diff --git a/templates/podman/README.md b/templates/podman/README.md index 4e28d24..52a61c6 100644 --- a/templates/podman/README.md +++ b/templates/podman/README.md @@ -46,6 +46,10 @@ usermod --del-subuids 0-4294967295 --del-subgids 0-4294967295 rootless # Set a specific range, so it fits inside the number of available UIDs usermod --add-subuids 65536-131071 --add-subgids 65536-131071 rootless +# Add the required capabilities to the `newuidmap` and `newgidmap` binaries +setcap cap_setuid+eip /usr/bin/newuidmap +setcap cap_setgid+eip /usr/bin/newgidmap + # Check the assigned range cat /etc/subuid # Check the available range @@ -120,4 +124,7 @@ Resources mentioning `add_key keyctl bpf` Resources mentioning `@keyring` - https://github.com/systemd/systemd/issues/17606 - https://github.com/systemd/systemd/blob/1c62c4fe0b54fb419b875cb2bae82a261518a745/src/shared/seccomp-util.c#L604 -`@keyring` also includes `request_key` but doesn't include `bpf` \ No newline at end of file +`@keyring` also includes `request_key` but doesn't include `bpf` +Resources mentioning `cap_setuid+eip`, `cap_setgid+eip`, `newuidmap` and `newgidmap` +- https://github.com/containers/podman/issues/2788#issuecomment-1016301663 +- https://github.com/containers/podman/issues/12637#issuecomment-996524341 \ No newline at end of file diff --git a/templates/podman/config b/templates/podman/config index e613779..b19106d 100644 --- a/templates/podman/config +++ b/templates/podman/config @@ -31,11 +31,6 @@ release=39 initial_setup=#!/usr/bin/bash set -euo pipefail dnf -y install podman - # Add the required capabilities to the `newuidmap` and `newgidmap` binaries - # https://github.com/containers/podman/issues/2788#issuecomment-1016301663 - # https://github.com/containers/podman/issues/12637#issuecomment-996524341 - setcap cap_setuid+eip /usr/bin/newuidmap - setcap cap_setgid+eip /usr/bin/newgidmap # You generally will not need to change the options below systemd_run_default_args=--property=KillMode=mixed