Bug 1923986

Summary: podman: Installation instructions for rootless podman do not work
Product: Red Hat Enterprise Linux 8
Reporter: Florian Weimer <fweimer>
Component: podman
Assignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: medium
Priority: unspecified
Version: 8.4
CC: ajia, bbaude, ddarrah, dwalsh, gnecasov, jligon, jnovy, jwboyer, lfriedma, lsm5, mheon, pthomas, tsweeney, umohnani, ypu
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: podman-3.0.1-6.el8_4 or newer
Doc Type: If docs needed, set a value
Last Closed: 2021-05-18 15:34:30 UTC
Type: Bug
Attachments: Package manifest (flags: none)

Description Florian Weimer 2021-02-02 11:25:29 UTC
Created attachment 1754345
Package manifest

I tried to follow the setup instructions at:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/building_running_and_managing_containers/index?extIdCarryOver=true&sc_cid=701f2000001Css5AAC#set_up_for_rootless_containers

but encounter this:

# su - test
Last login: Tue Feb  2 06:03:27 EST 2021 on pts/1
$ sysctl user.max_user_namespaces
user.max_user_namespaces = 28633
$ podman run -i -t ubi8/ubi /bin/bash
WARN[0000] Failed to add podman to systemd sandbox cgroup: dial unix /run/user/0/bus: connect: permission denied 
Resolved short name "ubi8/ubi" to a recorded short-name alias (origin: /etc/containers/registries.conf.d/shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8/ubi:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob d9e72d058dc5 done  
Copying blob cca21acb641a done  
Copying config 3269c37eae done  
Writing manifest to image destination
Storing signatures
Error: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: rootfs_linux.go:59: mounting "sysfs" to rootfs at "/sys" caused: operation not permitted: OCI permission denied

The error appears to be independent of the image.

Some package versions:

podman-3.0.0-0.33rc2.module+el8.4.0+9742+44abad1f.x86_64
runc-1.0.0-70.rc92.module+el8.4.0+9742+44abad1f.x86_64
libseccomp-2.4.3-1.el8.x86_64

Full manifest attached.

Comment 1 Daniel Walsh 2021-02-03 14:30:30 UTC
Could you check your audit.log to see if this is caused via SELinux or seccomp?

Comment 2 Florian Weimer 2021-02-03 14:58:56 UTC
ausearch -ts recent does not report anything, and /var/log/audit/audit.log is not updated either. “setenforce 0” does not fix the issue.

Are you able to reproduce the issue?

Comment 3 Tom Sweeney 2021-02-03 15:18:36 UTC
I've added Gabriela as an FYI.

Comment 4 Daniel Walsh 2021-02-03 21:25:39 UTC
Do you have the auditd daemon running?

Looks like it is not selinux.

Try --security-opt seccomp=unconfined

This will turn off seccomp separation.

Comment 5 Florian Weimer 2021-02-04 10:25:20 UTC
(In reply to Daniel Walsh from comment #4)
> Do you have the auditd daemon running?

Yes, it's in the process list.

> Looks like it is not selinux.
> 
> Try --security-opt seccomp=unconfined
> 
> This will turn off seccomp separation.

Like this?

$ podman run -i -t --security-opt seccomp=unconfined ubi8/ubi /bin/bash
WARN[0000] Failed to add podman to systemd sandbox cgroup: dial unix /run/user/0/bus: connect: permission denied 
Error: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: rootfs_linux.go:59: mounting "sysfs" to rootfs at "/sys" caused: operation not permitted: OCI permission denied

Same error message.

Note that this is not blocking me in any way, and my goal wasn't to get this working. I merely wanted to alert you to this apparent regression.
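
A small triage script, added here as an example (it is not part of the bug report or of podman), that pulls together the checks asked for in comments 1 and 4 and recognises the two log lines quoted above; the symptom names and the reading of /run/user/0/bus as uid 0's runtime directory are my own assumptions.

```shell
#!/bin/sh
# Added triage helper (not from the bug report or the podman project).
# classify_podman_log reads podman's output on stdin and names the symptoms
# seen in this thread; check_rootless_host runs the live checks the thread
# asks for (user namespaces, subuid mapping, SELinux, auditd, audit records).
classify_podman_log() {
    log=$(cat)
    findings=""
    # /run/user/0 is uid 0's runtime directory, so podman was still using
    # root's session bus after "su - test" (inference from the log, not
    # something the thread states)
    if printf '%s\n' "$log" | grep -q '/run/user/0/bus'; then
        findings="$findings runtime-dir-is-uid0"
    fi
    if printf '%s\n' "$log" | grep -q 'mounting "sysfs" to rootfs at "/sys".*operation not permitted'; then
        findings="$findings sysfs-mount-denied"
    fi
    if printf '%s\n' "$log" | grep -q 'OCI permission denied'; then
        findings="$findings oci-permission-denied"
    fi
    printf '%s\n' "${findings# }"
}

check_rootless_host() {
    # Run as the rootless user; ausearch itself needs root or the audit group.
    printf 'user.max_user_namespaces: %s\n' "$(sysctl -n user.max_user_namespaces 2>/dev/null || echo unknown)"
    printf 'subuid entry: %s\n' "$(grep "^$(id -un):" /etc/subuid 2>/dev/null || echo MISSING)"
    printf 'selinux: %s\n' "$(getenforce 2>/dev/null || echo unknown)"
    printf 'auditd: %s\n' "$(systemctl is-active auditd 2>/dev/null || echo unknown)"
    printf 'XDG_RUNTIME_DIR: %s (uid %s)\n' "${XDG_RUNTIME_DIR:-unset}" "$(id -u)"
    # Recent SELinux and seccomp records, as comment 1 asks to check
    ausearch -ts recent -m AVC,SECCOMP 2>/dev/null | tail -n 20
}

# Constructed sample: the two lines quoted in comment 5
SAMPLE_LOG='WARN[0000] Failed to add podman to systemd sandbox cgroup: dial unix /run/user/0/bus: connect: permission denied
Error: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: rootfs_linux.go:59: mounting "sysfs" to rootfs at "/sys" caused: operation not permitted: OCI permission denied'

sample_findings() { printf '%s\n' "$SAMPLE_LOG" | classify_podman_log; }

# Pass --host to run the live checks on this machine
if [ "${1:-}" = "--host" ]; then
    check_rootless_host
fi
```

Running the script with `--host` prints the host state; piping podman's output into `classify_podman_log` names the symptoms without touching the system.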

Comment 6 Florian Weimer 2021-04-12 06:58:12 UTC
I think this regression has been fixed. I no longer see it with the RHEL-8.4.0-20210409.0 compose. Some relevant package versions:

libseccomp-2.5.1-1.el8.x86_64
kernel-4.18.0-304.el8.x86_64
podman-3.0.1-6.module+el8.4.0+10607+f4da7515.x86_64
runc-1.0.0-70.rc92.module+el8.4.0+10607+f4da7515.x86_64

Comment 7 Alex Jia 2021-04-12 07:56:58 UTC
(In reply to Florian Weimer from comment #6)
> I think this regression has been fixed. I no longer see it with the
> RHEL-8.4.0-20210409.0 compose. Some relevant package versions:

Thank you Florian, it also works for me.

[test@ibm-x3650m4-01-vm-10 ~]$ podman run -i -t --security-opt seccomp=unconfined ubi8/ubi /bin/bash
Resolved "ubi8/ubi" as an alias (/etc/containers/registries.conf.d/rhel-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8/ubi:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 13897c84ca57 done
Copying blob 64607cc74f9c done
Copying config 9992f11c61 done
Writing manifest to image destination
Storing signatures
[root@8d005811aa7f /]# ls
bin  boot  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@8d005811aa7f /]# pwd
/
[root@8d005811aa7f /]# exit
exit
[test@ibm-x3650m4-01-vm-10 ~]$ echo $?
0

Comment 8 Jindrich Novy 2021-04-12 08:48:58 UTC
No changes in dist-git are required; this bug is already fixed in the current 8.4.0 content. Laurie, do you mind setting release+ on this one so that I can attach it to the advisory, please? Testing evidence is in comment #6 and comment #7.

Comment 10 Jindrich Novy 2021-04-12 08:50:24 UTC
Alex, can you please qa_ack this one?

Comment 20 errata-xmlrpc 2021-05-18 15:34:30 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1796