Bug 1866833

Summary: Podman 1.9.3 fails to run container when /etc/secuity/limits.conf is used
Product: Red Hat Enterprise Linux 8 Reporter: Anthony Hogbin <ahogbin>
Component: podmanAssignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA QA Contact: atomic-bugs <atomic-bugs>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 8.2CC: ajia, bbaude, dornelas, dwalsh, jligon, jnovy, lsm5, mheon, tsweeney, ypu
Target Milestone: rc   
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: podman-2.0.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 03:06:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1186913, 1804543    

Description Anthony Hogbin 2020-08-06 14:10:03 UTC 
Description of problem:
=======================
When /etc/security/rlimits.conf are set, podman will not run containers as a user / rootless. It will continue to run containers as the root user. This problem has been noted upgrading to the current release.


Version-Release number of selected component (if applicable):
=============================================================
Name : podman
Version : 1.9.3
Release : 2.module+el8.2.1+6867+366c07d6
Architecture : x86_64
Size : 60 M
Source : podman-1.9.3-2.module+el8.2.1+6867+366c07d6.src.rpm
Repository : @System
From repo : rhel-8-for-x86_64-appstream-rpms


How reproducible:
=================
100%


Steps to Reproduce:
===================
1. Add configuration to /etc/security/limits.conf - for example:
* hard maxlogins 10
* hard core 0
* hard nofile 65536
* soft nofile 32768
* hard nproc 16384
* soft nproc 8192

2. As a non root user, now attempt to run a container.

3. Failure to run container with errors.


Actual results:
===============

[joeqpublic@rhel8-2 ~]$ podman run -it registry.access.redhat.com/ubi8/ubi bash
Trying to pull registry.access.redhat.com/ubi8/ubi...
Getting image source signatures
Copying blob 47db82df7f3f done  
Copying blob 77c58f19bd6e done  
Copying config a1f8c96997 done  
Writing manifest to image destination
Storing signatures
Error: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"process_linux.go:378: setting rlimits for ready process caused \\\"error setting rlimit type 6: invalid argument\\\"\"": OCI runtime error


Expected results:
=================

[joeqpublic@rhel8-2 ~]$ podman run -it registry.access.redhat.com/ubi8/ubi bash
[root@28c1c2edb3ee /]# 


Additional info:
================
This github issue seems to match https://github.com/containers/podman/issues/6389

$ cat /etc/security/limits.conf | egrep '^\*'
* hard maxlogins 10
* hard core 0
* hard nofile 65536
* soft nofile 32768
* hard nproc 16384
* soft nproc 8192

Fix appears to be

# cp /usr/share/containers/containers.conf /etc/containers.conf

and apply following changes

default_ulimits = [
  "nofile=32769:65536",
  "nproc=8192:16384",
]

podman system migrate

the above podman run command will now work
Comment 2 Tom Sweeney 2020-08-06 20:56:31 UTC 
Giuseppe, can you look at this please?
Comment 3 Daniel Walsh 2020-08-07 10:54:20 UTC 
Are they having this on newly created containers?
Comment 4 Anthony Hogbin 2020-08-07 13:08:21 UTC 
Daniel - I have tested with new - and the issue presents. Yes.

This is not specific to their repo or images.

Using the steps above it can be recreated.

Returning things to as they were and rootless works fine again.
Comment 5 Daniel Walsh 2020-08-07 14:45:25 UTC 
Could you look at Fedora and do the same thing, and see if it works in the current release?
Comment 6 Anthony Hogbin 2020-08-14 13:59:05 UTC 
@Daniel as requested Fedora 32 Server created, and same procedure to recreate.

There is no issue as shown below:

[ahogbin@fedora32 ~]$ podman run -it registry.access.redhat.com/ubi8/ubi bash
Trying to pull registry.access.redhat.com/ubi8/ubi...
Getting image source signatures
Copying blob 77c58f19bd6e done  
Copying blob 47db82df7f3f done  
Copying config a1f8c96997 done  
Writing manifest to image destination
Storing signatures

[root@713a6824b04b /]# exit

Yum search shows the following podman installed:

Name         : podman
Epoch        : 2
Version      : 2.0.4
Release      : 1.fc32
Architecture : x86_64
Size         : 50 M
Source       : podman-2.0.4-1.fc32.src.rpm
Comment 7 Daniel Walsh 2020-08-17 14:47:39 UTC 
This will be fixed in RHEL8.3
podman 2.0.4 or newer.
Comment 8 Tom Sweeney 2020-08-17 19:08:01 UTC 
Assigning to Jindrich for any further packaging needs.  Jindrich please also change the status of the BZ if necessary.
Comment 12 Alex Jia 2020-08-25 16:51:38 UTC 
I can reproduce this bug on podman-1.9.3-2.module+el8.2.1+6867+366c07d6.x86_64,
and verified it on podman-2.0.2-2.module+el8.3.0+7374+9d949f97.x86_64
and podman-2.0.4-3.module+el8.3.0+7716+ce654703.x86_64.


[ajia@hpe-dl380pgen8-02-vm-15 ~]$ rpm -q podman
podman-1.9.3-2.module+el8.2.1+6867+366c07d6.x86_64
[ajia@hpe-dl380pgen8-02-vm-15 ~]$ podman unshare cat /proc/self/uid_map
         0       1001          1
         1     165536      65536
[ajia@hpe-dl380pgen8-02-vm-15 ~]$ podman run -it registry.access.redhat.com/ubi8/ubi bash
Error: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: process_linux.go:382: setting rlimits for ready process caused: error setting rlimit type 6: invalid argument: OCI runtime error


[ajia@hpe-dl380pgen8-02-vm-15 ~]$ rpm -q podman podman-catatonit
podman-2.0.2-2.module+el8.3.0+7374+9d949f97.x86_64
podman-catatonit-2.0.2-2.module+el8.3.0+7374+9d949f97.x86_64
[ajia@hpe-dl380pgen8-02-vm-15 ~]$ podman unshare cat /proc/self/uid_map
         0       1001          1
         1     165536      65536
[ajia@hpe-dl380pgen8-02-vm-15 ~]$ podman run -it registry.access.redhat.com/ubi8/ubi bash
Trying to pull registry.access.redhat.com/ubi8/ubi...
Getting image source signatures
Copying blob 77c58f19bd6e done
Copying blob 47db82df7f3f done
Copying config a1f8c96997 done
Writing manifest to image destination
Storing signatures
[root@e1197ca55998 /]#


[ajia@hpe-dl380pgen8-02-vm-15 ~]$ rpm -q podman podman-catatonit
podman-2.0.4-3.module+el8.3.0+7716+ce654703.x86_64
podman-catatonit-2.0.4-3.module+el8.3.0+7716+ce654703.x86_64

[ajia@hpe-dl380pgen8-02-vm-15 ~]$ podman run -it registry.access.redhat.com/ubi8/ubi bash
Trying to pull registry.access.redhat.com/ubi8/ubi...
Getting image source signatures
Copying blob 47db82df7f3f done
Copying blob 77c58f19bd6e done
Copying config a1f8c96997 done
Writing manifest to image destination
Storing signatures
[root@a8e39c253e80 /]#
Comment 15 errata-xmlrpc 2020-11-04 03:06:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4694