How to running Podman on Debian 12?

[ChanningHe]

In the template, the docs used Fedora to run Podman. I successfully ran it according to the README, but when I switched to Debian 12, it showed the following error.

rootless@podman:~$ podman run hello-world
ERRO[0000] running `/usr/bin/newuidmap 513 0 1000 1 1 65536 65536`: newuidmap: open of uid_map failed: Permission denied 
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1

The settings for subuid and subgid should be correct, and the template settings are as follows.

rootless@podman:~$ cat /etc/subuid
rootless:65536:65536
rootless@podman:~$ cat /etc/subgid
rootless:65536:65536

startup=1
gpu_passthrough_intel=0
gpu_passthrough_nvidia=0
# Turning off seccomp filtering improves performance at the expense of security
seccomp=1

# Use bridge networking to provide an isolated network namespace,
# so podman can manage firewall rules
# Alternatively use --network-macvlan=eno1 instead of --network-bridge
# Ensure to change eno1/br1 to the interface name you want to use
# You may want to add additional options here, e.g. bind mounts
systemd_nspawn_user_args=--network-bridge=br0
        --resolv-conf=bind-host
        --system-call-filter='add_key keyctl bpf'
        --private-users=524288:131072
#       --private-users-ownership=chown

# Script to run on the HOST before starting the jail
# Load kernel module and config kernel settings required for podman
pre_start_hook=#!/usr/bin/bash
        set -euo pipefail
        echo 'PRE_START_HOOK'
        echo 1 > /proc/sys/net/ipv4/ip_forward
        modprobe br_netfilter
        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables

# Only used while creating the jail
distro=debian
release=bookworm

# Install podman inside the jail
initial_setup=#!/usr/bin/bash
        set -euo pipefail
        sleep 60
        apt update && apt -y install podman

# You generally will not need to change the options below
systemd_run_default_args=--property=KillMode=mixed
        --property=Type=notify
        --property=RestartForceExitStatus=133
        --property=SuccessExitStatus=133
        --property=Delegate=yes
        --property=TasksMax=infinity
        --collect
        --setenv=SYSTEMD_NSPAWN_LOCK=0

systemd_nspawn_default_args=--keep-unit
        --quiet
        --boot
        --bind-ro=/sys/module
        --inaccessible=/sys/module/apparmor

jlmkr version=2.1.0

Did I miss anything, or is there something else that needs to be set in Debian 12?

[ChanningHe]

when I create Debian 12 with --private-users=524288:65536 --private-users-ownership=chown, the following error will be prompted.

Enter jail name: podman

Do you want to start this jail now (when create is done)? [Y/n] y

Creating ZFS Dataset Kiwi/jailmaker/jails/podman
Using image from local cache
Unpacking the rootfs

---
You just created a Debian bookworm amd64 (20240811_05:59) container.

To enable SSH, run: apt install openssh-server
No default root or user password are set by LXC.

Starting jail podman with the following command:

systemd-run --property=KillMode=mixed --property=Type=notify --property=RestartForceExitStatus=133 --property=SuccessExitStatus=133 --property=Delegate=yes --property=TasksMax=infinity --collect --setenv=SYSTEMD_NSPAWN_LOCK=0 --unit=jlmkr-podman --working-directory=/mnt/Kiwi/jailmaker/jails/podman '--description=My nspawn jail podman [created with jailmaker]' --property=ExecStartPre=/mnt/Kiwi/jailmaker/jails/podman/.ExecStartPre -- systemd-nspawn --keep-unit --quiet --boot --bind-ro=/sys/module --inaccessible=/sys/module/apparmor --machine=podman --directory=rootfs --notify-ready=yes --network-bridge=br0 --resolv-conf=bind-host '--system-call-filter=add_key keyctl bpf' --private-users=524288:65536 --private-users-ownership=chown

Running as unit: jlmkr-podman.service
About to run the initial setup script: jlmkr-initial-setup.top3cxh2.
Waiting for networking in the jail to be ready.
Please wait (this may take 90s in case of bridge networking with STP is enabled)...
Failed to find executable /jlmkr-initial-setup.top3cxh2: Permission denied
Tried to run the following commands inside the jail:
#!/usr/bin/bash
set -euo pipefail
#apt update && apt -y install podman uidmap

Failed to run initial setup...
You may want to manually run /jlmkr-initial-setup.top3cxh2 inside the jail for debugging purposes.
Or stop and remove the jail and try again.

[ChanningHe]

It seems that only the rootless user does not have permission for /usr/bin/newuidmap /usr/bin/newgidmap.

chmod u-s /usr/bin/newuidmap
chmod u-s /usr/bin/newgidmap

[ronie-camilo]

How to create a Jail running Rocky Linux on TrueNAS Scale 24.04.2?