
default additionalimagestore for non-root users #19827

Description

@hmoffatt

Issue Description

I configured /etc/containers/storage.conf to set an additionalimagestore. The additional image store is seen (in podman image ls) by root, but not by non-root users. I do not have any ~/.config/containers/storage.conf at this time.

If I add it to ~/.config/containers/storage.conf instead, it works.

As discussed in #19807

Steps to reproduce the issue

  1. Create additional image store as non-root user: podman pull --root=$HOME/tmp/store docker.io/library/debian:bookworm
  2. Add new store to /etc/containers/storage.conf
  3. Run podman image ls and note missing new container / absence of R/O column

Describe the results you received

New image store is not used unless added to user's own .config/containers/storage.conf instead

Describe the results you expected

New image store is seen by all users without editing their own configs

podman info output

host:
  arch: amd64
  buildahVersion: 1.31.2
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon_100:2.1.7-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: f633919178f6c8ee4fb41b848a056ec33f8d707d'
  cpuUtilization:
    idlePercent: 87.69
    systemPercent: 3.36
    userPercent: 8.96
  cpus: 20
  databaseBackend: boltdb
  distribution:
    codename: bookworm
    distribution: debian
    version: "12"
  eventLogger: file
  freeLocks: 2046
  hostname: devil
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.1.0-11-amd64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 6886309888
  memTotal: 33363566592
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: podman-aardvark-dns_100:1.4.0-1_amd64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.4.0
    package: podman-netavark_100:1.4.0-1_amd64
    path: /usr/libexec/podman/netavark
    version: netavark 1.4.0
  ociRuntime:
    name: runc
    package: cri-o-runc_100:1.1.4-1_amd64
    path: /usr/lib/cri-o-runc/sbin/runc
    version: |-
      runc version unknown
      spec: 1.0.2-dev
      go: go1.19.3
      libseccomp: 2.5.4
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_100:1.2.0-1_amd64
    version: |-
      slirp4netns version 1.2.0
      commit: unknown
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 20002631680
  swapTotal: 20002631680
  uptime: 30h 35m 20.00s (Approximately 1.25 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  docker.io:
    Blocked: false
    Insecure: false
    Location: docker.io
    MirrorByDigestOnly: false
    Mirrors:
    - Insecure: false
      Location: mirror.gcr.io
      PullFromMirror: ""
    Prefix: docker.io
    PullFromMirror: ""
store:
  configFile: /home/hamish/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/hamish/.local/share/containers/storage
  graphRootAllocated: 986241146880
  graphRootUsed: 409645572096
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 23
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/hamish/.local/share/containers/storage/volumes
version:
  APIVersion: 4.6.1
  Built: 0
  BuiltTime: Thu Jan  1 10:00:00 1970
  GitCommit: ""
  GoVersion: go1.21.0
  Os: linux
  OsArch: linux/amd64
  Version: 4.6.1

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes
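
A way to check the workaround described in this report, as an added example that is not part of the original issue or of Podman's code: the script lists the additionalimagestores entries in a system-wide storage.conf that are missing from a user's storage.conf. The sample files and the path /srv/shared-store are constructed; on a real host, pass /etc/containers/storage.conf and ~/.config/containers/storage.conf instead.

```shell
#!/bin/sh
# Added example: compare additionalimagestores entries between two storage.conf files.

# Print each path in the additionalimagestores array of storage.conf file $1.
# Handles single-line and multi-line arrays; a missing file yields no output.
list_additional_stores() {
    [ -r "$1" ] || return 0
    awk '
        /^[ \t]*#/ { next }                                  # skip comment lines
        /^[ \t]*additionalimagestores[ \t]*=/ { inarr = 1 }  # array starts here
        inarr {
            line = $0
            while (match(line, /"[^"]*"/)) {                 # each quoted path
                print substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            if (index($0, "]")) inarr = 0                    # array closed
        }
    ' "$1"
}

# Print stores declared in system file $1 that are absent from user file $2.
stores_only_in_system() {
    list_additional_stores "$1" | while IFS= read -r store; do
        list_additional_stores "$2" | grep -qxF -- "$store" || printf '%s\n' "$store"
    done
}

# Demo on constructed files (placeholder store path, not taken from the issue).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/system.conf" <<'EOF'
[storage]
driver = "overlay"

[storage.options]
additionalimagestores = [
  "/srv/shared-store",
]
EOF
    cat > "$dir/user.conf" <<'EOF'
[storage]
driver = "overlay"
EOF
    stores_only_in_system "$dir/system.conf" "$dir/user.conf"
    rm -rf "$dir"
}
demo
```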


Labels: kind/bug, stale-issue