The `podman run` command does not work when a devfile is configured with a parent devfile

[tolusha]

Describe the bug

The podman run command does not work when a devfile is configured with a parent devfile

$ podman run  <...>
ERRO[0000] running `/usr/bin/newuidmap 473 0 1000 1 1 10000 65536`: newuidmap: write to uid_map failed: Operation not permitted
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1

Che version

next (development version)

Steps to reproduce

1. Deploy Eclipse Che
2. Enable container run capabilities
3. Start a workspace from a devfile which has a parent

Expected behavior

Command runs successfully

Runtime

OpenShift

Screenshots

No response

Installation method

OperatorHub

Environment

Linux

Eclipse Che Logs

Additional context

devfile:

schemaVersion: 2.3.0
metadata:
  name: udi-parent-uri-sample
  displayName: Sample Devfile Using UDI Parent (Raw URI)
  description: Devfile that inherits from the Universal Developer Image using a raw devfile registry URI
  projectType: generic
  language: generic

parent:
  uri: https://registry.devfile.io/devfiles/udi/1.0.0

commands:
  - id: build
    exec:
      label: Build project
      component: tools
      commandLine: echo "Building project using UDI parent from raw URI..."
      group:
        kind: build
        isDefault: true

  - id: run
    exec:
      label: Run project
      component: tools
      commandLine: echo "Running project using UDI parent from raw URI..."
      group:
        kind: run
        isDefault: true

[cgruver]

@tolusha @ibuziuk I don't think that this is a good reproducer. The image being used in the parent devfile is not compatible with nested containers in Dev Spaces 3.25. Thus, the error is expected.

Create a workspace from https://github.com/cgruver/devfile-parent-test

Run podman run -d --rm --name webserver -p 8080:80 quay.io/libpod/banner

It should succeed.

[cgruver]

The Containerfile for the image in the parent devfile is here - https://github.com/cgruver/ocp-4-20-nested-containers/tree/main/workspace-image

[ibuziuk]

The image being used in the parent devfile is not compatible with nested containers in Dev Spaces 3.25

@cgruver, parent is using quay.io/devfile/universal-developer-image:ubi9-latest, which should be supported, right? https://registry.devfile.io/devfiles/udi/1.0.0

[cgruver]

@ibuziuk Based on my experiment, the UDI image is not creating the correct user entries for /etc/subuid and /etc/subgid.

It might have something to do with removing RW from /etc/passwd?

For nested container support, we really need to add the correct user info into the image at build time, not run time. Since the SCC dictates the UID that the container runs as inside its user namespace, this is now possible.

It might mean that we can't have a UDI that supports container run and legacy container build... Unless we make hostUsers: false a required setting...

[cgruver]

@ibuziuk The logic here looks correct - https://github.com/devfile/developer-images/blob/main/base/ubi9/entrypoint.sh

So, I don't know what is really going on, unless it is not properly detecting hostUsers:false