Closed
Labels
kind/bug, locked - please file new issue/PR, machine
Description
Issue Description
When creating two consecutive Podman Machines, the first being --rootful=false and the second being --rootful=true, podman machine ssh does not honor the rootful status of the second machine.
Steps to reproduce the issue
1. podman machine init foo
2. podman machine init --now --rootful bar
3. podman machine inspect bar --format '{{ .Rootful }}'
4. podman machine ssh bar whoami
Describe the results you received
$ podman machine init foo
...
$ podman machine init --now --rootful bar
...
$ podman machine inspect bar --format '{{ .Rootful }}'
true
$ podman machine ssh bar whoami
core
Describe the results you expected
$ podman machine init foo
...
$ podman machine init --now --rootful bar
...
$ podman machine inspect bar --format '{{ .Rootful }}'
true
$ podman machine ssh bar whoami
root
podman info output
host:
  arch: amd64
  buildahVersion: 1.39.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-2.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 94.94
    systemPercent: 1.34
    userPercent: 3.72
  cpus: 12
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: workstation
    version: "40"
  eventLogger: journald
  freeLocks: 2017
  hostname: jcorrent-thinkpadt14gen4.westford.csb
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 4209569
      size: 1
    - container_id: 1
      host_id: 165536
      size: 165536
    uidmap:
    - container_id: 0
      host_id: 4209569
      size: 1
    - container_id: 1
      host_id: 165536
      size: 165536
  kernel: 6.12.11-100.fc40.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 5789257728
  memTotal: 33272819712
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19.1-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/user/4209569/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20250121.g4f2c8e7-2.fc40.x86_64
    version: |
      pasta 0^20250121.g4f2c8e7-2.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/4209569/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.1-1.fc40.x86_64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 8589144064
  swapTotal: 8589930496
  uptime: 72h 23m 57.00s (Approximately 3.00 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /home/jcorrent/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/jcorrent/.local/share/containers/storage
  graphRootAllocated: 510389125120
  graphRootUsed: 109948608512
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 2
  runRoot: /run/user/4209569/containers
  transientStore: false
  volumePath: /home/jcorrent/.local/share/containers/storage/volumes
version:
  APIVersion: 5.5.0-dev
  Built: 1739565773
  BuiltTime: Fri Feb 14 15:42:53 2025
  GitCommit: a5f6148a90c7dccd82008dc57714c2f2e4c30c6e
  GoVersion: go1.23.5
  Os: linux
  OsArch: linux/amd64
  Version: 5.5.0-dev
Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
Yes
Additional environment details
❯ bin/podman machine info
host:
  arch: amd64
  currentmachine: bar
  defaultmachine: foo
  eventsdir: /run/user/4209569/podman
  machineconfigdir: /home/jcorrent/.config/containers/podman/machine/qemu
  machineimagedir: /home/jcorrent/.local/share/containers/podman/machine/qemu
  machinestate: Running
  numberofmachines: 2
  os: linux
  vmtype: qemu
version:
  apiversion: 5.5.0-dev
  version: 5.5.0-dev
  goversion: go1.23.5
  gitcommit: a5f6148a90c7dccd82008dc57714c2f2e4c30c6e
  builttime: Fri Feb 14 15:42:53 2025
  built: 1739565773
  osarch: linux/amd64
  os: linux
Additional information
No response
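Added example, not part of the original issue or of Podman's code: a shell check that compares a machine's configured Rootful value with the user `podman machine ssh` actually logs in as, using only the two commands from the reproduction steps. The function names are hypothetical, and the mapping of a non-rootful machine to the `core` user is an assumption based on the qemu setup shown in this report.

```shell
#!/usr/bin/env bash
# Added example: flag a machine whose SSH login user does not match its
# configured rootful setting (the privilege mismatch described in the issue).

# Map the Rootful value to the expected login user.
# Assumption: non-rootful machines log in as "core", rootful ones as "root".
expected_ssh_user() {
    case "$1" in
        true)  echo root ;;
        false) echo core ;;
        *)     return 1 ;;
    esac
}

# check_rootful_ssh NAME
# Prints one status line; returns 0 on match, 1 on mismatch, 2 on error.
check_rootful_ssh() {
    name=$1
    rootful=$(podman machine inspect "$name" --format '{{ .Rootful }}') || return 2
    want=$(expected_ssh_user "$rootful") || return 2
    got=$(podman machine ssh "$name" whoami) || return 2
    got=$(printf '%s' "$got" | tr -d '\r')   # drop a stray CR from the tty
    if [ "$got" = "$want" ]; then
        echo "OK $name: rootful=$rootful ssh_user=$got"
        return 0
    fi
    echo "MISMATCH $name: rootful=$rootful expected=$want ssh_user=$got"
    return 1
}

# Usage (run against the machines from the report):
#   for m in foo bar; do check_rootful_ssh "$m"; done
```

A non-zero exit from `check_rootful_ssh` can gate a CI job or a provisioning script, so tooling that relies on root or non-root access inside the VM fails early instead of running with the wrong privileges.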