
Rootless Podman Fails to dnf Update With cpio chown Errors

Tags: containers, dnf, podman, rocky linux, rootless, troubleshooting

Ahmer M.
Customer Support Engineer

Jun 27, 2026

Introduction

Inside a rootless Podman container on Rocky Linux, dnf update can fail with cpio: chown failed errors. The cause is how the container maps user IDs to the host.

Problem

Some packages fail to install during dnf update in a rootless container such as rockylinux:8.10.

Symptoms

error: unpacking of archive failed on file /etc/tcsd.conf: cpio: chown failed - No such file or directory
error: unpacking of archive failed on file /var/lib/unbound: cpio: chown failed - Directory not empty
error: trousers-0.3.15-2.el8.x86_64: install failed

The error may also read Invalid argument or Operation not permitted.

Root Cause

A rootless container runs in a user namespace that maps its user and group IDs to a subordinate ID range on the host (/etc/subuid, /etc/subgid). When rpm sets a file's owner to an ID outside that range, the chown fails. The range must cover every ID the packages use; 65536 is the standard allocation. The mapping breaks when the range is missing, too small, or differs between hosts that share the user's storage.

Resolution

Set a full ID range

Check the ranges:

grep '^user:' /etc/subuid /etc/subgid

Each line should grant at least 65536 IDs (for example user:100000:65536). If it is missing or smaller, set it as root and apply it:

sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 user
podman system migrate

podman system migrate applies the new mapping. Retry dnf update in a fresh container. The newuidmap and newgidmap helpers (shadow-utils) must be installed.

Keep storage on local disk

Podman does not support storage on NFS. If graphroot is on NFS, point it at a local XFS or ext4 path in ~/.config/containers/storage.conf, then re-pull images:

[storage]
driver = "overlay"
graphroot = "/home/user/.local/share/containers/storage"

Single-UID hosts: ignore chown errors

If a full range is not possible (for example a single mapped UID), squash image IDs to your own UID:

[storage.options.overlay]
ignore_chown_errors = "true"

This removes UID separation in the image, so use it only as a fallback.

Notes

Inspect the live mapping: podman unshare cat /proc/self/uid_map.
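
The following script is an added example, not part of the original article or of Podman: it sums a user's grant in a subuid/subgid-format file and tests whether a container ID falls inside a uid_map-format file. The function names, the user name, UID 59 and all file contents are constructed sample values.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed for illustration.

# Sum the ID counts granted to USER ($2) in a subuid/subgid-format file ($1).
subid_total() {
    awk -F: -v u="$2" '$1 == u { n += $3 } END { print n + 0 }' "$1"
}

# Succeed if container ID $2 falls inside any range of a uid_map/gid_map-format
# file $1 (columns: container-start host-start length).
id_is_mapped() {
    awk -v id="$2" 'NF == 3 && id >= $1 && id < $1 + $3 { ok = 1 } END { exit !ok }' "$1"
}

# Report whether USER's grant in FILE reaches the 65536 IDs the article calls for.
check_subid() {
    total=$(subid_total "$1" "$2")
    if [ "$total" -ge 65536 ]; then
        echo "OK   $1: $2 has $total IDs"
    else
        echo "FAIL $1: $2 has $total IDs (need 65536)"
        return 1
    fi
}

# --- Constructed sample data, so the script runs without touching the host ---
demo=$(mktemp -d)
printf 'user:100000:65536\n' > "$demo/subuid.good"
printf 'user:100000:1000\nother:200000:65536\n' > "$demo/subuid.small"
printf '0 1000 1\n1 100000 65536\n' > "$demo/uid_map.full"   # own UID plus full range
printf '0 1000 1\n' > "$demo/uid_map.single"                 # single mapped UID

check_subid "$demo/subuid.good" user
check_subid "$demo/subuid.small" user || true
for map in full single; do
    if id_is_mapped "$demo/uid_map.$map" 59; then
        echo "uid_map.$map: container UID 59 is mapped, chown can succeed"
    else
        echo "uid_map.$map: container UID 59 is unmapped, chown will fail"
    fi
done
rm -rf "$demo"
```

On a real host, point check_subid at /etc/subuid and /etc/subgid with your own user name, and give id_is_mapped a file holding the output of podman unshare cat /proc/self/uid_map.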

Sharing one user's storage across hosts is fragile even with matching ranges. Prefer local storage per host.
