Problem installing latex with podman

I have an Indico instance that is up and running with no problems. With the last update, however, we were told that we should use podman to install LaTeX, but the instructions on the website don’t seem to work for me on a Debian VM.

In particular, after installing podman and setting up the subuids and subgids, the command indico maint pull-latex-image gives the following error (I am executing this as the indico user):

Pulling image: registry.gitlab.com/islandoftex/images/texlive:TL2026-2026-03-08-full
ERRO[0000] running /usr/bin/newuidmap 413859 0 999 1 1 100000 65536: newuidmap: write to uid_map failed: Operation not permitted
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1

I’ve done some searching on what this error message means, but I haven’t been able to find a way to fix it. Does anyone have any suggestions?

For testing I recommend trying to run a simple container w/o involving any Indico code. Try running this as the indico shell user: podman run -it --rm alpine:latest id

Also, share the output of these commands:

  • cat /etc/subuid
  • cat /etc/subgid
  • grep indico /etc/passwd
  • ls -l $(which newuidmap)
  • podman unshare id

root@myserver ~$ su - indico
((indico) ) indico@myserver ~$ podman run -it --rm alpine:latest id
ERRO[0000] running `/usr/bin/newuidmap 433071 0 999 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted 
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1
((indico) ) indico@myserver ~$ cat /etc/subuid
indico:100000:65536
((indico) ) indico@myserver ~$ cat /etc/subgid
indico:100000:65536
((indico) ) indico@myserver ~$ grep indico /etc/passwd
indico:x:999:33::/opt/indico:/bin/bash
((indico) ) indico@myserver ~$ ls -l $(which newuidmap)
-rwxr-xr-x 1 root root 59336 Dec 14 15:00 /usr/bin/newuidmap
((indico) ) indico@myserver ~$ podman unshare id
ERRO[0000] running `/usr/bin/newuidmap 433126 0 999 1 1 100000 65536`: newuidmap: write to uid_map failed: Operation not permitted 
Error: cannot set up namespace using "/usr/bin/newuidmap": exit status 1


For some reason your newuidmap command isn’t setuid. Don’t ask me why though… unless your Debian version uses fcaps instead (check using getcap /usr/bin/newuidmap) but I don’t think that’s common. Which Debian version are you using (lsb_release -a)?

I’m using bookworm. For getcap /usr/bin/newuidmap I get

/usr/bin/newuidmap cap_setuid=ep

OK, so it uses caps instead of setuid. All fine then. Well, except that I have no idea why it’s not working… I recommend asking in a Debian-specific place (e.g. one of their IRC channels). You can skip all the Indico-specific things there and simply explain that rootless podman is not working for you and share the error from the podman unshare command (that’s the easiest reproducer since all it does is try to run a command in the uid namespace it would use for the containers).

PS: Debian bookworm reaches end of life in just a month. You may want to consider upgrading to trixie and see if it works there.
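
Added example (not part of the original thread, and not Indico or podman code): a small Python check that decodes the newuidmap arguments from the logged error and compares them with the /etc/subuid and /etc/passwd lines posted above, to confirm the requested mapping is consistent with the configuration. The function names are hypothetical and the sample values are copied from the outputs in this thread.

```python
import re

# Sample input: values copied from the command output posted in this thread.
ERROR_LINE = ("ERRO[0000] running `/usr/bin/newuidmap 433126 0 999 1 1 100000 65536`: "
              "newuidmap: write to uid_map failed: Operation not permitted")
SUBUID = "indico:100000:65536\n"
PASSWD_LINE = "indico:x:999:33::/opt/indico:/bin/bash"
LS_MODE = "-rwxr-xr-x"
GETCAP = "/usr/bin/newuidmap cap_setuid=ep"

def parse_newuidmap(line):
    """Return (pid, [(ns_start, host_start, count), ...]) from the logged command."""
    m = re.search(r"newuidmap (\d+)((?: \d+)+)", line)
    if not m:
        raise ValueError("no newuidmap invocation found")
    nums = [int(n) for n in m.group(2).split()]
    if len(nums) % 3:
        raise ValueError("mapping arguments must come in triples")
    return int(m.group(1)), [tuple(nums[i:i + 3]) for i in range(0, len(nums), 3)]

def allowed_ranges(subuid_text, passwd_line):
    """Host ranges the user may map: its own UID (count 1) plus its /etc/subuid entries."""
    user, _, uid = passwd_line.split(":")[:3]
    ranges = [(int(uid), 1)]
    for entry in subuid_text.splitlines():
        fields = entry.strip().split(":")
        # The first field of /etc/subuid is a login name or a numeric UID.
        if len(fields) == 3 and fields[0] in (user, uid):
            ranges.append((int(fields[1]), int(fields[2])))
    return ranges

def check_mapping(triples, ranges):
    """List requested host ranges that no allowed range fully covers."""
    return [(ns, host, count) for ns, host, count in triples
            if not any(s <= host and host + count <= s + n for s, n in ranges)]

def helper_privilege(ls_mode, getcap_out):
    """Classify how newuidmap gets its privilege: setuid bit, file caps, or none."""
    if ls_mode[3] in "sS":  # owner-execute position of the ls -l mode string
        return "setuid"
    return "file-capability" if "cap_setuid" in getcap_out else "none"

if __name__ == "__main__":
    pid, triples = parse_newuidmap(ERROR_LINE)
    print("requested:", triples)
    print("not covered:", check_mapping(triples, allowed_ranges(SUBUID, PASSWD_LINE)))
    print("helper privilege:", helper_privilege(LS_MODE, GETCAP))
```

With the values from this thread every requested range is covered, so the check only rules out a mismatch between the request and the posted subuid and passwd entries; it does not identify why the write to uid_map is refused.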