Bug 1866833 - Podman 1.9.3 fails to run container when /etc/security/limits.conf is used
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.2
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: 8.0
Assignee: Jindrich Novy
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1186913 1804543
Reported: 2020-08-06 14:10 UTC by Anthony Hogbin
Modified: 2023-12-15 18:45 UTC

Fixed In Version: podman-2.0.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 03:06:49 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4694 0 None None None 2020-11-04 03:07:47 UTC

Description Anthony Hogbin 2020-08-06 14:10:03 UTC
Description of problem:
=======================
When /etc/security/rlimits.conf are set, podman will not run containers as a user / rootless. It will continue to run containers as the root user. This problem has been noted upgrading to the current release.


Version-Release number of selected component (if applicable):
=============================================================
Name : podman
Version : 1.9.3
Release : 2.module+el8.2.1+6867+366c07d6
Architecture : x86_64
Size : 60 M
Source : podman-1.9.3-2.module+el8.2.1+6867+366c07d6.src.rpm
Repository : @System
From repo : rhel-8-for-x86_64-appstream-rpms


How reproducible:
=================
100%


Steps to Reproduce:
===================
1. Add configuration to /etc/security/limits.conf - for example:
* hard maxlogins 10
* hard core 0
* hard nofile 65536
* soft nofile 32768
* hard nproc 16384
* soft nproc 8192

2. As a non root user, now attempt to run a container.

3. Failure to run container with errors.


Actual results:
===============

[joeqpublic@rhel8-2 ~]$ podman run -it registry.access.redhat.com/ubi8/ubi bash
Trying to pull registry.access.redhat.com/ubi8/ubi...
Getting image source signatures
Copying blob 47db82df7f3f done  
Copying blob 77c58f19bd6e done  
Copying config a1f8c96997 done  
Writing manifest to image destination
Storing signatures
Error: container_linux.go:349: starting container process caused "process_linux.go:449: container init caused \"process_linux.go:378: setting rlimits for ready process caused \\\"error setting rlimit type 6: invalid argument\\\"\"": OCI runtime error


Expected results:
=================

[joeqpublic@rhel8-2 ~]$ podman run -it registry.access.redhat.com/ubi8/ubi bash
[root@28c1c2edb3ee /]# 


Additional info:
================
This GitHub issue seems to match https://github.com/containers/podman/issues/6389

$ cat /etc/security/limits.conf | egrep '^\*'
* hard maxlogins 10
* hard core 0
* hard nofile 65536
* soft nofile 32768
* hard nproc 16384
* soft nproc 8192

Fix appears to be

# cp /usr/share/containers/containers.conf /etc/containers.conf

and apply following changes

default_ulimits = [
  "nofile=32769:65536",
  "nproc=8192:16384",
]

podman system migrate

the above podman run command will now work
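
Added example (not part of the original report or of podman's code): a pre-flight check for the default_ulimits workaround above. It parses the `*` entries of limits.conf and predicts, per setrlimit(2), whether each requested soft:hard pair would be accepted (soft above hard gives EINVAL; an unprivileged raise of the hard limit gives EPERM). Assumptions: the function names are hypothetical, limits.conf values are taken as the session's limits, and items absent from the file are treated as unbounded.

```python
import errno

# Linux (asm-generic) resource numbers, as printed in "error setting rlimit type N".
RLIMIT_NAMES = {0: "cpu", 1: "fsize", 2: "data", 3: "stack", 4: "core", 5: "rss",
                6: "nproc", 7: "nofile", 8: "memlock", 9: "as"}

# The wildcard entries quoted in this report.
LIMITS_CONF = """\
* hard maxlogins 10
* hard core 0
* hard nofile 65536
* soft nofile 32768
* hard nproc 16384
* soft nproc 8192
"""

def parse_limits_conf(text, domain="*"):
    """Return {item: {"soft": n, "hard": n}} for one domain of limits.conf."""
    limits = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) != 4 or fields[0] != domain:
            continue
        _, kind, item, value = fields
        n = float("inf") if value in ("unlimited", "infinity", "-1") else int(value)
        # A "-" type sets both the soft and the hard limit.
        for k in (("soft", "hard") if kind == "-" else (kind,)):
            limits.setdefault(item, {})[k] = n
    return limits

def parse_ulimit(spec):
    """Split a containers.conf default_ulimits entry such as "nproc=8192:16384"."""
    name, _, values = spec.partition("=")
    soft, _, hard = values.partition(":")
    return name, int(soft), int(hard or soft)

def check_ulimit(spec, limits, privileged=False):
    """Predict the setrlimit(2) result (0 or an errno) for spec within limits."""
    name, soft, hard = parse_ulimit(spec)
    if soft > hard:
        return errno.EINVAL      # "invalid argument": soft limit above hard limit
    # Assumption: an item missing from limits.conf has no hard ceiling.
    session_hard = limits.get(name, {}).get("hard", float("inf"))
    if hard > session_hard and not privileged:
        return errno.EPERM       # raising the hard limit needs CAP_SYS_RESOURCE
    return 0
```
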

Comment 2 Tom Sweeney 2020-08-06 20:56:31 UTC
Giuseppe, can you look at this please?

Comment 3 Daniel Walsh 2020-08-07 10:54:20 UTC
Are they having this on newly created containers?

Comment 4 Anthony Hogbin 2020-08-07 13:08:21 UTC
Daniel - I have tested with new - and the issue presents. Yes.

This is not specific to their repo or images.

Using the steps above it can be recreated.

Returning things to as they were and rootless works fine again.

Comment 5 Daniel Walsh 2020-08-07 14:45:25 UTC
Could you look at Fedora and do the same thing, and see if it works in the current release?

Comment 6 Anthony Hogbin 2020-08-14 13:59:05 UTC
@Daniel as requested Fedora 32 Server created, and same procedure to recreate.

There is no issue as shown below:

[ahogbin@fedora32 ~]$ podman run -it registry.access.redhat.com/ubi8/ubi bash
Trying to pull registry.access.redhat.com/ubi8/ubi...
Getting image source signatures
Copying blob 77c58f19bd6e done  
Copying blob 47db82df7f3f done  
Copying config a1f8c96997 done  
Writing manifest to image destination
Storing signatures

[root@713a6824b04b /]# exit

Yum search shows the following podman installed:

Name         : podman
Epoch        : 2
Version      : 2.0.4
Release      : 1.fc32
Architecture : x86_64
Size         : 50 M
Source       : podman-2.0.4-1.fc32.src.rpm

Comment 7 Daniel Walsh 2020-08-17 14:47:39 UTC
This will be fixed in RHEL8.3
podman 2.0.4 or newer.

Comment 8 Tom Sweeney 2020-08-17 19:08:01 UTC
Assigning to Jindrich for any further packaging needs.  Jindrich please also change the status of the BZ if necessary.

Comment 12 Alex Jia 2020-08-25 16:51:38 UTC
I can reproduce this bug on podman-1.9.3-2.module+el8.2.1+6867+366c07d6.x86_64,
and verified it on podman-2.0.2-2.module+el8.3.0+7374+9d949f97.x86_64
and podman-2.0.4-3.module+el8.3.0+7716+ce654703.x86_64.


[ajia@hpe-dl380pgen8-02-vm-15 ~]$ rpm -q podman
podman-1.9.3-2.module+el8.2.1+6867+366c07d6.x86_64
[ajia@hpe-dl380pgen8-02-vm-15 ~]$ podman unshare cat /proc/self/uid_map
         0       1001          1
         1     165536      65536
[ajia@hpe-dl380pgen8-02-vm-15 ~]$ podman run -it registry.access.redhat.com/ubi8/ubi bash
Error: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: process_linux.go:382: setting rlimits for ready process caused: error setting rlimit type 6: invalid argument: OCI runtime error


[ajia@hpe-dl380pgen8-02-vm-15 ~]$ rpm -q podman podman-catatonit
podman-2.0.2-2.module+el8.3.0+7374+9d949f97.x86_64
podman-catatonit-2.0.2-2.module+el8.3.0+7374+9d949f97.x86_64
[ajia@hpe-dl380pgen8-02-vm-15 ~]$ podman unshare cat /proc/self/uid_map
         0       1001          1
         1     165536      65536
[ajia@hpe-dl380pgen8-02-vm-15 ~]$ podman run -it registry.access.redhat.com/ubi8/ubi bash
Trying to pull registry.access.redhat.com/ubi8/ubi...
Getting image source signatures
Copying blob 77c58f19bd6e done
Copying blob 47db82df7f3f done
Copying config a1f8c96997 done
Writing manifest to image destination
Storing signatures
[root@e1197ca55998 /]#


[ajia@hpe-dl380pgen8-02-vm-15 ~]$ rpm -q podman podman-catatonit
podman-2.0.4-3.module+el8.3.0+7716+ce654703.x86_64
podman-catatonit-2.0.4-3.module+el8.3.0+7716+ce654703.x86_64

[ajia@hpe-dl380pgen8-02-vm-15 ~]$ podman run -it registry.access.redhat.com/ubi8/ubi bash
Trying to pull registry.access.redhat.com/ubi8/ubi...
Getting image source signatures
Copying blob 47db82df7f3f done
Copying blob 77c58f19bd6e done
Copying config a1f8c96997 done
Writing manifest to image destination
Storing signatures
[root@a8e39c253e80 /]#

Comment 15 errata-xmlrpc 2020-11-04 03:06:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4694

