Bug 1401944 - docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro fails with --userns-remap set
Summary: docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro fails with --userns-remap set
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: podman
Version: 31
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-12-06 12:39 UTC by Jan Pazdziora
Modified: 2020-09-15 14:38 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-15 14:38:38 UTC
Type: Bug
Embargoed:



Description Jan Pazdziora 2016-12-06 12:39:09 UTC
Description of problem:

In an attempt to harden my docker installation, I've set

  OPTIONS='--icc=false --log-driver=journald --userns-remap=default'

appending the --userns-remap option (and removing --selinux-enabled to work around bug 1401537). After restarting the daemon, I can no longer start systemd in the container, presumably due to some oci-systemd-hook interaction.

Version-Release number of selected component (if applicable):

docker-1.12.3-10.git7b5044b.fc25.x86_64
oci-systemd-hook-0.1.4-3.git41491a3.fc25.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Set /etc/sysconfig/docker option OPTIONS to

OPTIONS='--icc=false --log-driver=journald --userns-remap=default'

2. systemctl restart docker
3. docker run --rm -ti -e container=docker fedora:rawhide /usr/sbin/init

Actual results:

# docker run --rm -ti -e container=docker fedora:rawhide /usr/sbin/init
/usr/bin/docker-current: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:334: running prestart hook 2 caused \\\"error running hook: exit status 1, stdout: , stderr: \\\"\"\n".

Journal contains

Dec 06 07:36:30 machine.example.test dockerd-current[12706]: time="2016-12-06T07:36:30.169832498-05:00" level=info msg="{Action=create, Username=root, LoginUID=0, PID=16709}"
Dec 06 07:36:30 machine.example.test audit[12706]: VIRT_CONTROL pid=12706 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='user=root auid=0 exe=? hostname=? reason=api op=create vm=? vm-pid=?  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Dec 06 07:36:30 machine.example.test kernel: XFS (dm-3): Mounting V5 Filesystem
Dec 06 07:36:30 machine.example.test kernel: XFS (dm-3): Ending clean mount
Dec 06 07:36:30 machine.example.test kernel: XFS (dm-3): Unmounting Filesystem
Dec 06 07:36:30 machine.example.test kernel: XFS (dm-3): Mounting V5 Filesystem
Dec 06 07:36:30 machine.example.test kernel: XFS (dm-3): Ending clean mount
Dec 06 07:36:30 machine.example.test kernel: XFS (dm-3): Unmounting Filesystem
Dec 06 07:36:31 machine.example.test dockerd-current[12706]: time="2016-12-06T07:36:31.244283614-05:00" level=info msg="{Action=attach, Username=root, LoginUID=0, PID=16709}"
Dec 06 07:36:31 machine.example.test audit[12706]: VIRT_CONTROL pid=12706 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='op=attach vm=? vm-pid=? user=root auid=0 exe=? hostname=? reason=api  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Dec 06 07:36:31 machine.example.test dockerd-current[12706]: time="2016-12-06T07:36:31.245330515-05:00" level=info msg="{Action=start, Username=root, LoginUID=0, PID=16709}"
Dec 06 07:36:31 machine.example.test audit[12706]: VIRT_CONTROL pid=12706 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='op=start vm=? vm-pid=? user=root auid=0 exe=? hostname=? reason=api  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'
Dec 06 07:36:31 machine.example.test kernel: XFS (dm-3): Mounting V5 Filesystem
Dec 06 07:36:31 machine.example.test kernel: XFS (dm-3): Ending clean mount
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered blocking state
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered disabled state
Dec 06 07:36:31 machine.example.test kernel: device veth27a7289 entered promiscuous mode
Dec 06 07:36:31 machine.example.test audit: ANOM_PROMISCUOUS dev=veth27a7289 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
Dec 06 07:36:31 machine.example.test kernel: IPv6: ADDRCONF(NETDEV_UP): veth27a7289: link is not ready
Dec 06 07:36:31 machine.example.test systemd-udevd[16775]: Could not generate persistent MAC address for veth27a7289: No such file or directory
Dec 06 07:36:31 machine.example.test systemd-udevd[16774]: Could not generate persistent MAC address for vethff5ae4d: No such file or directory
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info>  [1481027791.3205] manager: (vethff5ae4d): new Veth device (/org/freedesktop/NetworkManager/Devices/163)
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info>  [1481027791.3219] manager: (veth27a7289): new Veth device (/org/freedesktop/NetworkManager/Devices/164)
Dec 06 07:36:31 machine.example.test systemd[1]: libcontainer-16787-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
Dec 06 07:36:31 machine.example.test systemd[1]: libcontainer-16787-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
Dec 06 07:36:31 machine.example.test systemd[1]: Started docker container f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.
Dec 06 07:36:31 machine.example.test kernel: eth0: renamed from vethff5ae4d
Dec 06 07:36:31 machine.example.test kernel: IPv6: ADDRCONF(NETDEV_CHANGE): veth27a7289: link becomes ready
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered blocking state
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered forwarding state
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info>  [1481027791.5905] device (vethff5ae4d): driver 'veth' does not support carrier detection.
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info>  [1481027791.5909] device (veth27a7289): link connected
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info>  [1481027791.5910] device (docker0): link connected
Dec 06 07:36:31 machine.example.test oci-register-machine[16820]: 2016/12/06 07:36:31 Register machine: prestart f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865 16796 /var/lib/docker/886432.886432/devicemapper/mnt/03c0f793add27876e6d88ef098dd47c03cbe93dd65281bbbab1e081f6cf2b388/rootfs
Dec 06 07:36:31 machine.example.test systemd-machined[3810]: New machine f6025e740db57b0219f509c24f973867.
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: Mount Label parsed as:
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: 11:cpuset:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: :cpuset:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: 10:hugetlb:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: :hugetlb:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: 9:freezer:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: :freezer:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: 8:blkio:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: :blkio:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: 7:pids:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: :pids:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: 6:memory:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: :memory:/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: Found
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: PATH: /system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: SUBSYSTEM_PATH: /sys/fs/cgroup/memory/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: memory path: /sys/fs/cgroup/memory/system.slice/docker-f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.scope/memory.limit_in_bytes
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: LIMIT: 9223372036854771712
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <debug>: Limit in bytes: 9223372036854771712
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16825]: systemdhook <error>: Failed to mount /sys/fs/cgroup on /var/lib/docker/886432.886432/devicemapper/mnt/03c0f793add27876e6d88ef098dd47c03cbe93dd65281bbbab1e081f6cf2b388/rootfs/sys/fs/cgroup: Invalid argument
Dec 06 07:36:31 machine.example.test systemd[1]: Stopped docker container f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865.
Dec 06 07:36:31 machine.example.test oci-register-machine[16827]: 2016/12/06 07:36:31 Register machine: poststop f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865 0 /var/lib/docker/886432.886432/devicemapper/mnt/03c0f793add27876e6d88ef098dd47c03cbe93dd65281bbbab1e081f6cf2b388/rootfs
Dec 06 07:36:31 machine.example.test systemd-machined[3810]: Machine f6025e740db57b0219f509c24f973867 terminated.
Dec 06 07:36:31 machine.example.test oci-systemd-hook[16832]: systemdhook <debug>: Mount Label parsed as:
Dec 06 07:36:31 machine.example.test systemd[1]: libcontainer-16833-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
Dec 06 07:36:31 machine.example.test docker-containerd-current[2142]: time="2016-12-06T07:36:31.693478361-05:00" level=error msg="containerd: start container" error="oci runtime error: container_linux.go:247: starting container process caused \"process_linux.go:334: running prestart hook 2 caused \\\"error running hook: exit status 1, stdout: , stderr: \\\"\"\n" id=f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865
Dec 06 07:36:31 machine.example.test dockerd-current[12706]: time="2016-12-06T07:36:31.710223766-05:00" level=error msg="Create container failed with error: invalid header field value \"oci runtime error: container_linux.go:247: starting container process caused \\\"process_linux.go:334: running prestart hook 2 caused \\\\\\\"error running hook: exit status 1, stdout: , stderr: \\\\\\\"\\\"\\n\""
Dec 06 07:36:31 machine.example.test systemd[1]: libcontainer-16833-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
Dec 06 07:36:31 machine.example.test systemd[1]: libcontainer-16839-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
Dec 06 07:36:31 machine.example.test systemd[1]: libcontainer-16839-systemd-test-default-dependencies.scope: Scope has no PIDs. Refusing.
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered disabled state
Dec 06 07:36:31 machine.example.test kernel: vethff5ae4d: renamed from eth0
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info>  [1481027791.8120] manager: (vethff5ae4d): new Veth device (/org/freedesktop/NetworkManager/Devices/165)
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered disabled state
Dec 06 07:36:31 machine.example.test kernel: device veth27a7289 left promiscuous mode
Dec 06 07:36:31 machine.example.test kernel: docker0: port 1(veth27a7289) entered disabled state
Dec 06 07:36:31 machine.example.test audit: ANOM_PROMISCUOUS dev=veth27a7289 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info>  [1481027791.8759] device (vethff5ae4d): driver 'veth' does not support carrier detection.
Dec 06 07:36:31 machine.example.test NetworkManager[687]: <info>  [1481027791.8762] device (veth27a7289): driver 'veth' does not support carrier detection.
Dec 06 07:36:32 machine.example.test kernel: XFS (dm-3): Unmounting Filesystem
Dec 06 07:36:32 machine.example.test dockerd-current[12706]: time="2016-12-06T07:36:32.267923608-05:00" level=error msg="Handler for POST /v1.24/containers/f6025e740db57b0219f509c24f9738675eb5a951005715052d97d5cd9fb87865/start returned error: invalid header field value \"oci runtime error: container_linux.go:247: starting container process caused \\\"process_linux.go:334: running prestart hook 2 caused \\\\\\\"error running hook: exit status 1, stdout: , stderr: \\\\\\\"\\\"\\n\""
Dec 06 07:36:32 machine.example.test dockerd-current[12706]: time="2016-12-06T07:36:32.269196761-05:00" level=info msg="{Action=remove, Username=root, LoginUID=0, PID=16709}"
Dec 06 07:36:32 machine.example.test audit[12706]: VIRT_CONTROL pid=12706 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:container_runtime_t:s0 msg='hostname=? reason=api op=remove vm=? vm-pid=? user=root auid=0 exe=?  exe="/usr/bin/dockerd-current" hostname=? addr=? terminal=? res=success'

Expected results:

No error.

Additional info:

For the oci-systemd-hook logic to kick in, any command with basename equal to init will work as reproducer:

docker run --rm -ti -e container=docker fedora:rawhide /anything/init

Filing against docker first because it might not be something oci-systemd-hook is able to fix per se.

Comment 1 Daniel Walsh 2016-12-06 13:12:02 UTC
If you remove the oci-systemd-hook, can you get it to work mounting the devices on the command line?

--tmpfs /run --tmpfs /tmp -v /sys/fs/cgroup:/sys/fs/cgroup ...

I think the mount command inside of oci-systemd-hook for the cgroups is failing.

Comment 2 Jan Pazdziora 2016-12-06 13:38:56 UTC
Right, manually mounting is what I tried to do but I hit bug 1401537 comment 13.

Comment 3 Jan Pazdziora 2016-12-06 14:10:47 UTC
While

$ docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --rm -ti fedora:24 bash

fails,

$ docker run -v /sys/fs/cgroup:/sys/fs/cgroup --rm -ti fedora:24 bash

without the :ro passes. So I tried removing /usr/libexec/oci/hooks.d/oci-systemd-hook and I ran

$ docker run --rm -ti -e container=docker -v /sys/fs/cgroup:/sys/fs/cgroup --tmpfs /run --tmpfs /tmp fedora:24 /usr/sbin/init

and I get

systemd 229 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture x86-64.
Running with unpopulated /etc.

Welcome to Fedora 24 (Twenty Four)!

Set hostname to <650c8735a344>.
Initializing machine ID from random generator.
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Failed to populate /etc with preset unit settings, ignoring: No such file or directory
Failed to create /system.slice/docker-650c8735a34469088aa207dab473783f53d7eeb879485c548119bd8091851d52.scope/init.scope control group: Permission denied
Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object, freezing.
Freezing execution.
Error response from daemon: No such container: 650c8735a34469088aa207dab473783f53d7eeb879485c548119bd8091851d52
Error response from daemon: devmapper: Unknown device e861345cb11388039769492dde3218b1a709c87ec503974c5fba1634116c42e6

Comment 4 Daniel Walsh 2016-12-06 16:32:30 UTC
I think we need to keep these bugzillas separate.

Let's handle mounting of /sys/fs/cgroup:/sys/fs/cgroup:ro inside of a user namespace here.

The systemd one needs to be handled separately.

Comment 5 Jan Pazdziora 2016-12-07 07:11:18 UTC
Alright. So the steps to reproduce would be:

With --userns-remap set for the docker daemon

$ docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --rm -ti fedora:24 bash

fails, while

$ docker run -v /sys/fs/cgroup:/sys/fs/cgroup --rm -ti fedora:24 bash

without the :ro passes.

Comment 6 Jan Pazdziora 2016-12-07 07:19:28 UTC
I now spun off the systemd issue with /sys/fs/cgroup mounted without that :ro to bug 1402264.

Comment 7 Daniel Walsh 2016-12-15 18:09:40 UTC
https://github.com/opencontainers/runc/issues/1229
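
The runc issue linked above is where the read-only bind mount is tracked. What follows is an added example, not text from this bug report and not code from runc, docker or oci-systemd-hook. It is a POSIX shell script that reads a mount's per-mount options from /proc/self/mountinfo and builds the option string a read-only bind remount has to repeat. The kernel locks the nosuid, nodev, noexec and atime options of every mount that a user namespace inherits from a more privileged mount namespace, so inside such a namespace a "remount,bind,ro" that does not restate those options is refused with EPERM, which is the "operation not permitted" seen in the later comments. The mountinfo line in the script is constructed; the live reproduction function assumes unshare(1), a kernel that permits unprivileged user namespaces, and a mount(8) that passes exactly the options it is given.

```shell
#!/bin/sh
# Added example, not code from the bug report, runc, docker or oci-systemd-hook.
#
# Inside a user namespace the kernel locks the nosuid, nodev, noexec and atime
# options of every mount inherited from the parent (more privileged) mount
# namespace. A read-only bind remount that passes only "remount,bind,ro" would
# drop the locked options and is refused with EPERM ("operation not
# permitted"). The remount has to restate them, which is what this computes.

# Constructed sample /proc/self/mountinfo line for /sys/fs/cgroup (assumed
# typical for a cgroup v1 host; not copied from the report).
SAMPLE_MOUNTINFO='25 30 0:21 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,mode=755'

# Print the lockable per-mount options of the given mountpoint.
# $1 = mountpoint, $2 = mountinfo text (as read from /proc/self/mountinfo).
# Field 5 of a mountinfo line is the mountpoint, field 6 the per-mount options.
locked_mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $5 == mp {
            n = split($6, opts, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                o = opts[i]
                if (o == "nosuid" || o == "nodev" || o == "noexec" ||
                    o == "noatime" || o == "nodiratime" || o == "relatime" ||
                    o == "strictatime") {
                    if (out == "") out = o; else out = out "," o
                }
            }
            print out
            exit
        }'
}

# Build the option string for a read-only bind remount that keeps the locked
# options, so it succeeds both with and without a user namespace.
ro_remount_opts() {
    locked="$(locked_mount_opts "$1" "$2")"
    if [ -n "$locked" ]; then
        printf 'remount,bind,ro,%s\n' "$locked"
    else
        printf 'remount,bind,ro\n'
    fi
}

# Live reproduction (not run automatically): needs unshare(1), a kernel that
# allows unprivileged user namespaces, and a mount(8) that passes exactly the
# options given (assumed). The first remount mirrors what a plain ":ro" bind
# mount does; the second restates the locked options.
demo_in_userns() {
    opts="$(ro_remount_opts /sys/fs/cgroup "$(cat /proc/self/mountinfo)")"
    unshare -Urm sh -c '
        mkdir -p /tmp/cgro && mount --bind /sys/fs/cgroup /tmp/cgro || exit 1
        if mount -o remount,bind,ro /tmp/cgro; then
            echo "plain ro remount: succeeded"
        else
            echo "plain ro remount: refused (locked mount options dropped)"
        fi
        if mount -o "'"$opts"'" /tmp/cgro; then
            echo "ro remount with locked options ('"$opts"'): succeeded"
        fi
    '
}

echo "read-only remount of /sys/fs/cgroup needs: -o $(ro_remount_opts /sys/fs/cgroup "$SAMPLE_MOUNTINFO")"
```

Running the script prints the option string computed from the constructed line; calling demo_in_userns on a real host shows the plain read-only remount being refused inside the user namespace while the one that restates nosuid,nodev,noexec goes through.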

Comment 9 Fedora End Of Life 2017-11-16 19:39:34 UTC
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed, as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 10 Jan Pazdziora 2017-12-07 11:23:02 UTC
This issue as clarified in comment 6 still fails on Fedora 26 with

docker-1.13.1-40.git877b6df.fc26.x86_64
selinux-policy-3.13.1-260.14.fc26.noarch
container-selinux-2.28-1.fc26.noarch
oci-systemd-hook-0.1.13-1.gitafe4b4a.fc26.x86_64

with the

  -v /sys/fs/cgroup:/sys/fs/cgroup:ro

and with

  OPTIONS='--selinux-enabled --log-driver=journald --userns-remap=default'

and

  setsebool -P container_manage_cgroup 1

Comment 11 Fedora End Of Life 2018-05-03 08:00:00 UTC
This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed, as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 12 Jan Pazdziora 2018-05-10 08:30:55 UTC
With

docker-1.13.1-44.git584d391.fc26.x86_64
selinux-policy-3.13.1-260.20.fc26.noarch
container-selinux-2.40-1.fc26.noarch
oci-systemd-hook-0.1.15-1.git2d0b8a3.fc26.x86_64

running just

   docker run --rm fedora:26 /usr/sbin/init

passes, with docker configured as

   OPTIONS='--selinux-enabled --log-driver=journald --userns-remap=default'

and with

   setsebool -P container_manage_cgroup 1

On the other hand,

   docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --rm -ti fedora:26 bash

with the :ro still fails with

   /usr/bin/docker-current: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:364: container init caused \"rootfs_linux.go:54: mounting \\\"/sys/fs/cgroup\\\" to rootfs \\\"/var/lib/docker/165536.165536/devicemapper/mnt/7d24eeecce023fd6c7c7c53e28a2e77431c37a814e10ca8d0725eec01dc995cf/rootfs\\\" at \\\"/var/lib/docker/165536.165536/devicemapper/mnt/7d24eeecce023fd6c7c7c53e28a2e77431c37a814e10ca8d0725eec01dc995cf/rootfs/sys/fs/cgroup\\\" caused \\\"operation not permitted\\\"\"".

while

   docker run -v /sys/fs/cgroup:/sys/fs/cgroup --rm -ti fedora:26 bash

passes.

On Fedora 27 with

docker-1.13.1-51.git4032bd5.fc27.x86_64
selinux-policy-3.13.1-283.34.fc27.noarch
container-selinux-2.55-1.fc27.noarch
oci-systemd-hook-0.1.15-1.git2d0b8a3.fc27.x86_64

the results are the same, so moving the version to 27.

Comment 13 Jan Pazdziora 2018-05-10 08:35:24 UTC
Since https://github.com/opencontainers/runc/issues/1229 mentions the

   docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --rm -ti fedora:26 bash

failure might be a kernel issue, also noting that on Fedora 27 the kernel is

kernel-4.16.6-202.fc27.x86_64

and on Fedora 28 where it fails as well, the version is

kernel-4.16.7-300.fc28.x86_64.

Comment 14 Ben Cotton 2018-11-27 15:46:28 UTC
This message is a reminder that Fedora 27 is nearing its end of life.
On 2018-Nov-30  Fedora will stop maintaining and issuing updates for
Fedora 27. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 27 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed, as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 15 Daniel Walsh 2018-11-27 16:14:40 UTC
Jan, is this still an issue in F29?

Comment 16 Jan Pazdziora 2018-12-13 13:08:24 UTC
Yes:

docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro --rm -i fedora:29 id
container_linux.go:247: starting container process caused "process_linux.go:364: container init caused \"rootfs_linux.go:54: mounting \\\"/sys/fs/cgroup\\\" to rootfs \\\"/var/lib/docker/808080.808080/overlay2/7f4c1245c4b69fc347bbee00f6a99975c8d58e808c0fe4dc3d9510d485064d65/merged\\\" at \\\"/var/lib/docker/808080.808080/overlay2/7f4c1245c4b69fc347bbee00f6a99975c8d58e808c0fe4dc3d9510d485064d65/merged/sys/fs/cgroup\\\" caused \\\"operation not permitted\\\"\""
/usr/bin/docker-current: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:364: container init caused \"rootfs_linux.go:54: mounting \\\"/sys/fs/cgroup\\\" to rootfs \\\"/var/lib/docker/808080.808080/overlay2/7f4c1245c4b69fc347bbee00f6a99975c8d58e808c0fe4dc3d9510d485064d65/merged\\\" at \\\"/var/lib/docker/808080.808080/overlay2/7f4c1245c4b69fc347bbee00f6a99975c8d58e808c0fe4dc3d9510d485064d65/merged/sys/fs/cgroup\\\" caused \\\"operation not

Comment 18 Ben Cotton 2019-10-31 20:19:20 UTC
This message is a reminder that Fedora 29 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 29 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed, as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 19 Jan Pazdziora 2019-11-01 11:49:21 UTC
The issue still seems present on Fedora 30.

Comment 21 Daniel Walsh 2019-11-01 12:11:56 UTC
I think we should be concentrating on cgroup V2 here, perhaps on Fedora 31.

Comment 22 Daniel Walsh 2019-11-01 12:12:47 UTC
We are never going to fix this on Docker, so switched to Podman.

Comment 23 Jan Pazdziora 2019-11-01 12:42:26 UTC
Feel free to close this bugzilla as WONTFIX for docker.

For podman, I'm not sure what the equivalent of adding --userns-remap=default to OPTIONS in /etc/sysconfig/docker would be. With podman-1.6.2-2.fc30.x86_64 I've tried

podman run -v /sys/fs/cgroup:/sys/fs/cgroup --rm -i --subuidname=dockremap --subgidname=dockremap registry.fedoraproject.org/fedora:30 id

but I get

Error: container_linux.go:346: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/sys/fs/cgroup\\\" to rootfs \\\"/var/lib/containers/storage/overlay/0864d3e223ad7849fd38a076e2c7960db0fdaf3d365cf305cd3c65f524d79cfc/merged\\\" at \\\"/var/lib/containers/storage/overlay/0864d3e223ad7849fd38a076e2c7960db0fdaf3d365cf305cd3c65f524d79cfc/merged/sys/fs/cgroup\\\" caused \\\"operation not permitted\\\"\"": OCI runtime permission denied error

Comment 24 Jan Pazdziora 2019-11-01 12:49:33 UTC
OTOH,

podman run --systemd=always --rm -i --subuidname=dockremap --subgidname=dockremap registry.fedoraproject.org/fedora:30 sleep 60

runs fine.

Comment 26 Daniel Walsh 2019-11-01 14:12:47 UTC
Volume mounting in /sys/fs/cgroup would not be writable from a user namespace. Perhaps since we are mounting the cgroup from inside of podman, it gets different permissions.

Comment 27 Daniel Walsh 2020-09-11 20:06:03 UTC
Is this still an issue? We are not working on it.

Comment 28 Jan Pazdziora 2020-09-12 14:55:28 UTC
Things look good with podman-2.0.6-1.fc32.x86_64.

