Description of problem:
The libseccomp is 2.4.3-1 both on newest RHEL-8.3 and RHEL-8.4, and
the fuse-overlayfs is 1.3.0-2 inside the buildah-container-8.3-22,
this bug hasn't been fixed yet.
[root@kvm-07-guest35 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)
[root@kvm-07-guest35 ~]# rpm -q libseccomp podman runc
libseccomp-2.4.3-1.el8.x86_64
podman-2.2.1-7.module+el8.3.1+9857+68fb1526.x86_64
runc-1.0.0-70.rc92.module+el8.3.1+9857+68fb1526.x86_64
[root@kvm-07-guest35 ~]# podman pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.3-22
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.3-22...
Getting image source signatures
Copying blob 6b536614e8f8 done
Copying blob fdb393d8227c done
Copying blob 7bd57215fc95 done
Copying config 2ac1d7d21c done
Writing manifest to image destination
Storing signatures
2ac1d7d21cb497085a0e937d11e2dba35c885a57a9f20889bbc65c1126dbc2ac
[root@kvm-07-guest35 ~]# podman run --name rhel8-buildah --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.3-22 /bin/bash
[root@aec63aecb7a1 /]# rpm -q buildah fuse-overlayfs containers-common
buildah-1.16.7-4.module+el8.3.1+9857+68fb1526.x86_64
fuse-overlayfs-1.3.0-2.module+el8.3.1+9857+68fb1526.x86_64
containers-common-1.2.0-9.module+el8.3.1+9857+68fb1526.x86_64
[root@aec63aecb7a1 /]# buildah info|grep -iA4 graphoption
"GraphOptions": [
"overlay.imagestore=/var/lib/shared",
"overlay.mount_program=/usr/bin/fuse-overlayfs",
"overlay.mountopt=nodev,metacopy=on"
],
[root@aec63aecb7a1 /]# buildah from registry.access.redhat.com/ubi8
Getting image source signatures
Copying blob cca21acb641a done
Copying blob d9e72d058dc5 done
Copying config 3269c37eae done
Writing manifest to image destination
Storing signatures
ubi8-working-container
[root@aec63aecb7a1 /]# buildah run --isolation=chroot ubi8-working-container ls /
error running subprocess: error bind mounting /dev from host into mount namespace: mkdir /var/tmp/buildah396083642/mnt/rootfs/dev: operation not permitted
exit status 1
ERRO exit status 1
[root@kvm-07-guest32 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.4 Beta (Ootpa)
[root@kvm-07-guest32 ~]# rpm -q libseccomp podman runc
libseccomp-2.4.3-1.el8.x86_64
podman-3.0.0-0.38rc2.module+el8.4.0+9804+5385893b.x86_64
runc-1.0.0-70.rc92.module+el8.4.0+9804+5385893b.x86_64
[root@kvm-07-guest32 ~]# podman pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.3-22
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.3-22...
Getting image source signatures
Copying blob 6b536614e8f8 done
Copying blob fdb393d8227c done
Copying blob 7bd57215fc95 done
Copying config 2ac1d7d21c done
Writing manifest to image destination
Storing signatures
2ac1d7d21cb497085a0e937d11e2dba35c885a57a9f20889bbc65c1126dbc2ac
[root@kvm-07-guest32 ~]# podman run --name rhel8-buildah --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.3-22 /bin/bash
[root@fc429e519662 /]# rpm -q buildah fuse-overlayfs containers-common
buildah-1.16.7-4.module+el8.3.1+9857+68fb1526.x86_64
fuse-overlayfs-1.3.0-2.module+el8.3.1+9857+68fb1526.x86_64
containers-common-1.2.0-9.module+el8.3.1+9857+68fb1526.x86_64
[root@fc429e519662 /]# buildah info|grep -iA4 graphoption
"GraphOptions": [
"overlay.imagestore=/var/lib/shared",
"overlay.mount_program=/usr/bin/fuse-overlayfs",
"overlay.mountopt=nodev,metacopy=on"
],
[root@fc429e519662 /]# buildah from registry.access.redhat.com/ubi8
Getting image source signatures
Copying blob cca21acb641a done
Copying blob d9e72d058dc5 done
Copying config 3269c37eae done
Writing manifest to image destination
Storing signatures
ubi8-working-container
[root@fc429e519662 /]# buildah run --isolation=chroot ubi8-working-container ls /
error running subprocess: error bind mounting /dev from host into mount namespace: mkdir /var/tmp/buildah955304116/mnt/rootfs/dev: operation not permitted
exit status 1
ERRO exit status 1
Reply from Giuseppe Scrivano:
The issue seems to be an old libseccomp that doesn't know about these
new syscalls.
I've installed libseccomp-2.5.0 (from RHEL 9 builds) on the machine and
now the container works fine.
We need libseccomp-2.5.0 as the version on RHEL 8 misses the definition
for openat2 as well as some other ones, so they are ignored even if
defined in the seccomp.json profile.
Version-Release number of selected component (if applicable):
libseccomp-2.4.x
How reproducible:
always
Steps to Reproduce:
as noted above and in bug #1921863
Actual results:
fails
Expected results:
runs
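One way to check a host for the condition described in the reply above, as an added example that is not part of the original bug report or of any project's code: it lists the syscall names in a seccomp.json profile that the installed libseccomp cannot resolve and would therefore ignore. The sample profile and the `old_resolver` stand-in are constructed for illustration; `openat2` is the name the report mentions, `faccessat2` is an assumed second case.

```python
import ctypes
import ctypes.util
import json

SCMP_ERROR = -1  # __NR_SCMP_ERROR: returned for a syscall name the library does not know

def libseccomp_resolver():
    """Return a name -> number resolver backed by the installed libseccomp."""
    path = ctypes.util.find_library("seccomp")
    if path is None:
        raise OSError("libseccomp not found")
    lib = ctypes.CDLL(path)
    lib.seccomp_syscall_resolve_name.argtypes = [ctypes.c_char_p]
    lib.seccomp_syscall_resolve_name.restype = ctypes.c_int
    return lambda name: lib.seccomp_syscall_resolve_name(name.encode())

def unresolved_rules(profile, resolve):
    """Map each rule action to the syscall names that `resolve` cannot resolve."""
    missing = {}
    for rule in profile.get("syscalls", []):
        # Current profiles carry a "names" list; older ones a single "name".
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        for name in names:
            if resolve(name) == SCMP_ERROR:
                missing.setdefault(rule.get("action", "?"), []).append(name)
    return missing

# Constructed sample profile (not the shipped seccomp.json).
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["openat", "openat2", "mkdirat"], "action": "SCMP_ACT_ALLOW"},
    {"name": "faccessat2", "action": "SCMP_ACT_ALLOW"}
  ]
}
""")

# Constructed stand-in for a library that predates the newer syscalls
# (x86_64 numbers), so the check can be exercised without libseccomp.
OLD_TABLE = {"openat": 257, "mkdirat": 258}

def old_resolver(name):
    return OLD_TABLE.get(name, SCMP_ERROR)

if __name__ == "__main__":
    try:
        resolve = libseccomp_resolver()   # real library, if present
    except OSError:
        resolve = old_resolver            # fall back to the constructed table
    print(unresolved_rules(SAMPLE_PROFILE, resolve))
```

To audit a real host, load its profile with `json.load` and pass the result together with `libseccomp_resolver()`; an empty result means every name in the profile is known to the library.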
I'm reproducing this issue (according to gscrivan) on CentOS 8 (glibc-2.28-127.el8, libseccomp-2.4.3-1.el8, podman-2.0.5-5.module_el8.3.0+512+b3b58dca) when running an interactive Fedora 34 (beta) shell. The problem does not reproduce from a non-interactive shell, or using a Fedora 33 container.
[root@cevich]# podman run -it --rm fedora:34 test -r /root/anaconda-ks.cfg; echo $?
0
[root@cevich]# podman run -it --rm fedora:34
[root@b07faa651016 /]# ls -la /root/anaconda-ks.cfg
-rw-------. 1 root root 3453 Feb 17 09:55 /root/anaconda-ks.cfg
[root@b07faa651016 /]# test -r /root/anaconda-ks.cfg
[root@b07faa651016 /]# echo $?
1
[root@b07faa651016 /]# rpm -q glibc
glibc-2.32.9000-29.fc34.x86_64
[root@b07faa651016 /]# exit
exit
[root@cevich]# podman run -it --rm fedora:33 test -r /root/anaconda-ks.cfg; echo $?
0
[root@cevich]# podman run -it --rm fedora:33
[root@10c8edfb69cc /]# ls -la /root/anaconda-ks.cfg
-rw-------. 1 root root 3664 Feb 17 07:48 /root/anaconda-ks.cfg
[root@10c8edfb69cc /]# test -r /root/anaconda-ks.cfg
[root@10c8edfb69cc /]# echo $?
0
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (libseccomp bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2021:1729