Bug 1947999
| Summary: | rootless podman --cgroup-manager=cgroupfs run command causes OCI permission error when CGroups V2 is enabled | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Alex Jia <ajia> |
| Component: | runc | Assignee: | Jindrich Novy <jnovy> |
| Status: | CLOSED ERRATA | QA Contact: | Alex Jia <ajia> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 8.4 | CC: | dwalsh, gscrivan, jnovy, leiwang, mheon, tsweeney |
| Target Milestone: | beta | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | podman-3.3.0-0.13.el8 or newer | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-11-09 17:37:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Alex Jia
2021-04-09 17:29:41 UTC
Matt, can you take a look at this early next week and see if it's at all related to https://bugzilla.redhat.com/show_bug.cgi?id=1947432?

I see no reason to believe these two BZs are related. This is a CGroups issue, the previous one was a readonly-paths issue. This looks like, specifically, a permission denied on making a directory in cgroupfs while part of a `podman unshare` shell? I'm reassigning to Giuseppe given cgroups are more his area of expertise.

opened a PR: https://github.com/containers/podman/pull/9996

This bug has been fixed on podman-3.2.0-0.11.

```
[test@kvm-07-guest01 ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.5 Beta (Ootpa)
[test@kvm-07-guest01 ~]$ rpm -q podman crun runc kernel
podman-3.2.0-0.11.module+el8.5.0+10952+e23bdbc3.x86_64
crun-0.19.1-1.module+el8.5.0+10952+e23bdbc3.x86_64
runc-1.0.0-72.rc93.module+el8.5.0+10952+e23bdbc3.x86_64
kernel-4.18.0-305.1.el8.x86_64
[test@kvm-07-guest01 ~]$ podman unshare cat /proc/self/uid_map
0 1000 1
1 100000 65536
[test@kvm-07-guest01 ~]$ grep cgroup /proc/mounts
cgroup2 /sys/fs/cgroup cgroup2 rw,seclabel,nosuid,nodev,noexec,relatime,nsdelegate 0 0
[test@kvm-07-guest01 ~]$ podman info --format json | jq .host.ociRuntime
{
  "name": "runc",
  "package": "runc-1.0.0-72.rc93.module+el8.5.0+10952+e23bdbc3.x86_64",
  "path": "/usr/bin/runc",
  "version": "runc version spec: 1.0.2-dev\ngo: go1.16.1\nlibseccomp: 2.5.1"
}
[test@kvm-07-guest01 ~]$ podman --cgroup-manager=cgroupfs --runtime=runc run --name myc quay.io/libpod/testimage:20200929 true
Trying to pull quay.io/libpod/testimage:20200929...
Getting image source signatures
Copying blob 5c10a2f1fe01 done
Copying config 766ff5a3a7 done
Writing manifest to image destination
Storing signatures
[test@kvm-07-guest01 ~]$ podman --cgroup-manager=cgroupfs --runtime=crun run --name mycnt quay.io/libpod/testimage:20200929 true
[test@kvm-07-guest01 ~]$ echo $?
0
[test@kvm-07-guest01 ~]$ podman ps
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES
[test@kvm-07-guest01 ~]$ podman ps -a
CONTAINER ID  IMAGE                              COMMAND  CREATED        STATUS                    PORTS  NAMES
93f6ff60824f  quay.io/libpod/testimage:20200929  true     2 minutes ago  Exited (0) 2 minutes ago         myc
699d3c3a69a1  quay.io/libpod/testimage:20200929  true     7 seconds ago  Exited (0) 7 seconds ago         mycnt
```

This bug has been verified on runc-1.0.1-3.module+el8.5.0+12014+438a5746.

```
[test@kvm-02-guest15 ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.5 Beta (Ootpa)
[test@kvm-02-guest15 ~]$ rpm -q runc podman kernel
runc-1.0.1-3.module+el8.5.0+12014+438a5746.x86_64
podman-3.3.0-0.17.module+el8.5.0+12014+438a5746.x86_64
kernel-4.18.0-325.el8.x86_64
[test@kvm-02-guest15 ~]$ grep cgroup /proc/mounts
cgroup2 /sys/fs/cgroup cgroup2 rw,seclabel,nosuid,nodev,noexec,relatime,nsdelegate 0 0
[test@kvm-02-guest15 ~]$ podman unshare cat /proc/self/uid_map
0 1000 1
1 100000 65536
[test@kvm-02-guest15 ~]$ podman info --format json|jq .host.ociRuntime
{
  "name": "runc",
  "package": "runc-1.0.1-3.module+el8.5.0+12014+438a5746.x86_64",
  "path": "/usr/bin/runc",
  "version": "runc version unknown\nspec: 1.0.2-dev\ngo: go1.16.6\nlibseccomp: 2.5.1"
}
[test@kvm-02-guest15 ~]$ podman --cgroup-manager=cgroupfs run --name myc quay.io/libpod/testimage:20200929 true
Trying to pull quay.io/libpod/testimage:20200929...
Getting image source signatures
Copying blob 5c10a2f1fe01 done
Copying config 766ff5a3a7 done
Writing manifest to image destination
Storing signatures
[test@kvm-02-guest15 ~]$ echo $?
0
[test@kvm-02-guest15 ~]$ podman ps -a
CONTAINER ID  IMAGE                              COMMAND  CREATED         STATUS                     PORTS  NAMES
494d7cfbd768  quay.io/libpod/testimage:20200929  true     21 seconds ago  Exited (0) 22 seconds ago         myc
[test@kvm-02-guest15 ~]$ podman --cgroup-manager=cgroupfs --runtime=crun run --name mycnt quay.io/libpod/testimage:20200929 true
[test@kvm-02-guest15 ~]$ echo $?
0
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:4154
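A preflight check built around the same commands the verification comments above run, so a host can be classified as rootless / cgroup v2 / cgroupfs before the container run is attempted (added example, not part of the bug report or of podman; the script name preflight.sh, the `live` argument and the `--rm` flag on the test run are my own choices):

```shell
#!/bin/sh
# Added example, not from the bug report or the podman project: a preflight
# script that classifies a host the way the verification comments above do
# (cgroup mode from /proc/mounts, rootless mode from the uid_map seen inside
# "podman unshare") and flags the combination this bug affected. The parsing
# functions take file contents as arguments so they can be checked offline.

# "v2" when the unified hierarchy is mounted at /sys/fs/cgroup (the bug's
# "grep cgroup /proc/mounts" output), "v1" for legacy or hybrid hosts, else "none".
cgroup_mode() {
    if printf '%s\n' "$1" | grep -q '^cgroup2 /sys/fs/cgroup cgroup2 '; then
        echo v2
    elif printf '%s\n' "$1" | grep -q '^cgroup[2]* .* cgroup[2]* '; then
        echo v1
    else
        echo none
    fi
}

# "rootless" when uid 0 in the namespace maps to a non-zero host uid (the bug's
# map "0 1000 1"); "root" for the initial namespace's "0 0 4294967295".
ns_owner() {
    host_uid=$(printf '%s\n' "$1" | awk '$1 == 0 { print $2; exit }')
    if [ -n "$host_uid" ] && [ "$host_uid" -ne 0 ]; then echo rootless; else echo root; fi
}

# "affected" only when all three conditions from the bug title hold:
# rootless, cgroup v2, and --cgroup-manager=cgroupfs.
affected_combo() {   # $1 cgroup mode, $2 namespace owner, $3 cgroup manager
    if [ "$1" = v2 ] && [ "$2" = rootless ] && [ "$3" = cgroupfs ]; then
        echo affected
    else
        echo clear
    fi
}

# Live mode ("sh preflight.sh live"): read the real files and, when podman is
# installed, repeat the bug's verification run; exit status 0 is the fixed behaviour.
preflight_live() {
    mode=$(cgroup_mode "$(cat /proc/mounts)")
    owner=$(ns_owner "$(podman unshare cat /proc/self/uid_map 2>/dev/null || cat /proc/self/uid_map)")
    echo "cgroup: $mode  namespace: $owner  combo: $(affected_combo "$mode" "$owner" cgroupfs)"
    if command -v podman >/dev/null 2>&1; then
        podman --cgroup-manager=cgroupfs run --rm quay.io/libpod/testimage:20200929 true
        echo "podman --cgroup-manager=cgroupfs exit status: $?"
    fi
}
case "${1:-}" in live) preflight_live ;; esac
```

Without the `live` argument the script only defines the functions, so the classifiers can be exercised with captured file contents from another host.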