Bug 1880987 - ubi8-init rootless fails on RHEL 8.2 with 'No such file or directory' and 'Permission denied'
Summary: ubi8-init rootless fails on RHEL 8.2 with 'No such file or directory' and 'Pe...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Giuseppe Scrivano
QA Contact: Yuhui Jiang
URL:
Whiteboard:
Depends On:
Blocks: 1186913 1823908
Reported: 2020-09-21 10:58 UTC by Anthony Hogbin
Modified: 2024-06-13 23:06 UTC (History)

Fixed In Version: podman-2.1.1 and newer
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-16 14:21:45 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
GitHub containers/podman issue | 7441 | 0 | None | closed | rootless: can't run systemd in a container: Failed to create control group | 2021-02-16 09:16:31 UTC
GitHub containers/podman pull | 7455 | 0 | None | closed | abi: trim init command | 2021-02-16 09:16:32 UTC

Description Anthony Hogbin 2020-09-21 10:58:54 UTC
Description of problem:
======================
- Unable to run ubi8-init as a rootless container;
- The same image works fine as root.

Version-Release number of selected component (if applicable):
==========================================================
- RHEL 8.2.

How reproducible:
=================
- 100% / every time.

Steps to Reproduce:
====================
- Attempt to install as root, and then as rootless.

Actual results:
==============
~~~
[user@rhel8-2 ~]$ podman unshare podman run -it --rm --systemd=true --privileged registry.redhat.io/ubi8-init /sbin/init --log-target=console --log-level=debug
Trying to pull registry.redhat.io/ubi8-init...
Getting image source signatures
Copying blob 8a58a033071f done  
Copying blob c4d668e229cd done  
Copying blob ec1681b6a383 done  
Copying config 33c0991371 done  
Writing manifest to image destination
Storing signatures
systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Red Hat Enterprise Linux 8.2 (Ootpa)!

Set hostname to <792e7dcd3066>.
Initializing machine ID from random generator.
Failed to add address 127.0.0.1 to loopback interface: File exists
Failed to add address ::1 to loopback interface: File exists
Successfully brought loopback interface up
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Found cgroup on /sys/fs/cgroup/systemd, legacy hierarchy
Using cgroup controller name=systemd. File system hierarchy is at /sys/fs/cgroup/systemd/user.slice/user-0.slice/session-1.scope.
Release agent already installed.
Failed to create /user.slice/user-0.slice/session-1.scope/init.scope control group: Permission denied
Failed to allocate manager object: Permission denied
Failed to read pids.max attribute of cgroup root, ignoring: No such file or directory
[!!!!!!] Failed to allocate manager object, freezing.
Freezing execution.
~~~

Expected results:
================
~~~
[user@rhel8-2 ~]# podman run -it --rm --systemd=true --privileged registry.redhat.io/ubi8-init /sbin/init --log-target=console --log-level=debug
systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Red Hat Enterprise Linux 8.2 (Ootpa)!

Set hostname to <54b6c2b00fe5>.
Initializing machine ID from random generator.
Failed to add address 127.0.0.1 to loopback interface: File exists
Failed to add address ::1 to loopback interface: File exists
Successfully brought loopback interface up
Found cgroup on /sys/fs/cgroup/systemd, legacy hierarchy
Using cgroup controller name=systemd. File system hierarchy is at /sys/fs/cgroup/systemd/machine.slice/libpod-54b6c2b00fe55914bcfa5ec60f164a05958e25d9def4d76a0f7735b129c75259.scope.
Release agent already installed.
Controller 'cpu' supported: yes
Controller 'cpuacct' supported: yes
Controller 'cpuset' supported: no
Controller 'io' supported: no
Controller 'blkio' supported: yes
Controller 'memory' supported: yes
Controller 'devices' supported: yes
Controller 'pids' supported: yes
Set up TFD_TIMER_CANCEL_ON_SET timerfd.
Enabling showing of status.
Successfully forked off '(sd-executor)' as PID 6.
Successfully forked off '(direxec)' as PID 7.
Successfully forked off '(direxec)' as PID 8.
Successfully forked off '(direxec)' as PID 9.
Successfully forked off '(direxec)' as PID 10.
Successfully forked off '(direxec)' as PID 11.
Successfully forked off '(direxec)' as PID 12.
Successfully forked off '(direxec)' as PID 13.
/usr/lib/systemd/system-generators/systemd-debug-generator succeeded.
/usr/lib/systemd/system-generators/systemd-system-update-generator succeeded.
/usr/lib/systemd/system-generators/systemd-sysv-generator succeeded.
/usr/lib/systemd/system-generators/systemd-veritysetup-generator succeeded.
/usr/lib/systemd/system-generators/systemd-rc-local-generator succeeded.
/usr/lib/systemd/system-generators/systemd-getty-generator succeeded.
/usr/lib/systemd/system-generators/systemd-fstab-generator succeeded.
(sd-executor) succeeded.
Looking for unit files in (higher priority first):
	/etc/systemd/system.control
	/run/systemd/system.control
	/run/systemd/transient
	/etc/systemd/system
	/run/systemd/system
	/run/systemd/generator
	/usr/lib/systemd/system
Unit type .swap is not supported on this system.
[ AND CONTINUES ON AS EXPECTED ]
~~~

Additional info:
===============
- The expected outcome above is from running the same as root.

Comment 2 Simon Woolsgrove 2020-09-23 11:22:17 UTC
OK, looking further into the issue, we found this is being caused when we run terminals from a GNOME session, e.g. Red Hat Desktop. We are using Citrix VDA to present the desktop; when this starts we're seeing

 env | grep DBUS
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-UwcnNDsyZi,guid=c0def62bf1bd98bfac07cb1a5f234

If we set DBUS_SESSION_BUS_ADDRESS to what you would get with an SSH session, e.g.

env | grep DBUS
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1234567/bus

The container starts systemd/init in rootless mode without issue on the identical system. We are looking into what is causing us to get this session.

Comment 4 Scott McCarty 2020-09-28 14:25:31 UTC
Did you try the following command as root to enable init to be run? 

# setsebool -P container_manage_cgroup 1

Full instructions here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/building_running_and_managing_containers/index#starting_services_within_a_container_using_systemd

Comment 6 Scott McCarty 2020-10-26 17:47:28 UTC
Bump: have we tried setting the SELinux bools?

Comment 7 Devon 2020-11-16 17:16:03 UTC
Hello Scott,

I have a few cases with this issue currently and setting the selinux bools does not seem to help here.

I have also reproduced the behavior and can confirm that behavior. Let me know if anyone needs access to the machine or if you have any questions about this.

Thanks

Comment 8 Simon Woolsgrove 2020-12-03 11:44:19 UTC
So with RHEL 8.3 we get podman-2.0.5-5.module+el8.3.0+8221+97165c3f.x86_64; trying init containers rootless fails even when ensuring we have the SELinux boolean in place and DBUS does not use an abstract socket.


It seems we have now hit https://github.com/containers/podman/issues/6734

Running the workaround 

systemd-run --user --scope podman run -it --rm ubi8-init /sbin/init

does indeed work, but setting this as an alias or getting it to work fully with tools like molecule seems to break other things.
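
The failure in the original report is that systemd inside the container tries to create `init.scope` under the cgroup the shell was started in (`/user.slice/user-0.slice/session-1.scope`), which the unprivileged user cannot write to; the `systemd-run --user --scope` workaround above moves `podman run` into a transient scope under the user manager, which is delegated to the user. The following is an added example, not code from this bug report or from podman: a POSIX sh wrapper that reads the caller's cgroup from /proc/self/cgroup, checks whether that directory is writable, and only then falls back to the workaround. The function names, the heuristic of testing directory writability, and the choice of `/sys/fs/cgroup/systemd` as the legacy mount point are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or from podman): decide whether a
# rootless "podman run --systemd=true" needs the "systemd-run --user --scope"
# workaround, by checking whether the cgroup the caller sits in is writable.
# Function names and the writability heuristic are assumptions of this example.

# Extract the cgroup path from /proc/self/cgroup-style content on stdin.
# Prefers the unified (v2) "0::/path" entry; falls back to the legacy
# "name=systemd" hierarchy entry, which is what the log in this bug shows.
cgroup_path_from_proc() {
    awk -F: '
        $1 == "0" && $2 == "" { v2 = $3 }
        $2 == "name=systemd"  { v1 = $3 }
        END {
            if (v2 != "") print v2
            else if (v1 != "") print v1
        }'
}

# Filesystem root of that hierarchy: unified cgroup v2, or the legacy
# name=systemd mount (assumed at /sys/fs/cgroup/systemd).
cgroup_mount_root() {
    if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
        echo /sys/fs/cgroup
    else
        echo /sys/fs/cgroup/systemd
    fi
}

# Succeeds if cgroup directory $2 under mount root $1 exists and is writable,
# i.e. a container init could create a child scope (init.scope) inside it.
cgroup_dir_writable() {
    dir="$1$2"
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Succeeds when the workaround is needed: the current cgroup is missing or
# not writable, so systemd in the container would hit "Permission denied".
needs_user_scope() {
    ! cgroup_dir_writable "$1" "$2"
}

# Run a rootless systemd container, wrapping in a transient user scope only
# when necessary.  All arguments are passed to "podman run".
run_init_container() {
    path=$(cgroup_path_from_proc < /proc/self/cgroup)
    root=$(cgroup_mount_root)
    if needs_user_scope "$root" "$path"; then
        echo "cgroup $root$path is not writable; using a transient user scope" >&2
        exec systemd-run --user --scope podman run --systemd=true "$@"
    fi
    exec podman run --systemd=true "$@"
}

# Usage: ./rootless-init.sh -it --rm registry.redhat.io/ubi8-init /sbin/init
if [ $# -gt 0 ]; then
    run_init_container "$@"
fi
```

The cgroup shown in the bug's "Actual results" (`/user.slice/user-0.slice/session-1.scope`) is a login-session scope owned by root-managed systemd, so the writability check fails and the wrapper takes the `systemd-run --user --scope` path; a shell already running under the user manager (for example an SSH login whose session bus is at `/run/user/UID/bus`) typically lands in a delegated subtree and runs `podman run` directly. Treat the directory test as a heuristic: it reproduces the symptom in this report, not every way a cgroup can be undelegated.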

Comment 9 Derrick Ornelas 2020-12-03 14:53:58 UTC
Is it more likely that this is something that needs to be changed in podman instead of something that needs to be changed in the container image?

Comment 11 Tom Sweeney 2021-01-05 23:03:44 UTC
Giuseppe, could you take a look at this please as you put together the PR that Derrick mentions in: https://bugzilla.redhat.com/show_bug.cgi?id=1880987#c10

Comment 12 Jindrich Novy 2021-01-06 09:08:26 UTC
Confirming the PR noted in comment #10 is applied in current 8.3.1 podman. Leaving this to Giuseppe to confirm.

Comment 22 errata-xmlrpc 2021-02-16 14:21:45 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0531

Comment 23 Red Hat Bugzilla 2023-09-15 00:48:28 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
