permission denied when running podman container

[jorgeadrian93]

Summary

I started an empty workspace and ran podman run quay.io/podman/hello

Trying to pull quay.io/podman/hello:latest...
Getting image source signatures
Copying blob b195d8055f37 done  
Copying config 1c1f781955 done  
Writing manifest to image destination
WARN[0001] failed to set net.ipv6.conf.default.accept_dad sysctl: open /proc/sys/net/ipv6/conf/default/accept_dad: read-only file system 
ERRO[0002] Unmounting partially created network namespace for container 78b0b05bd41c434aa0221404b706f23a9c1bd9e069dbf64e8dbfc071366b253e: failed to unmount NS: at /tmp/podman-run-1000720000/netns/netns-b69250cc-f7d4-3372-e51a-6240dc9220b8: permission denied 
ERRO[0002] Preparing container 78b0b05bd41c434aa0221404b706f23a9c1bd9e069dbf64e8dbfc071366b253e: /usr/bin/slirp4netns failed: "open(\"/dev/net/tun\"): No such file or directory\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\nchild failed(1)\nWARNING: Support for seccomp is experimental\nWARNING: Support for IPv6 is experimental\n" 
Error: unmounting storage for container 78b0b05bd41c434aa0221404b706f23a9c1bd9e069dbf64e8dbfc071366b253e after network create failure: unmounting container 78b0b05bd41c434aa0221404b706f23a9c1bd9e069dbf64e8dbfc071366b253e: unmounting container 78b0b05bd41c434aa0221404b706f23a9c1bd9e069dbf64e8dbfc071366b253e SHM mount /home/user/.local/share/containers/storage/vfs-containers/78b0b05bd41c434aa0221404b706f23a9c1bd9e069dbf64e8dbfc071366b253e/userdata/shm: permission denied

In the documentation I see a Warning related to NFS: "OpenShift Dev Spaces does not support the Network File System (NFS) protocol."

Is this error related to NFS storage?
I assume an empty workspace has no persistent volumes attached (ephemeral) and I was wondering if there is a workaround to run podman containers in this case.

Relevant information

Looking at the FileSystem

Filesystem                      Size  Used Avail Use% Mounted on
overlay                         200G  162G   38G  82% /

~ $ ls -la /home/user/.local/share/containers/storage/vfs-containers/
total 8
drwx------. 3 user root 124 Feb  6 18:30 .
drwx------. 7 user root 128 Feb  6 18:29 ..
drwx------. 3 user root  22 Feb  6 18:30 78b0b05bd41c434aa0221404b706f23a9c1bd9e069dbf64e8dbfc071366b253e
-rw-------. 1 user root 529 Feb  6 18:30 containers.json
-rw-r--r--. 1 user root  64 Feb  6 18:30 containers.lock

$ cat /home/user/.config/containers/storage.conf 
[storage]
driver = "vfs"

[dkwon17]

Hi @jorgeadrian93 this is not supported out of the box at the moment, related issue: containers/podman#17988

For OpenShift, there is a blog post by @cgruver that demonstrates podman run after making some changes to the cluster with MachineConfig: https://upstreamwithoutapaddle.com/blog%20post/2023/08/10/Podman-In-Dev-Spaces-With-Fuse-Overlay.html#demo-of-almost-working-podman-run-in-dev-spaces

[jorgeadrian93]

@dkwon17 Thank you for your quick response. I'll take a look at the blog post 😄

[dkwon17]

Hi @jorgeadrian93 sorry, I should mention podman run is supported in Kubernetes/OpenShift but it's by using kubedock, see #20227 (comment).

To quickly test it out, you can:

1. Start an empty workspace:
   

2. Run the following to add the necessary environment variable to enable kubedock:

kubectl patch dw <devworkspace-name> --type='json' -p='[{"op": "add", "path": "/spec/template/components/0/container/env", "value": [{"name": "KUBEDOCK_ENABLED", "value": "true"}]}]' -n <namespace>

3. Restart the workspace (it should restart automatically if the workspace was already running when the patch was applied)
4. Run a podman run command in the terminal: