Fix newuidmap...`: newuidmap: open of uid_map failed: Permission denied

Within a container, caps need to be set on /usr/bin/new{uid,gid}map
which reflect the (inner) podman user's root namespaced ID of 10000.

Signed-off-by: Chris Evich <chris_gitlab@icuc.me>

Containerfile

@@ -57,6 +57,7 @@ RUN for rpm in ${EXCLUDE_PACKAGES}; do x+="--exclude=$rpm "; done && \
     $DNFCMD update && \
     $DNFCMD install $x $RUNNER_RPM_URL && \
     $DNFCMD upgrade && \
+    $DNFCMD reinstall shadow-utils && \
     if [[ "${DNFCMD}" == "${_DNFCMD}" ]]; then \
       dnf clean all && \
       rm -rf /var/cache/dnf; \
@@ -97,13 +98,15 @@ RUN sed -i -r \
     chown -R podman:podman /home/podman && \
     chmod u+s /usr/bin/new{uid,gid}map && \
     rm -f /home/podman/.bash* && \
-    echo DOCKER_HOST="unix:///tmp/podman-run-1000/podman/podman.sock" > /etc/profile.d/podman.sh
+    echo DOCKER_HOST="unix:///tmp/podman-run-1000/podman/podman.sock" > /etc/profile.d/podman.sh && \
+    echo "podman:10000:10000" | tee /etc/subuid > /etc/subgid && \
+    setcap -n 10000 cap_setuid+ep /usr/bin/newuidmap && \
+    setcap -n 10000 cap_setuid+ep /usr/bin/newgidmap
 
 # Runtime rootless-mode configuration
 USER podman
-VOLUME ["/home/podman/.local/share/containers/storage/",\
+# N/B: Volumes are cumulative with the base image
-        "/home/podman/.gitlab-runner/", \
+VOLUME ["/home/podman/.gitlab-runner/", "/cache"]
-        "/cache"]
 WORKDIR /home/podman
 ENTRYPOINT ["/usr/local/bin/gitlab-runner-wrapper"]
 
@@ -142,10 +145,13 @@ ENV CLEAN_INTERVAL="$CLEAN_INTERVAL" \
     DOCKER_PRIVILEGED="$PRIVILEGED_RUNNER"
 
 # Not a real build-arg.  Simply here to save lots of typing.
-ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers/storage --volume pipglr-config:/home/podman/.gitlab-runner -v pipglr-podman-cache:/cache -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
+ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers --volume pipglr-config:/home/podman/.gitlab-runner -v pipglr-podman-cache:/cache --tmpfs /var/lib/containers,ro,size=1k -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
 
 # These labels simply make it easier to register and execute the runner.
 # Define them last so they are absent should a image-build failure occur.
 LABEL register="podman run -it --rm $_pm --secret REGISTRATION_TOKEN,type=env \$IMAGE register"
 # Note: Privileged mode is required to permit building container images with inner-podman
 LABEL run="podman run -d --privileged --name pipglr $_pm \$IMAGE run"
+
+# In case it's helpful, include the documentation
+ADD /README.md /home/podman/

README.md

@@ -27,27 +27,28 @@ lacks this feature, Several labels are set on the image to support
 easy registration and execution of a runner container using a special
 bash command.  See the examples below for more information.
 
-#### [Volume Ownership Bug](https://github.com/containers/podman/issues/16576)
+#### [Volume setup]
 
-Some versions of podman contain a bug where named local volumes aren't owned
+Since podman inside the container runs as user `podman`, the volumes
-by the namespaced user within a rootless container (i.e. the 'podman' user).
+used by it need to be pre-created with ownership information.  While,
-Since the `podman` user/group inside the `pipglr` container is known, it's
+we're at it, might as well add the performance-improving `noatime`,
-possible to manually setup ownership ahead of time. This should be be done
+option as well.
-once, prior to registering your runners:
 
 ```bash
-$ for VOLUME in pipglr-podman-root pipglr-config pipglr-podman-cache; do \
+$ VOLOPTS="o=uid=1000,gid=1000,noatime"; \
-    PUPVM="podman unshare podman volume mount $VOLUME"
+  for VOLUME in pipglr-podman-root pipglr-config pipglr-podman-cache; do \
-    podman volume create $VOLUME && \
+    podman volume create --opt $VOLOPTS $VOLUME || true ; \
-    podman unshare chown 1000:1000 $($PUPVM) && \
+    VOLPTH=$(podman unshare podman volume mount $VOLUME)
-    podman unshare chmod 02770 $($PUPVM) && \
+    podman unshare chown -c -R 1000:1000 $VOLPTH && \
-    podman unshare ls -land $($PUPVM) ; \
+    podman unshare chmod -c 02770 $VOLPTH && \
+    podman unshare podman volume unmount $VOLUME ; \
   done
 ```
 
 If you get `podman system service` startup permission-denied errors, or
 errors from gitlab-runner, unable to connect to the podman socket, this is
-likely the cause.  You can fix it after-the-fact using the same commands as above, just add a `-R` option to the `chown`/`chmod`, and additionally target `./*`.
+likely the cause.  You can fix it after-the-fact using the same commands
+above.
 
 #### Runner registration
 
@@ -107,7 +108,13 @@ sure to use the `podman unshare` command-wrapper to enter the usernamespace.
 For example, to display the config:
 
 ```bash
-$ podman unshare $(podman unshare podman volume mount pipglr-config)/config.toml
+$ podman unshare cat $(podman unshare podman volume mount pipglr-config)/config.toml
+```
+
+Edit the config with your favorite `$EDITOR`:
+
+```bash
+$ podman unshare $EDITOR $(podman unshare podman volume mount pipglr-config)/config.toml
 ```
 
 #### Debugging
@@ -118,9 +125,9 @@ The first thing to check is the container output:
 $ podman logs --since 0 pipglr
 ```
 
-Before starting the runner, you may `export PODMAN_RUNNER_DEBUG=debug` to enable
+Next, try running pipglr after an `export PODMAN_RUNNER_DEBUG=debug` to enable
-debugging on the inner-podman.  Whereas `export LOG_LEVEL=debug` can be used to
+debugging on the inner-podman.  If more runner detail is needed, you can instead/additionally
-debug the gitlab-runner itself.
+set `export LOG_LEVEL=debug` to debug the gitlab-runner itself.
 
 ## Building