run systemd user commands:
$ systemctl --user status
Failed to connect to bus: $DBUS_SESSION_BUS_ADDRESS and $XDG_RUNTIME_DIR not defined (consider using --machine=@.host --user to connect to bus of other user)
While [other answers suggest to just set or "fake" the requested variables](https://askubuntu.com/a/1121053/606016) IMHO, this is not a proper solution.
The problem is basically that I logged in as one user (I use as a system admin) [and I did switch the user via su](https://unix.stackexchange.com/a/615964/146739). As such, it's very much understandable systemd does not have a clue what user I'm running here… So I understand it is confused.
Note while for systemd services [maybe using the system bus](https://unix.stackexchange.com/a/616636/146739) is maybe the better idea altogether. However, for experimenting with podman and especially podman generate systemd also wants a user-level session, maybe just having a _lingering_ user (loginctl enable-linger) is a useful way.
----
Now the actual question: **How can I switch to the other user, so that systemd really knows that this user is now logged in?**
I just want to "operate" as a different user (in a new shell). Just as if I would use su. Note that I do not want to SSH into the server as another user. That requires additional SSH keys and other stuff that is just not necessary. I want to switch my user while being logged in (as a user that can run sudo, i.e. system admin).
## Tries
I've sudo machinectl login, but that is:
* inconvenient, as I need to type the username again in there (I cannot do sudo machinectl login my-user).
* a problem, as my user is a system user just for podman and I don't have a password set – so I cannot login with a password

I've found machinectl shell, which sounds exactly what I want to do, but I cannot get it to work. I've tried machinectl shell my-user and machinectl shell my-user@localhost, but it always just tells me:
> Failed to get shell PTY: No machine 'localhost' known

Well… note that it also shows me I have no "machines" (whatever these are? Is not localhost one?):
$ machinectl list
No machines.
rugk (3496 rep)
May 30, 2021, 08:38 PM • Last activity: Jul 22, 2025, 02:13 PM
0 votes
0 answers
40 views
Can't use distrobox due to permission error. Podman behaves weirdly
# Prerequisites
Alpine Linux Edge
~ $ podman --version
podman version 5.5.2
~ $ distrobox --version
distrobox: 1.8.1.2
~ $ mount|grep ^cgroup|awk '{print $1}'|uniq
cgroup2
I followed the steps in Alpine Wiki for setting up distrobox and podman for rootless usage.
# What is happening
The block below is the primary issue I'm running into.
~ $ distrobox create --name debox --image debian:latest
Creating 'debox' using image debian:latest	[ OK ]
Distrobox 'debox' successfully created.
To enter, run:

