Describe the bug
Summary
Rootless Podman fails to pull images on Fedora CoreOS 44 due to insufficient UID/GID mappings in the user namespace. The issue is a regression from CoreOS 43, where the same configuration works correctly.
Reproduction steps
- Create a Podman machine using CoreOS 44 (44.20260607.2.1)
- SSH into the machine
- Attempt to pull any image requiring non-root UIDs/GIDs:
podman image pull docker.io/library/node:26-slim
Expected behavior
Image pulls successfully, as it does on CoreOS 43.
Actual behavior
Error: unable to copy from source docker://node:26-slim: copying system image
from manifest list: writing blob: adding layer with blob
"sha256:72c03230f136...": unpacking failed (error: exit status 1; output:
potentially insufficient UIDs or GIDs available in user namespace (requested
0:42 for /etc/gshadow): Check /etc/subuid and /etc/subgid if configured
locally and run "podman system migrate": lchown /etc/gshadow: invalid argument)
System details
| Component | CoreOS 43 ✅ | CoreOS 44 ❌ |
|---|---|---|
| CoreOS version | 43.20260413.3.2 | 44.20260607.2.1 |
| Kernel | 6.19.12-200.fc43 | 7.0.11-200.fc44 |
| Podman | 5.8.1 | 5.8.2 |
| shadow-utils | 4.18.0-3.fc43 | 4.19.0-7.fc44 |
| UID map entries | 2 (correct) | 1 (broken) |
Identical on both versions:
/etc/subuid: core:100000:1000000
/etc/subgid: core:100000:1000000
newuidmap capabilities: cap_setuid=ep
newgidmap capabilities: cap_setgid=ep
graphDriver: overlay
Backing Filesystem: xfs
Butane or Ignition config
Additional information
Root Cause
/proc/self/uid_map and /proc/self/gid_map show only 1 mapping entry on CoreOS 44, meaning the subuid/subgid ranges from /etc/subuid and /etc/subgid are not being applied by newuidmap/newgidmap:
CoreOS 44 (broken):
0 1000 1 ← only UID/GID 0 mapped, GID 42 unreachable
CoreOS 43 (working):
0 1000 1
1 100000 1000000 ← full subuid/subgid range applied
Suspected Causes
In order of likelihood:
- Kernel 6 → 7 regression in user namespace UID/GID mapping handling
- shadow-utils 4.18 → 4.19 regression in newuidmap/newgidmap behavior
Workaround
Use CoreOS 43 instead:
podman machine init \
--image https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/43.20260413.3.2/x86_64/fedora-coreos-43.20260413.3.2-qemu.x86_64.qcow2.xz
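
A check for the condition described under Root Cause, as an added example that is not part of the original report. The function names `id_mapped` and `subid_applied` are hypothetical, the sample map files are constructed from the values quoted above, and the check assumes each subordinate range is mapped whole, as in the CoreOS 43 output.

```shell
#!/bin/sh
# Added diagnostic example; not part of the original report.

# id_mapped MAP_FILE ID
# Succeeds if ID (as seen inside the namespace) is covered by any
# "inside-start outside-start count" line of a uid_map/gid_map dump.
id_mapped() {
    awk -v id="$2" '$1 <= id && id < $1 + $3 { ok = 1 } END { exit !ok }' "$1"
}

# subid_applied MAP_FILE SUBID_FILE USER
# Succeeds if every USER:start:count range in a subuid/subgid file shows up
# as an outside range of the map. Assumes each range is mapped whole.
subid_applied() {
    awk -v user="$3" -v mapfile="$1" '
        FILENAME == mapfile { count[$2] = $3; next }   # outside start -> count
        { split($0, f, ":") }
        f[1] == user { seen = 1; if (count[f[2]] != f[3]) missing = 1 }
        END { exit !(seen && !missing) }
    ' "$1" "$2"
}

# Constructed sample input, using the values quoted in the report.
tmp=$(mktemp -d)
printf '0 1000 1\n' > "$tmp/map44"
printf '0 1000 1\n1 100000 1000000\n' > "$tmp/map43"
printf 'core:100000:1000000\n' > "$tmp/subid"

for rel in 43 44; do
    if subid_applied "$tmp/map$rel" "$tmp/subid" core; then range=applied; else range=MISSING; fi
    if id_mapped "$tmp/map$rel" 42; then id42=mapped; else id42=UNMAPPED; fi
    echo "CoreOS $rel: subid range $range, ID 42 $id42"
done
rm -rf "$tmp"
```

On a real machine, save the output of `podman unshare cat /proc/self/uid_map` (or `gid_map`) to a file and pass it together with `/etc/subuid` (or `/etc/subgid`).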