Bug 1848078
Summary: | Cannot run oci-seccomp-bpf-hook with Podman and Crun with cgroups V2 | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Scott McCarty <smccarty> |
Component: | oci-seccomp-bpf-hook | Assignee: | Lokesh Mandvekar <lsm5> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 32 | CC: | jnovy, lsm5, rh.container.bot, vrothber |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | oci-seccomp-bpf-hook-1.1.1-1.fc32 oci-seccomp-bpf-hook-1.1.1-1.fc31 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-06-27 02:06:28 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Scott McCarty
2020-06-17 16:06:31 UTC
What version of podman are you using btw? Seems to work for me on f32 without bpftrace. lsm5 @ nagato : ~(master) $ podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls Trying to pull registry.fedoraproject.org/fedora:30... Getting image source signatures Copying blob ec1dd3aa5ab3 done Copying config c197b0ab77 done Writing manifest to image destination Storing signatures bin boot dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var lsm5 @ nagato : ~(master) $ rpm -q oci-seccomp-bpf-hook bpftrace podman oci-seccomp-bpf-hook-1.1.0-2.fc32.x86_64 package bpftrace is not installed podman-2.0.0-0.2.rc6.fc32.x86_64 Note that it works on Fedora 32 Workstation but not on Fedora 32 _Server_. We made the same observation on the Fedora Cloud images. Curious enough, it works after executing some of the bpftools: ``` [root@localhost ~]# /usr/share/bcc/tools/hardirqs Tracing hard irq event time... Hit Ctrl-C to end. ^C HARDIRQ TOTAL_usecs [root@localhost ~]# podman run --annotation io.containers.trace-syscall=of:/tmp/ls.json fedora:30 ls bin boot dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var ``` Note that it stops working after a reboot. Thanks to the mighty Giuseppe Scrivano, we found that `modprobe kheaders` solves the issue. I'll prepare a PR upstream. v1.1.1 of the hook has just been released and fixes the issue: https://github.com/containers/oci-seccomp-bpf-hook/releases/tag/v1.1.1 FEDORA-2020-d52fcbe01d has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d52fcbe01d FEDORA-2020-1177983024 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-1177983024 FEDORA-2020-1177983024 has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-1177983024` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-1177983024 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-d52fcbe01d has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-d52fcbe01d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d52fcbe01d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-d52fcbe01d has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2020-1177983024 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report. |