Hi Reinhard,

I was intending to open a bug report after contacting you earlier but someone 
appears to have beaten me to it!


I'm still able to reproduce this on my end with the following.

---------------------------------------------------------------
root@podman:~# podman run docker.io/alpine /bin/echo "Hello"
Hello
root@podman:~# adduser --uid 1010 bugtest --gecos "" --no-create-home --disabled-login --disabled-password
Adding user `bugtest' ...
Adding new group `bugtest' (1010) ...
Adding new user `bugtest' (1010) with group `bugtest' ...
Not creating home directory `/home/bugtest'.
root@podman:~# podman run --user 1010 docker.io/alpine /bin/echo "Hello"
Error: container_linux.go:370: starting container process caused: apply caps: operation not permitted: OCI runtime permission denied error
---------------------------------------------------------------

This is a fresh image I've pulled and still occurs when running as the user 
'nobody' as per your example.

I've also tried the steps taken in your example (with an additional step to run 
the container) and managed to reproduce the error.

-----------------------------
root@podman:~# cat Dockerfile
FROM docker.io/debian
USER nobody
RUN id
root@podman:~# podman rm -a
root@podman:~# podman build -f Dockerfile
STEP 1: FROM docker.io/debian
Getting image source signatures
Copying blob 6c33745f49b4 done
Copying config 6d6b00c222 done
Writing manifest to image destination
Storing signatures
STEP 2: USER nobody
--> de292136a39
STEP 3: RUN id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
STEP 4: COMMIT
--> b08e47fc955
b08e47fc955ccfe7a3c164e9fbd2068758ee145e39ffcc1a5c95d4a53ad4144d
root@podman:~# podman run b08e47fc955ccfe7a3c164e9fbd2068758ee145e39ffcc1a5c95d4a53ad4144d /bin/echo "Hello"
Error: container_linux.go:370: starting container process caused: apply caps: operation not permitted: OCI runtime permission denied error
-----------------------------

While I don't think it's relevant, I've had this issue with both a VM on Linode 
(which I've upgraded from Debian 10 to bullseye) and on a local VM which was 
created directly from a "testing" iso.

------------------------------------------
root@podman:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux bullseye/sid"
NAME="Debian GNU/Linux"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
------------------------------------------

As mentioned, this appears to have been discussed in the issue 
https://github.com/containers/podman/issues/7747 on Github.

If you need any more information from my end, please let me know.

Thanks for your help with this.

Regards,
Adam.