Rootless: Permission issue for executable /usr/bin/dumb-init #13720

opened 2025-11-02 10:51:17 -06:00 by GiteaMirror · 3 comments

Originally created by @Eoin-ONeill-Yokai on GitHub (Nov 17, 2024).

Description

I'm trying to port my previously docker-based gitea service to a rootless container version. I am using `podman compose` on a `Fedora CoreOS` system. I currently have the following docker compose file:

```yaml
version: "3"

networks:
  home:
    external: true

services:
  server:
    image: gitea/gitea:latest-rootless
    container_name: gitea
    restart: always
    networks:
      - home
    volumes:
      - ./gitea:/data:Z
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "3222:2222"
    security_opt:
      - label=disable
```

I'll note that I've tried with and without the `security_opt` entry to override SELinux label protections (I know it's not recommended) and also tried with `sudo setenforce 0/1` values, but I always get the following error:

```
...
{"msg":"exec container process `/usr/bin/dumb-init`: Permission denied","level":"error","time":"2024-11-17T22:57:02.854823Z"}
{"msg":"exec container process `/usr/bin/dumb-init`: Permission denied","level":"error","time":"2024-11-17T22:57:15.489072Z"}
```

My guess would be that the rootless container for some reason is running as a user that doesn't have permission to run executables in `/usr/bin`, but why exactly would this be the case in a rootless container?

I've tried both `latest-rootless` and `nightly-rootless` with the same result. I have not tried older versions yet.

Reproduction

Install a Fedora CoreOS system.
Migrate your data folder from a Debian-based system that uses docker, and make modifications to reflect my existing config.
Make sure folder permissions are set as the user running the podman container. For example, `chown -R 1000:1000 ./your-gitea-data-folders`.
Try to start the rootless container. You should get dumb-init errors.

Gitea Version

nightly-rootless, latest-rootless

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Fedora CoreOS

How are you running Gitea?

Podman images using podman compose. See above compose file.

Database

None

GiteaMirror added the type/bug, issue/workaround labels 2025-11-02 10:51:17 -06:00

@Eoin-ONeill-Yokai commented on GitHub (Nov 17, 2024):

One additional note:

I've *also* tried with no ported configuration just now and it continues to fail to execute `dumb-init` due to permission errors. So even on a plain-jane CoreOS installation the above docker compose configuration should still fail to run.


@Hydrostic commented on GitHub (Mar 10, 2025):

I also encountered this problem and finally solved it by using `chown` under `podman unshare`. By default podman maps the current user's ID on the host to root (0) in the container, and the `Dockerfile` specifies the running user to be 1000 in the container, so user 1000 will not be allowed to operate on the mounted directory. You can use the following commands to fix it.

```bash
podman unshare
mkdir config data   # if not already created
chown -R 1000:1000 config data
exit
```

Maybe we could add these commands to documentation so people won't get confused?
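To make the UID mapping described above concrete, here is an added example (not from the issue or from Gitea) that translates a UID inside a rootless podman container into the host UID that really owns the bind-mounted files, using the user's `/etc/subuid` ranges. The `alice`/`bob` entries and the file path are constructed sample data.

```shell
#!/bin/sh
# Added example: rootless podman maps container UID 0 to the invoking user's own
# UID and container UIDs 1..N consecutively onto that user's /etc/subuid ranges.
# So "1000:1000" inside the container is NOT host UID 1000, which is why a plain
# host-side `chown -R 1000:1000` leaves the container user locked out while
# `podman unshare chown -R 1000:1000 ...` (run inside the mapping) works.

# map_ctr_uid USER CTR_UID HOST_UID SUBUID_FILE -> prints the matching host UID
map_ctr_uid() {
    user=$1; ctr_uid=$2; host_uid=$3; subuid_file=$4
    if [ "$ctr_uid" -eq 0 ]; then
        echo "$host_uid"; return 0          # container root is the host user
    fi
    next=1                                  # first container UID not yet mapped
    while IFS=: read -r name start count; do
        [ "$name" = "$user" ] || continue
        if [ "$ctr_uid" -lt $((next + count)) ]; then
            echo $((start + ctr_uid - next)); return 0
        fi
        next=$((next + count))              # move past this range
    done < "$subuid_file"
    echo "container UID $ctr_uid is outside $user's subuid ranges" >&2
    return 1
}

# Constructed sample /etc/subuid content (format: user:first_subuid:count).
SAMPLE_SUBUID=$(mktemp)
printf 'alice:100000:65536\nbob:165536:65536\n' > "$SAMPLE_SUBUID"

# Which host UID should own ./gitea for alice's container user 1000?
# With alice's host UID being 1000 this prints 100999, not 1000.
map_ctr_uid alice 1000 1000 "$SAMPLE_SUBUID"
```

Comparing the printed UID with `stat -c %u ./gitea` on the host tells you whether the data directory was chowned inside or outside the user namespace.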


@clone-888 commented on GitHub (Apr 7, 2025):

I managed to solve this by switching podman-rootless to vfs:

`cat ~/.config/containers/storage.conf`

```
[storage]
driver = "vfs"
```

`sudo rm -rf ~/.local/share/containers/storage/*`

then following the instructions by Hydrostic above.

Reference: github-starred/gitea#13720