Bug 2117928
Summary: | Error: runc: exec failed: unable to start container process: open /dev/pts/0: operation not permitted: OCI permission denied |
---|---|
Product: | Red Hat Enterprise Linux 8 |
Component: | runc |
Version: | 8.6 |
Status: | CLOSED ERRATA |
Severity: | medium |
Priority: | unspecified |
Reporter: | Sameer <snangare> |
Assignee: | Jindrich Novy <jnovy> |
QA Contact: | Alex Jia <ajia> |
CC: | ajia, dornelas, fandrieu, gscrivan, jaykim, jiazhang, jnovy, kir, mamccoma, matthew.lesieur, mheon, rcarrier, rmanes, tsweeney, ypu |
Target Milestone: | rc |
Keywords: | Regression, Triaged, ZStream |
Hardware: | x86_64 |
OS: | Linux |
Fixed In Version: | runc-1.1.3-3.el8 |
Doc Type: | If docs needed, set a value |
: | 2124699 2124700 2137345 |
Last Closed: | 2022-11-08 09:16:44 UTC |
Type: | Bug |
Bug Blocks: | 2124700, 2125648, 2137345 |

Comment 1
Alex Jia
2022-08-16 02:08:16 UTC
Giuseppe, could you take a look at this please? It seems a regression caused by:

```
commit 343951a22b58c38feb044a5cea501dae92f8540e (HEAD, refs/bisect/bad)
Author: Aleksa Sarai <cyphar>
Date:   Thu Jun 2 12:07:00 2022 +1000

    cgroups: systemd: skip adding device paths that don't exist

    systemd emits very loud warnings when the path specified doesn't exist
    (which can be the case for some of our default rules). We don't need the
    ruleset we give systemd to be completely accurate (we discard some kinds
    of wildcard rules anyway) so we can safely skip adding these.

    Signed-off-by: Aleksa Sarai <cyphar>
```

There is a PR already opened upstream to address this issue: https://github.com/opencontainers/runc/pull/3559

Assigning to Jindrich for any further BZ or packaging needs.

Seeing the PR merged, we need to wait for a new runc release with this patch included.

Reported upstream as https://github.com/opencontainers/runc/issues/3551
Caused by https://github.com/opencontainers/runc/pull/3498 (backported to 1.1 as https://github.com/opencontainers/runc/pull/3504)
Fixed by https://github.com/opencontainers/runc/pull/3559 (backported to 1.1 as https://github.com/opencontainers/runc/pull/3554)

Fixed in runc 1.1.4, released today.

To clarify, this is a regression in runc 1.1.3 (so runc <= 1.1.2 is not affected), which is now fixed in runc 1.1.4.

This bug has been verified on runc-1.1.4-1.module+el8.7.0+16493+89f82ab8.x86_64.

```
[root@hpe-dl380pgen8-02-vm-7 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.7 Beta (Ootpa)
[root@hpe-dl380pgen8-02-vm-7 ~]# rpm -q runc podman systemd kernel
runc-1.1.4-1.module+el8.7.0+16493+89f82ab8.x86_64
podman-4.2.0-1.module+el8.7.0+16493+89f82ab8.x86_64
systemd-239-65.el8.x86_64
kernel-4.18.0-422.el8.x86_64
[root@hpe-dl380pgen8-02-vm-7 ~]# podman -v
podman version 4.2.0
[root@hpe-dl380pgen8-02-vm-7 ~]# uname -a
Linux hpe-dl380pgen8-02-vm-7.hpe2.lab.eng.bos.redhat.com 4.18.0-422.el8.x86_64 #1 SMP Thu Aug 25 21:40:53 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
[root@hpe-dl380pgen8-02-vm-7 ~]# podman run -d --name exec-test -p 8578:80 quay.io/redhattraining/httpd-parent
Trying to pull quay.io/redhattraining/httpd-parent:latest...
Getting image source signatures
Copying blob a3ed95caeb02 done
Copying blob 6a5240d60dc4 done
Copying blob 787f47dbeaac done
Copying blob a3ed95caeb02 done
Copying blob a3ed95caeb02 done
Copying blob 08b8c9fdec44 done
Copying blob a3ed95caeb02 skipped: already exists
Copying blob a3ed95caeb02 skipped: already exists
Copying blob 408208567b9a done
Copying blob a3ed95caeb02 skipped: already exists
Writing manifest to image destination
Storing signatures
dac442f725a1e1d58448b9906aeb8e74a832881ab1d9dff0706bd105c3b6f956
[root@hpe-dl380pgen8-02-vm-7 ~]# podman ps | grep exec-test
dac442f725a1 quay.io/redhattraining/httpd-parent:latest /bin/sh -c /usr/s... 4 seconds ago Up 4 seconds ago 0.0.0.0:8578->80/tcp exec-test
[root@hpe-dl380pgen8-02-vm-7 ~]# systemctl daemon-reload
[root@hpe-dl380pgen8-02-vm-7 ~]# podman exec -it exec-test sh
sh-4.4# ls
bin boot dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var
sh-4.4# exit
exit
[root@hpe-dl380pgen8-02-vm-7 ~]# echo $?
0
```

