[Error] Permission denied: OCI permission denied #904

Closed
StandingPadAnimations opened this issue Aug 11, 2023 · 10 comments
Labels
bug Something isn't working

Comments

@StandingPadAnimations

Please, before opening a bug:

  • make sure you've read the documentation.
  • Ensure there isn't already an open issue about this.
  • Ensure there isn't already a closed/resolved issue about this.

Describe the bug
Anytime I want to run a container, I get 'Permission denied: OCI permission denied'

To Reproduce

  1. Install Distrobox and Podman (rootless)
  2. Create a container with Distrobox (distrobox create --name test --image archlinux:latest)
  3. Try to enter the container (distrobox enter test)

Expected behavior
Expected to enter the container

Logs
Run the commands with --verbose and post the log here as a file upload
Attach also the output of podman logs or docker logs, possibly with --latest flag
distrobox-log.txt

Desktop (please complete the following information):

  • Podman
  • 4.6.0
  • 1.5.0.2
@StandingPadAnimations StandingPadAnimations added the bug Something isn't working label Aug 11, 2023
@Rednax35

Stuck with the same issue here, and on multiple distros too. I've tested on Fedora 38, Debian 12, and Ubuntu 23.04. I've been sharing a home folder between some distros for a while and sometimes a permission issue crops up. So I rename my containers folder and make a new one, same issue. I run "podman system reset". Same issue. I completely purge podman and distrobox and clear out all configs, same issue. I saw someone say to chmod the home folder to permission 701, but that didn't fix it either.

Also tried installing directly with the alternative installation method so I can get the latest version, and it's still not working. I can't really think of anything else I can do to fix this.

@Rednax35

Rednax35 commented Aug 12, 2023

Also, here's my distrobox log when I tried to enter my distrobox with the --verbose flag. podman logs, with both the --latest flag and my container, didn't give any output.

While I was digging through the log, I noticed that I get a 'failed to write to /proc/self/oom_score_adj: Permission denied' error, which looks like it might be the culprit.

distrobox-log.txt

@89luca89
Owner

This seems related to your podman setup, not to distrobox
Can you verify if you can run the following?

podman run --rm -ti \
--hostname "text" \
--name "my-distrobox" \
--privileged \
--security-opt label=disable \
--user $(id -ru):$(id -rg) \
--ipc host \
--network host \
--pid host \
--label "manager=distrobox" \
--volume /:/run/host:rslave \
--volume /dev:/dev:rslave \
--volume /sys:/sys:rslave \
--volume /tmp:/tmp:rslave \
--volume "$HOME":"$HOME":rslave \
--volume /sys/fs/selinux \
--volume /var/log/journal \
--volume /run/user/$(id -ru):/run/user/$(id -ru):rslave \
--volume /etc/hosts:/etc/hosts:ro \
--volume /etc/resolv.conf:/etc/resolv.conf:ro \
--ulimit host \
--annotation run.oci.keep_original_groups=1 \
--mount type=devpts,destination=/dev/pts \
--userns keep-id \
archlinux:latest bash -l

If this doesn't work then there is a problem with your podman setup

@StandingPadAnimations
Author

Fails for me:

Error: crun: make `/home/mahid/.local/share/containers/storage/overlay/633cbfd87934d060e7ae9888649fe9b56ec69e3f01723e790843b8e508a52042/merged` private: Permission denied: OCI permission denied

This is what podman info returns, nothing seems out of the ordinary:

host:
  arch: amd64
  buildahVersion: 1.31.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.7-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: f633919178f6c8ee4fb41b848a056ec33f8d707d'
  cpuUtilization:
    idlePercent: 89.81
    systemPercent: 1.94
    userPercent: 8.25
  cpus: 12
  databaseBackend: boltdb
  distribution:
    distribution: '"endeavouros"'
    version: unknown
  eventLogger: journald
  freeLocks: 2042
  hostname: arch
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.4.9-zen1-1-zen
  linkmode: dynamic
  logDriver: journald
  memFree: 3511599104
  memTotal: 16450183168
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
    package: /usr/lib/podman/netavark is owned by netavark 1.7.0-1
    path: /usr/lib/podman/netavark
    version: netavark 1.7.0
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.8.6-1
    path: /usr/bin/crun
    version: |-
      crun version 1.8.6
      commit: 73f759f4a39769f60990e7d225f561b4f4f06bcf
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.0-1
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 42h 50m 14.00s (Approximately 1.75 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/mahid/.config/containers/storage.conf
  containerStore:
    number: 4
    paused: 0
    running: 0
    stopped: 4
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/mahid/.local/share/containers/storage
  graphRootAllocated: 511789260800
  graphRootUsed: 100204539904
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/mahid/.local/share/containers/storage/volumes
version:
  APIVersion: 4.6.0
  Built: 1689943108
  BuiltTime: Fri Jul 21 07:38:28 2023
  GitCommit: 38e6fab9664c6e59b66e73523b307a56130316ae-dirty
  GoVersion: go1.20.6
  Os: linux
  OsArch: linux/amd64
  Version: 4.6.0

@89luca89
Owner

I'm not sure about the podman setup, I'd contact your distro package maintainer for that; it's outside of this project's scope.

@89luca89 89luca89 closed this as not planned Won't fix, can't repro, duplicate, stale Aug 14, 2023
@QazCetelic

QazCetelic commented Aug 14, 2023

I'm also having this issue on openSUSE Tumbleweed. In my case, it seems to be a compatibility error with Oracle VirtualBox.

Error: unable to start container "f5f2ab42c7534f9a508c2876e1da90fd1a459133f7c7506069a6ed5aaa533fae": runc: runc create failed: unable to start container process: error during container init: error mounting "/dev/vboxusb/003/003" to rootfs at "/dev/vboxusb/003/003": lstat /home/user/.local/share/containers/storage/overlay/5bd6286b117313cbec65341856e55f9baa49af168fa016f279ed80fe89211ba5/merged/dev/vboxusb/003: permission denied: OCI permission denied

@racalle

racalle commented Oct 8, 2023

I'm also having this issue on openSUSE Tumbleweed. In my case, it seems to be a compatibility error with Oracle VirtualBox.

Error: unable to start container "f5f2ab42c7534f9a508c2876e1da90fd1a459133f7c7506069a6ed5aaa533fae": runc: runc create failed: unable to start container process: error during container init: error mounting "/dev/vboxusb/003/003" to rootfs at "/dev/vboxusb/003/003": lstat /home/user/.local/share/containers/storage/overlay/5bd6286b117313cbec65341856e55f9baa49af168fa016f279ed80fe89211ba5/merged/dev/vboxusb/003: permission denied: OCI permission denied

Hi. Some users on reddit report that giving permissions to every one of these folders works. It worked for me too. You have to give permissions to every folder that appears until the run command launches:

sudo chmod o+rx /dev/vboxusb
sudo chmod o+rx /dev/vboxusb/003
sudo chmod o+rx /dev/vboxusb/005

And so on.

@zengmao

zengmao commented Oct 21, 2024

Like @racalle's comment, I had to do

sudo chmod o+rx /lost+found
sudo chmod o+rx /root

to start an Ubuntu 24.04 container on my Arch system.
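Both workarounds above (racalle's chmod o+rx on the /dev/vboxusb/* directories and zengmao's on /lost+found and /root) loosen the "other" permission bits on host directories the rootless container has to traverse: inside the container's user namespace, host files owned by uids that are not mapped in (such as root) are seen as an unmapped owner, so only the "other" bits count. The script below is an added example, not part of distrobox and not code from any comment in this thread. It walks the components of a path and reports which directories lack read or search permission for "other", so the chmod can be limited to the directories that actually block the mount instead of being applied by trial and error. The function name unreachable_dirs and the optional second argument (a root below which to stop checking) are my own; it assumes GNU stat -c, with a BSD stat -f fallback.

```shell
#!/bin/sh
# Added diagnostic example (hypothetical helper, not part of distrobox):
# list every directory component on the way to a path whose "other"
# permission bits deny traversal (x) or listing (r).  Those are the bits a
# rootless container's user namespace is evaluated against for host files
# owned by unmapped uids, which is why the thread's workaround is
# "chmod o+rx" on each reported directory.

# other_bits DIR -> prints the octal "other" permission digit of DIR.
# Uses GNU stat -c; falls back to BSD stat -f on systems without it.
other_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%OLp' "$1")
    # Keep only the last octal digit (the "other" class).
    printf '%s\n' "${mode#"${mode%?}"}"
}

# unreachable_dirs PATH [ROOT] -> prints each directory from PATH up to (but
# not including) ROOT (default "/") whose "other" bits lack r or x, and
# returns 1 if any were found, 0 if the whole chain is traversable.
unreachable_dirs() {
    dir=${1%/}
    [ -n "$dir" ] || dir=/
    root=${2:-/}
    root=${root%/}
    [ -n "$root" ] || root=/
    found=0
    # Walk from the leaf up towards ROOT, checking each directory component.
    while [ -n "$dir" ] && [ "$dir" != "$root" ]; do
        if [ -d "$dir" ]; then
            o=$(other_bits "$dir")
            case "$o" in
                5|7) ;;   # r-x or rwx for "other": listable and traversable
                1|3) printf '%s: others lack r (mode %s)\n' "$dir" "$o"; found=1 ;;
                4|6) printf '%s: others lack x (mode %s)\n' "$dir" "$o"; found=1 ;;
                *)   printf '%s: others lack r and x (mode %s)\n' "$dir" "$o"; found=1 ;;
            esac
        fi
        # Strip the last component; "/a" becomes "" and ends the loop.
        dir=${dir%/*}
    done
    return $found
}

# Usage: sh check-traverse.sh /dev/vboxusb/003/003
#        sh check-traverse.sh /root
if [ $# -gt 0 ]; then
    unreachable_dirs "$@"
fi
```

Running it against the path named in an "error mounting ... lstat ...: permission denied" message lists the offending directories leaf-first; the chmod lines in the thread go root-first, but the order does not matter for chmod. Search permission (x) on each parent is what the lstat in the error needs, so where a directory such as /root should not become listable, granting only o+x on it is the narrower change; the thread's o+rx grants listing as well.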

@mhill8

mhill8 commented Jan 17, 2025

I found the solution (without changing permissions on /dev/vboxusb/*) here.

The solution is to install crun from your package manager, and recreate your container.

Once I did that, the errors ceased and I was able to create and run containers.

@Free-Radical

I found the solution (without changing permissions on /dev/vboxusb/*) here.

The solution is to install crun from your package manager, and recreate your container.

Once I did that, the errors ceased and I was able to create and run containers.

F'g THANK YOU!!! Been banging my head on this for 2 hours until I tried your fix.

8 participants