distrobox enter debox

~ $ distrobox enter debox
Error: unable to start container "409500222cb9ecfb488522e1d0a13046e68408fcb62a9dcfb52ae88bda0816c0": runc: runc create failed: unable to start container process: unable to apply cgroup configuration: rootless needs no limits + no cgrouppath when no permission is granted for cgroups: mkdir /sys/fs/cgroup/409500222cb9ecfb488522e1d0a13046e68408fcb62a9dcfb52ae88bda0816c0: permission denied: OCI permission denied
I've attempted to create the folder distrobox tries to create and give my user complete permissions to use it to no avail. The same error occurs. Launching this container with just podman will output the same error. Meanwhile, starting similar container with podman seemingly works.
~ $ distrobox rm debox
# output omitted
~ $ podman create --name debox -i debian:latest
62f2044c8bb7e86b4a78bd48e7f0c66c1071924a3bc65c0d49519ca399753d9c
~ $ podman start debox
debox
As indicated by podman stats the container is up and running:
ID            NAME        CPU %       MEM USAGE / LIMIT  MEM %       NET IO      BLOCK IO           PIDS        CPU TIME         AVG CPU %
62f2044c8bb7  debox       23.49%      0B / 7.182GB       0.00%       0B / 796B   2.876GB / 1.516GB  0           1h22m26.154492s  6227.30%
It starts with showing impossibly high CPU percentage hence, the high average CPU use. Probably, irrelevant to issue. After attaching to container there is no prompt. Detaching to exit via ctrl+p, ctrl+q is impossible. Attempting to stop container will force podman to resort to SIGKILL. Container will not appear in podman ps afterwards (it did before) but, still can be launched but, the same as above will repeat:
~ $ podman stop debox
WARN StopSignal SIGTERM failed to stop container debox in 10 seconds, resorting to SIGKILL 
debox
~ $ podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES
~ $ podman start debox
debox
# What I want
Just distrobox enter debox and use container as intended.
mcv_dev (101 rep)
Jul 18, 2025, 06:05 PM
6 votes
4 answers
23635 views
Podman errors on tar with potentially insufficient UIDs or GIDs available in user namespace
When I run podman run I'm getting a particularly weird error,
❯ podman run -ti --restart=unless-stopped -p 80:80 -p 443:443 rancher/rancher:latest
✔ docker.io/rancher/rancher:latest
Trying to pull docker.io/rancher/rancher:latest...
Getting image source signatures
[... blob copying...]
Writing manifest to image destination
Storing signatures
  Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 630384594:600260513 for /usr/bin/etcdctl): Check /etc/subuid and /etc/subgid: lchown /usr/bin/etcdctl: invalid argument
Error: Error committing the finished image: error adding layer with blob "sha256:b4b03dbaa949daab471f94bcfd68cbe21c1147e8ec2acfe3f46f1520db48baeb": Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 630384594:600260513 for /usr/bin/etcdctl): Check /etc/subuid and /etc/subgid: lchown /usr/bin/etcdctl: invalid argument
What does _"potentially insufficient UIDs or GIDs available in user namespace"_ mean and how can I remedy this problem?
Evan Carroll (34663 rep)
Feb 3, 2022, 07:43 PM • Last activity: Jul 3, 2025, 05:48 PM
0 votes
0 answers
49 views
COPY/ADD from host absolute path in podman/dockerfile
Dockerfile documentation states that the `` argument of COPY and ADD are relative to the context (location of Dockerfile). If I have third party dependencies located in /usr/local or /opt/ it seems that I am forced to use relative paths in my dockerfile unless I want to copy and paste those third party libraries multiple times for each container project that utilizes them.
For this reason, I have started to install or unpackage all third-party software to live one level above where I store all my various projects' application code (i.e. instead of /usr/local).
I'm wondering if anyone has a different solution for building container images that doesn't involve copying and pasting, hard coding relative paths, or installing libraries in non-standard locations.
**Edit**
Using relative paths is entirely not allowed it seems. If your third-party dependencies live above your dockerfile, i.e. COPY ../third-party/some-lib/ /opt/ you get the error:
possible escaping context directory error... ... no such file or directory
So, I really have to copy my third party libraries however many times I want to use them in separate projects.
rocksNwaves (121 rep)
Jun 26, 2025, 04:15 PM • Last activity: Jun 26, 2025, 04:29 PM
0 votes
1 answers
455 views
Podman unable to advertise port 53 even when the container has his own IP address
I am getting an error:
Error: cannot listen on the TCP port: listen tcp4 :53: bind: address already in use
When creating a container that gets his own IP address, this means that regardless of if there is some host program listening at port 53 the container should have no problems listening in the same port because his IP is not the same as the Host. The command I am using to start the container is the following:
sudo podman run -d --network podnet -p 53:53 --name test-container test-image
And inspecting the network podnet with sudo podman inspect podnet gives the following:
[
     {
          "name": "podnet",
          "id": "",
          "driver": "macvlan",
          "network_interface": "bridge0",
          "created": "",
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": false,
          "options": {
               "mode": "passthru"
          },
          "ipam_options": {
               "driver": "dhcp"
          }
     }
]
I am on an OpenSUSE Leap Micro machine.
Delfin (150 rep)
Mar 8, 2024, 06:41 AM • Last activity: Jun 25, 2025, 08:16 PM
0 votes
1 answers
202 views
How to run a systemd-enabled container with Podman?
I am trying to run a systemd-enabled container using Podman, specifically with a Rocky Linux base image. While I have seen multiple references to Podman supporting systemd, I haven't been able to set it up successfully. Here are the steps I've tried so far:
1. Pulled the rockylinux:latest image.
2. Installed systemd inside the container
yum install -y systemd systemd-libs
mkdir -p /var/log/journal
exit
3. Committed the container to a new image using:
podman commit rocky-systemd rocky-systemd:latest
4. Started the container and systemctl prints 'degraded' status!
Moha (1 rep)
Jan 20, 2025, 10:18 PM • Last activity: Jun 25, 2025, 08:04 PM
1 votes
1 answers
2385 views
How does container to container networking work in podman / podman-compose?
I am running a RHEL 9.0 compatible OS in my homelab, along with podman version 4.0.2 and podman-compose version 1.0.3. If you need any other information please let me know!
I'm trying to transition from using docker containers to rootless podman containers. To that end, I've brought over a pretty simple set of services that will run on a freshly installed docker setup on nearly any *nix OS I've tried. Simple right? Nope
First, I had to provide full pathing to my container images, can just refer to them as they appear in the docker library. That wasn't so bad.
My compose file declares a bridged network, and each service attaches to that network. Any other computer on the network can reach any service whose ports are exposed from the container. Ports 8080, 8443, 3306, are all reachable from my laptop.
The problem lies in the inability for containers to communicate with each other. With docker networks, the containers could resolve one another using just the container name as the host name. I've installed ping on each of my containers and am finding that they can all ping themselves when referring to their own container name, but are unable to ping other container. That really puts a damper on my plans for rootless container.
In my compose file, I'm declaring the network first:
version: 3.1