This bug also is verified for podman-4.0.2-5.module+el8.6.0+14672+b2f82327 w/ runc-1.1.3-3.module+el8.7.0+16483+b96ef47f on RHEL 8.6.

```
[root@kvm-04-guest11 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.6 (Ootpa)
[root@kvm-04-guest11 ~]# rpm -q podman runc systemd kernel
podman-4.0.2-5.module+el8.6.0+14672+b2f82327.x86_64
runc-1.1.3-3.module+el8.7.0+16483+b96ef47f.x86_64
systemd-239-58.el8_6.7.x86_64
kernel-4.18.0-372.25.1.el8_6.x86_64
[root@kvm-04-guest11 ~]# podman run -d --name exec-test -p 8578:80 quay.io/redhattraining/httpd-parent
Trying to pull quay.io/redhattraining/httpd-parent:latest...
Getting image source signatures
Copying blob a3ed95caeb02 done
Copying blob a3ed95caeb02 skipped: already exists
Copying blob a3ed95caeb02 done
Copying blob a3ed95caeb02 done
Copying blob a3ed95caeb02 skipped: already exists
Copying blob a3ed95caeb02 skipped: already exists
Copying blob 6a5240d60dc4 done
Copying blob 787f47dbeaac done
Copying blob 08b8c9fdec44 done
Copying blob 408208567b9a done
Writing manifest to image destination
Storing signatures
43ad94114bcc4a9bb6493f9eedaeb6f590783d151358213abce26d4ab2b84ee3
[root@kvm-04-guest11 ~]# podman ps | grep exec-test
43ad94114bcc quay.io/redhattraining/httpd-parent:latest /bin/sh -c /usr/s... 38 seconds ago Up 38 seconds ago 0.0.0.0:8578->80/tcp exec-test
[root@kvm-04-guest11 ~]# systemctl daemon-reload
[root@kvm-04-guest11 ~]# podman exec -it exec-test sh
sh-4.4# exit
exit
[root@kvm-04-guest11 ~]# echo $?
0
```

*** Bug 2124671 has been marked as a duplicate of this bug. ***

*** Bug 2124699 has been marked as a duplicate of this bug. ***

This bug has been verified for runc-1.1.3-3.module+el8.7.0+16483+b96ef47f and runc-1.1.4-1.module+el8.7.0+16772+33343656 on RHEL 8.7.0.

1. runc-1.1.3-3.module+el8.7.0+16483+b96ef47f

```
[root@koza-4 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.7 (Ootpa)
[root@koza-4 ~]# rpm -q podman runc systemd kernel
podman-4.2.0-1.module+el8.7.0+16483+b96ef47f.x86_64
runc-1.1.3-3.module+el8.7.0+16483+b96ef47f.x86_64
systemd-239-68.el8.x86_64
kernel-4.18.0-425.3.1.el8.x86_64
[root@koza-4 ~]# podman run -d --name exec-test -p 8578:80 quay.io/redhattraining/httpd-parent
Trying to pull quay.io/redhattraining/httpd-parent:latest...
Getting image source signatures
Copying blob a3ed95caeb02 done
Copying blob a3ed95caeb02 done
Copying blob a3ed95caeb02 done
Copying blob 787f47dbeaac done
Copying blob 6a5240d60dc4 done
Copying blob 08b8c9fdec44 done
Copying blob a3ed95caeb02 skipped: already exists
Copying blob a3ed95caeb02 skipped: already exists
Copying blob 408208567b9a done
Copying blob a3ed95caeb02 skipped: already exists
Writing manifest to image destination
Storing signatures
6f077352b19ee1caadf2564383b95c9508a49365bb9d4339fe77d854e346c4ba
[root@koza-4 ~]# podman ps | grep exec-test
6f077352b19e quay.io/redhattraining/httpd-parent:latest /bin/sh -c /usr/s... 3 seconds ago Up 3 seconds ago 0.0.0.0:8578->80/tcp exec-test
[root@koza-4 ~]# systemctl daemon-reload
[root@koza-4 ~]# podman exec -it exec-test sh
sh-4.4# pwd
/
sh-4.4# exit
exit
```

2. runc-1.1.4-1.module+el8.7.0+16772+33343656

```
[root@koza-4 ~]# rpm -q podman runc systemd kernel
podman-4.2.0-1.module+el8.7.0+16772+33343656.x86_64
runc-1.1.4-1.module+el8.7.0+16772+33343656.x86_64
systemd-239-68.el8.x86_64
kernel-4.18.0-425.3.1.el8.x86_64
[root@koza-4 ~]# podman run -d --name exec-test -p 8578:80 quay.io/redhattraining/httpd-parent
6c27e70169a16510312727492005a7d13174ffb589adfe08ab11978b9241cec2
[root@koza-4 ~]# podman ps --filter name=exec-test
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6c27e70169a1 quay.io/redhattraining/httpd-parent:latest /bin/sh -c /usr/s... 29 seconds ago Up 30 seconds ago 0.0.0.0:8578->80/tcp exec-test
[root@koza-4 ~]# systemctl daemon-reload
[root@koza-4 ~]# podman exec -it exec-test sh
sh-4.4# whoami
root
sh-4.4# exit
exit
[root@koza-4 ~]# echo $?
0
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7457

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days