Description of problem:
podman bind mounts from host filesystem are failing

Version-Release number of selected component (if applicable):
podman-0.4.1-1.gitb51d327.fc28.x86_64 (also tested 0.5.1 from koji, 0.5.2 from master)
container-selinux-2.55-1.fc28.noarch

How reproducible:
Always

Steps to Reproduce:
1. /usr/bin/podman run -v /volumes/test/home:/home:z --name=david_tin --entrypoint /sbin/init fedora:28
2.
3.

Actual results:
container create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"process_linux.go:385: running prestart hook 1 caused \\\"error running hook: exit status 1, stdout: , stderr: \\\"\""

Expected results:
container successfully running with bind mount

Additional info:

    May 05 12:16:24 localhost.localdomain oci-systemd-hook[26363]: systemdhook <debug>: acb269681f2b: rootfs=/var/lib/containers/storage/overlay/2eb538c34dd0e18f0626870ba9f2b78113c6e16f6871512422c933ce7e16f49d/merged
    May 05 12:16:24 localhost.localdomain oci-systemd-hook[26363]: systemdhook <debug>: acb269681f2b: gidMappings not found in config
    May 05 12:16:24 localhost.localdomain oci-systemd-hook[26363]: systemdhook <debug>: acb269681f2b: GID: 0
    May 05 12:16:24 localhost.localdomain oci-systemd-hook[26363]: systemdhook <debug>: acb269681f2b: uidMappings not found in config
    May 05 12:16:24 localhost.localdomain oci-systemd-hook[26363]: systemdhook <debug>: acb269681f2b: UID: 0
    May 05 12:16:24 localhost.localdomain oci-systemd-hook[26363]: systemdhook <error>: acb269681f2b: Failed to move mount /tmp/ocitmp.gGtQXQ to /var/lib/containers/storage/overlay/2eb538c34dd0e18f0626870ba9f2b78113c6e16f6871512422c933ce7e16f49d/merged/run: Invalid argument
    May 05 12:16:24 localhost.localdomain oci-systemd-hook[26371]: systemdhook <error>: acb269681f2b: pid not found in state: Success
    May 05 12:16:24 localhost.localdomain conmon[26338]: conmon <error>: Failed to create container: exit status 1
    May 05 12:16:24 localhost.localdomain audit: NETFILTER_CFG table=filter family=2 entries=178
    May 05 12:16:24 localhost.localdomain audit: NETFILTER_CFG table=nat family=2 entries=119
    May 05 12:16:24 localhost.localdomain audit: NETFILTER_CFG table=nat family=2 entries=121

No avc errors
oci-systemd-hook-0.1.15-1.git2d0b8a3.fc28.x86_64 oci-register-machine-0-6.1.git66fa845.fc28.x86_64 oci-umount-2.3.4-1.git87f9237.fc28.x86_64
Same issue with oci-systemd-hook-1:0.1.16-1.git05bd9a0.fc28.x86_64 from koji
oci-systemd-hook[8728]: systemdhook <error>: b512bbcd7aba: Failed to move mount /tmp/ocitmp.cR8CwC to /var/lib/containers/storage/overlay/6ab3df626ea9635786d8d5615d41f4c9124c349e42e37f558ecd7235d7bf8c3b/merged/run: Invalid argument
Even just simulating the change (moving a tmpfs mount to .../merged/run) gives the error.

my_mount.c:

    #include <stdio.h>
    #include <sys/mount.h>

    /* Move the mount at argv[1] onto argv[2] with MS_MOVE. */
    int main(int argc, char **argv)
    {
        if (argc != 3) {
            fprintf(stderr, "usage: %s <source> <target>\n", argv[0]);
            return 1;
        }
        if (mount(argv[1], argv[2], "", MS_MOVE, "") == -1) {
            /* No newline here, so perror's text follows on the same line. */
            fprintf(stderr, "Failed to move mount %s to %s", argv[1], argv[2]);
            perror("Error");
            return -1;
        }
        return 0;
    }

    ./my_mount /tmp/ocitmp.D6swZ5 /var/lib/containers/storage/overlay/6ab3df626ea9635786d8d5615d41f4c9124c349e42e37f558ecd7235d7bf8c3b/merged/run
    Failed to move mount /tmp/ocitmp.D6swZ5 to /var/lib/containers/storage/overlay/6ab3df626ea9635786d8d5615d41f4c9124c349e42e37f558ecd7235d7bf8c3b/merged/runError: Invalid argument

    mount | grep oci
    tmpfs on /tmp/ocitmp.D6swZ5 type tmpfs (rw,nosuid,nodev,relatime,context="system_u:object_r:container_file_t:s0:c500,c974",size=65536k,mode=755)
    tmpfs on /tmp/ocitmp.D6swZ5/.containerenv type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
    tmpfs on /tmp/ocitmp.D6swZ5/secrets type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
https://www.spinics.net/lists/util-linux-ng/msg12121.html
Related to /tmp being mounted shared - but this is an all Fedora setup so I wonder whether this was taken into consideration when putting ocitmp.XXXXX into /tmp

    # findmnt -o TARGET,PROPAGATION /tmp
    TARGET PROPAGATION
    /tmp   shared
    # mount --make-private /tmp

    ./my_mount /tmp/ocitmp.D6swZ5 /volumes/test/run

works!
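Added example, not part of the original comment or of oci-systemd-hook: mount(2) lists EINVAL for MS_MOVE when the parent mount of the source has shared propagation, which matches the shared /tmp found above. This C program reads mountinfo text and reports whether the parent of a given mount point is shared; parent_is_shared, SAMPLE and the mount IDs in the sample are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mountinfo sample: /tmp is shared (as on the reporter's host), /srv is private. */
static const char SAMPLE[] =
    "22 1 253:0 / / rw,relatime shared:1 - ext4 /dev/root rw\n"
    "40 22 0:38 / /tmp rw,nosuid,nodev shared:18 - tmpfs tmpfs rw\n"
    "41 22 0:39 / /srv rw,relatime - tmpfs tmpfs rw\n"
    "95 40 0:52 / /tmp/ocitmp.D6swZ5 rw,nosuid,nodev - tmpfs tmpfs rw,size=65536k\n"
    "96 41 0:53 / /srv/ocitmp.test rw,nosuid,nodev - tmpfs tmpfs rw,size=65536k\n";

/* Returns 1 if the parent mount of `source` is shared (MS_MOVE fails with EINVAL),
 * 0 if it is not shared, -1 if `source` or its parent is not listed in `info`.
 * Line format: ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional fields] - FSTYPE ... */
int parent_is_shared(const char *info, const char *source)
{
    int want = -1;
    for (int pass = 0; pass < 2; pass++) {
        for (const char *p = info; *p; ) {
            char line[1024], mnt[256];
            int id, parent, off = 0;
            size_t n = strcspn(p, "\n");
            snprintf(line, sizeof line, "%.*s", (int)n, p);
            p += n + (p[n] == '\n');
            if (sscanf(line, "%d %d %*s %*s %255s %*s%n", &id, &parent, mnt, &off) != 3)
                continue;
            if (pass == 0 && strcmp(mnt, source) == 0)
                want = parent;          /* the last matching entry is the visible mount */
            if (pass == 1 && id == want) {
                const char *sep = strstr(line + off, " - ");
                const char *tag = strstr(line + off, " shared:");
                return tag != NULL && (sep == NULL || tag < sep);  /* only before " - " */
            }
        }
        if (want < 0)
            return -1;
    }
    return -1;
}

int main(int argc, char **argv)
{
    static char buf[1 << 18];   /* usage: ./check SOURCE < /proc/self/mountinfo */
    const char *src = argc > 1 ? argv[1] : "/tmp/ocitmp.D6swZ5";
    if (argc > 1)
        buf[fread(buf, 1, sizeof buf - 1, stdin)] = '\0';
    printf("%s: parent shared = %d\n", src, parent_is_shared(argc > 1 ? buf : SAMPLE, src));
    return 0;
}
```

Run without arguments it evaluates the constructed sample. Mount points containing spaces appear octal-escaped in mountinfo and must be passed in that form.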
Setting /tmp to `private` is only a temporary fix. The container can start/stop twice, then it runs into issues where cgroups do not seem to be properly cleaned up.

Upstream: https://github.com/projectatomic/libpod/issues/730
oci-systemd-hook-0.1.17-3.gitbd86a79.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-cce6f4f53d
oci-systemd-hook-0.1.17-3.gitbd86a79.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-cce6f4f53d
oci-systemd-hook-0.1.17-3.gitbd86a79.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.