networks:
  neta:
    driver: bridge
Each service declares a container name and attaches to that network, example:
    container_name: httpd
    networks:
      - neta
...
    container_name: mariadb
    networks:
      - neta
I didn't post my full compose file, because I believe this issue isn't specific to my file, but rather with rootless nature of podman. My issue is that httpd container can't reach mariadb, nor the other way around. I'm less than 24 hours into my podman journey, really, less than 4 hours. I just assumed that container networking would be something that would "just work" and am now mistaken. Any input, links or advice would be appreciated. Thanks
Lucas Krupinski (111 rep)
Nov 25, 2022, 12:32 AM • Last activity: Jun 15, 2025, 11:03 PM
0 votes
0 answers
34 views
Bridging containers to external VLAN
I have a physical network with several VLANs. One of my computers (my main workstation) is connected to two different VLANs on this network, one tagged, the other not. I have successfully set this computer up on both VLANs by making a VLAN clone interface, but I discovered that in order to actually receive packets on that interface I had to change the MAC. It seems that the Linux network stack (or maybe the acceleration on the card) looks at the MAC and if it matches, ignores the VLAN tag.
I now want to attach this interface to a bridge somehow and then also have containers attach to this same bridge. I know enough about how containers are constructed that I can do this by hand after whatever container system I'm using (podman in this case) sets the container up.
The reason I want this is that I'm working on an IPv6 broadcast/multicast protocol that will only work for a local LAN, and in order to test it, I want to have several copies of the servent running in different containers so they can communicate with each other.
I've tried this in the obvious way, but none of the packets that are explicitly destined for one of the containers ever makes it to them. I suspect this is because the card or the Linux network stack is just dropping them at the physical interface when their destination MAC doesn't match any of the MACs assigned to the interface.
What would be a good way to accomplish this? Should I ask this on Server Fault or Stack Overflow instead?
Omnifarious (1412 rep)
Jun 1, 2025, 03:51 AM
0 votes
1 answers
105 views
Remove podman container can't find ips
I am trying to remove a podman container, but it fails and leaves podman in a weird state where I have to manually kill all podman processes. I have tried
podman rm 02e2ac89ad65
and I am getting the following error
02e2ac89ad651a9b72b354beb63b787bce49dafc6b5133430685ca570b13edce on network hpc-services-net 
ERRO IPAM error: failed to find ip for subnet 10.89.1.0/24 on network hpc-services-net
I have also tried podman system reset and it gets stuck trying to remove the mentioned container. How should I remove the container?
jjcasmar (353 rep)
Sep 27, 2024, 07:01 PM • Last activity: May 26, 2025, 12:33 PM
3 votes
1 answers
1570 views
In Podman, how to disable "Executing external compose provider" message when using "podman compose"?
I installed Podman Desktop app v. 1.18.1 on macOS Sequoia. If I execute:
podman compose version
… I get this on the console:
> \>>>> Executing external compose provider "/usr/local/bin/docker-compose". Please see podman-compose(1) for how to disable this message.
> Docker Compose version v2.36.0

