Description of problem:
podman cannot start an exited container if oci-register-machine is enabled

Version-Release number of selected component (if applicable):
podman-0.4.1-1.gitb51d327.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
0. cat /etc/oci-register-machine.conf
# Disable oci-register-machine by setting the disabled field to true
disabled : false
1. podman run --detach --name alice_gold --entrypoint /sbin/init fedora:28
2. podman stop alice_gold
3. podman start alice_gold

Actual results:
unable to start container "e8686e0e54f1": container create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"process_linux.go:385: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stderr: \\\"\"" : internal libpod error

Expected results:
container starts successfully

Additional info:
Set disable: true and it works

ausearch -m avc --start recent
----
time->Fri May 4 22:49:10 2018
type=AVC msg=audit(1525445350.985:629): avc: denied { syslog_read } for pid=8930 comm="dmesg" scontext=system_u:system_r:container_t:s0:c282,c976 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
----
time->Fri May 4 22:49:10 2018
type=AVC msg=audit(1525445350.985:630): avc: denied { syslog_read } for pid=8930 comm="dmesg" scontext=system_u:system_r:container_t:s0:c282,c976 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

# audit2allow -al

#============= container_t ==============
allow container_t kernel_t:system syslog_read;

#============= systemd_machined_t ==============
allow systemd_machined_t systemd_unit_file_t:service stop;
Any information in the journal?
Enable register machine - encountered a different problem. Some podman actions kill the whole desktop session.

1. Run container: podman run --name alice_gold --entrypoint /sbin/init fedora:28
2. Stop gracefully: podman stop alice_gold
3. Now start again: podman start alice_gold or even podman rm alice_gold

Wow - this can actually kill the whole Wayland desktop; in fact some random podman actions like podman rm kill the whole session. It's like something is confused between the real desktop user session and the podman session. This killed Wayland and sent me back to gdm. In a root console session, this can happen too and dump me back to the login prompt. These session deaths don't happen if register machine is off.

May 05 10:48:59 localhost.localdomain oci-register-machine[11004]: 2018/05/05 10:48:59 Register machine: poststop 330018251ce5deafe9480f2d17885a4636c>
May 05 10:48:59 localhost.localdomain systemd[1]: Stopping User Manager for UID 1050...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem service - GNOME Online Accounts monitor...
May 05 10:48:59 localhost.localdomain systemd[3258]: dbus.service: Failed to kill control group /user.slice/user-1050.slice/user/dbus.se>
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping D-Bus User Message Bus...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem service - digital camera monitor...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Tracker metadata database store and lookup manager...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopped target Default.
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Evolution address book service...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem metadata service...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping sandboxed app permission store...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Sound Service...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem service - Media Transfer Protocol monitor...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem service...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Evolution source registry...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem service - Apple File Conduit monitor...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem service - disk device monitor...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Accessibility services bus...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Evolution calendar service...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopped Virtual filesystem metadata service.
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopped Virtual filesystem service - GNOME Online Accounts monitor.
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopped Virtual filesystem service - Media Transfer Protocol monitor.
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopped sandboxed app permission store.
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopped Virtual filesystem service - digital camera monitor.
May 05 10:48:59 localhost.localdomain gnome-session[3287]: gnome-session-binary[3287]: WARNING: Lost name on bus: org.gnome.SessionManager
May 05 10:48:59 localhost.localdomain gnome-session-binary[3287]: WARNING: Lost name on bus: org.gnome.SessionManager
oci-register-machine disable: false seems to be badly broken :(
Yes, I saw the same thing. A couple of problems I am seeing. The failure of the running of oci-register-machine the second time is caused because, for some reason, when you do a podman stop, it looks like runc is not calling the poststop branch of oci-register-machine to remove the entry in machinectl. Then when you run podman start, oci-register-machine tries to register the container a second time, and fails to realize it is already registered. If you then run the machine in permissive mode after the failure, runc does call the post install script. This reveals a second problem in oci-register-machine's running: it is not running inside the container's cgroup, it is running in the user's cgroup, and systemd tries to kill all processes in the user's cgroup when it calls poststop. For now we need to keep oci-register-machine disabled when running podman. This is pretty broken, and oci-register-machine does not add much value at this time.
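The second problem above (the hook running in the user's cgroup, so that a poststop tearing that cgroup down takes the desktop session with it) is something a practitioner can check for by looking at where a hook process actually lands. The script below is an added example, not code from this bug report, podman or oci-register-machine; it classifies a /proc/<pid>/cgroup file as belonging to a user session or to a container. Assumptions: the systemd hierarchy is the `name=systemd` line (cgroup v1) or the `0::` line (cgroup v2), user sessions live under `/user.slice/user-<uid>.slice`, and containers live under `machine.slice` or a `libpod-*` scope; the sample cgroup contents are constructed.

```shell
#!/bin/sh
# Classify where a process sits in the systemd cgroup tree, given the text of
# its /proc/<pid>/cgroup. Added example; not part of the bug report or podman.

systemd_cgroup_path() {
    # $1 = contents of a /proc/<pid>/cgroup file.
    # cgroup v1: "<id>:name=systemd:<path>"   cgroup v2: "0::<path>"
    printf '%s\n' "$1" | awk -F: '$2 == "name=systemd" || $1 == "0" { print $3; exit }'
}

classify_cgroup() {
    path=$(systemd_cgroup_path "$1")
    case "$path" in
        */user.slice/user-*.slice/*) echo "user-session" ;;
        */machine.slice/*|*/libpod-*) echo "container" ;;
        *) echo "other" ;;
    esac
}

warn_if_session_at_risk() {
    # Returns 1 when the process is in a user session cgroup: a poststop that
    # stops that cgroup would kill the whole desktop session, as in the journal.
    case "$(classify_cgroup "$1")" in
        user-session) echo "WARNING: hook runs in the user's session cgroup" >&2; return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample: a hook that inherited the desktop user's cgroup
# (UID 1050 is the user manager being stopped in the journal above).
HOOK_IN_USER_SESSION='12:pids:/user.slice/user-1050.slice/user@1050.service
1:name=systemd:/user.slice/user-1050.slice/user@1050.service/gnome-terminal-server.service'

# Constructed sample: a process inside the container's own scope.
HOOK_IN_CONTAINER='1:name=systemd:/machine.slice/libpod-deadbeef.scope'

# Constructed sample: cgroup v2 unified hierarchy for a login session.
HOOK_V2_USER='0::/user.slice/user-1050.slice/session-3.scope'

# Check the hook's own placement when run as a hook: $$ is this shell's pid.
warn_if_session_at_risk "$(cat /proc/$$/cgroup 2>/dev/null)" || true
```

Running the script as a prestart or poststop hook reports whether the hook was placed in a user session cgroup rather than the container's; the constructed samples are there so the functions can be exercised without a container runtime.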
podman-0.6.4-1.gitd5beb2f.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5142d70592
podman-0.6.4-1.gitd5beb2f.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2b96ea9fec
podman-0.6.4-1.gitd5beb2f.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5142d70592
podman-0.6.4-1.gitd5beb2f.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2b96ea9fec
podman-0.6.4-1.gitd5beb2f.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
podman-0.6.4-1.gitd5beb2f.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.