Bug 1985525

Summary: podman: Cannot run Fedora 35/RHEL 9 Beta images due to clone3 incompatibility
Product: [Fedora] Fedora Reporter: Florian Weimer <fweimer>
Component: podmanAssignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 33CC: acui, bbaude, container-sig, debarshir, dwalsh, jnovy, lsm5, mheon, patrick, pehunt, rh.container.bot, santiago
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1985499 Environment:
Last Closed: 2021-07-24 19:21:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Florian Weimer 2021-07-23 19:46:18 UTC 
Also happens on Fedora 33 with:

containers-common-1-16.fc33.noarch
libseccomp-2.5.0-3.fc33.x86_64
podman-3.1.2-2.fc33.x86_64

+++ This bug was initially created as a clone of Bug #1985499 +++

Fedora 35 and RHEL 9 Beta will first attempt to use the clone3 system call for thread creation.

The changes are not yet in mainline Fedora rawhide (as a mass rebuild is under way).  Builds are available in Koji: glibc-2.33.9000-44.fc35 or later, or glibc-2.33.9000-46.el9 or later.

After the glibc upgrade, thread creation is no longer possible:

# python3 -c 'import threading; threading.Thread(None, lambda: 0).start()'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python3.10/threading.py", line 928, in start
    _start_new_thread(self._bootstrap, ())
RuntimeError: can't start new thread

strace from outside the container shows the problematic EPERM error:

2667529 clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fd5c687f910, parent_tid=0x7fd5c687f910, exit_signal=0, stack=0x7fd5c607f000, stack_size=0x7fff00, tls=0x7fd5c687f640}, 88) = -1 EPERM (Operation not permitted)
Comment 1 Florian Weimer 2021-07-24 10:44:58 UTC 
Fedora 34 appears to be fine.
Comment 2 Florian Weimer 2021-07-24 19:21:00 UTC 
Fixed for Fedora 33 via: https://bodhi.fedoraproject.org/updates/FEDORA-2021-0c53d8738d