I am guessing that Podman is using an implementation of *Docker Compose* rather than its own implementation. (Does Podman even have its own implementation of the *Compose* spec?) That message seems to suggest I should call a command podman-compose. But there is no such command. Running this:
which podman-compose
… results in:
> podman-compose not found

Obviously there is a podman compose command+subcommand. I used that above for version. But the message says podman-compose with a hyphen, a command that does not seem to exist. So how do I disable that message?
Basil Bourque (1671 rep)
May 18, 2025, 08:10 PM • Last activity: May 26, 2025, 11:20 AM
0 votes
0 answers
67 views
Linux: Podman container Alpine + Wayland + xRDP multiuser + any window compositor
Is there any possibility to have this combination? Podman container with:
- Alpine Linux
- Wayland
- xRDP with multiuser support
- any window compositor

I have found there are some limitations of multiuser support in Gnome-remote-desktop. Should I use xRDP with xwayland as the only way? Has anyone been successful with Wayland over RDP (ideally without X interconnection)? Thanks for advice.
VitezslavSimon (121 rep)
May 23, 2025, 08:13 PM
2 votes
2 answers
1059 views
Podman error: Docker socket is not disguised correctly
I installed a fresh new version of *Podman Desktop* app version 1.18.0 on macOS Sequoia. After launching *Podman Desktop* app, I get a floating notification window that says:
> Docker socket is not disguised correctly
>
> The Docker socket (/var/run/docker.sock) is not being properly disguised by Podman. This could potentially cause docker-compatible tools to fail. Please disable any conflicting tools and re-enable Docker Compatibility.

A search on both Google and Ecosia for this message comes up empty. Am I the only user in the universe suffering this error?
👉🏽 And what is this error? And how to fix? I have no idea how to properly disguise a socket.
I have no legacy Docker work to bring to this Podman. So do I care about Docker compatibility?
Basil Bourque (1671 rep)
Apr 29, 2025, 09:49 PM • Last activity: May 13, 2025, 07:22 AM
0 votes
1 answers
38 views
What exactly is the software installed with Podman titled "Red Hat, Inc." given permission in "Allow In Background" in Mac Settings?
The *Podman Desktop* installer also installs *Podman*. Along the way of that process, a macOS notification says that the "Red Hat, Inc." item of software is installed to run automatically as an item in the "Allow in the Background" panel of Settings > General > Login Items & Extensions. I understand Red Hat company is the principal behind Podman. But what exactly is that piece of software with their name? And why does it do while running in the background?
[Screenshot: Settings > General > Login Items & Extensions > Allow in Background > Red Hat, Inc.]
Basil Bourque (1671 rep)
May 8, 2025, 10:34 PM • Last activity: May 8, 2025, 10:58 PM
0 votes
0 answers
39 views
What features do I sacrifice by turning off "Machine with root privileges" when setting up a Podman machine in Podman Desktop on macOS?
When setting up a Podman machine in Podman Desktop app, one of the features is "Machine with root privileges". I am inclined to disable that because I am using Podman for safety, to insulate contained software isolated away from my host Mac. The documentation says nothing helpful:
> Machine with root privileges: Enable to use the rootful connection by default. Required to use Kind on Windows.

If I disable "Machine with root privileges", what will I be giving up?
Basil Bourque (1671 rep)
May 8, 2025, 10:56 PM
2 votes
0 answers
45 views
Custom PAM module and Oauth2 tokens
I have a rootless Podman container (system: Alpine Linux) in Podman (master system: Alpine Linux). The container is able to work with xRDP (and sesman) so I am able to connect to it via a local user (if defined). I would like to authorize a user even if no account is already defined on the container system. I would like to write a custom PAM module that checks external service data via OAuth2 or REST API requests. Unfortunately I am not able to get the password the user typed in the xRDP login form. My current questions:
- I have a plan to prepare an sh script for this operation. Is it possible in general?
- I would like to keep the xRDP login form, so I don't have access to a web browser at the time of login, so the external service cannot be activated before the login form. I believe I can work with the REST API of the service also (but need a token or user name - password pair).
- Do I have any chance to get the password from the xrdp login dialog or really not due to PAM architecture?
- Is a PAM module the only way here in Linux to authorize+authenticate users for Alpine Linux (or in general for any Linux)?

Thanks for help.
VitezslavSimon (121 rep)
Apr 11, 2025, 09:23 AM
0 votes
1 answers
5073 views
podman - containers stuck in stopping state after reboot
I have now bumped into this problem several times - some podman containers get stuck in the stopping state, but I'm not sure how to tackle the problem.
[grant@patches patches]$ podman ps -a
CONTAINER ID  IMAGE                               COMMAND               CREATED         STATUS         PORTS                                     NAMES
434645aa71eb  docker.io/library/postgres:15.3     postgres              40 minutes ago  Stopping                                                 patches-psql
No amount of force killing seems to stop the process. Ex:
[grant@patches patches]$ podman kill patches-psql
2023-08-11T19:17:28.307348Z: open pidfd: No such process
Error: container state improper: stopped
[grant@patches patches]$ podman ps -a
CONTAINER ID  IMAGE                               COMMAND               CREATED         STATUS         PORTS                                     NAMES
434645aa71eb  docker.io/library/postgres:15.3     postgres              52 minutes ago  Stopping                                                 patches-psql
I can remove the container with rm -f but I haven't found a way to force it to stop and then restart it.
Grant Curell (769 rep)
Aug 11, 2023, 07:24 PM • Last activity: Apr 9, 2025, 08:00 PM
0 votes
1 answers
66 views
Can you use `inotify` with `/sys/fs/cgroup/pids.peak`?
I am trying to implement a program that would run as PID1 in a Podman container and would wait for the user to podman exec into the container at least once before exiting. /sys/fs/cgroup/pids.peak inside the container seems to expose this info, but how do I query it efficiently? man 7 cgroup has the following to say:
> The cgroup.events file can be monitored, in order to receive notification when the value of one of its keys changes. Such monitoring can be done using inotify(7), which notifies changes as IN_MODIFY events, or poll(2), which notifies changes by returning the POLLPRI and POLLERR bits in the revents field.

However, the cgroup.events isn't suitable for my purposes because my PID1 prevents the container cgroup from ever being empty and thus the file never changes. I've tried running inotifywait -m /sys/fs/cgroup/pids.peak to rule out bugs in my code but even then IN_MODIFY events are never triggered.
user11589013 (1 rep)
Mar 29, 2025, 02:52 PM • Last activity: Mar 29, 2025, 05:01 PM
Showing page 1 of 20 total questions