Bug 1944473 - [Edge] RHEL-Edge container image failed start with Permission denied error
Summary: [Edge] RHEL-Edge container image failed start with Permission denied error
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: osbuild-composer
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Christian Kellner
QA Contact: Xiaofeng Wang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-03-30 02:19 UTC by Xiaofeng Wang
Modified: 2021-08-12 09:48 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-08-12 09:48:07 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System: GitHub osbuild/osbuild pull 623
Private: 0
Priority: None
Status: open
Summary: stages/oci-archive: include limited set of xattrs
Last Updated: 2021-03-30 11:55:26 UTC

Description Xiaofeng Wang 2021-03-30 02:19:58 UTC
Description of problem:
The RHEL-Edge container image fails to start on RHEL 8.4 when SELinux is enabled, and the container reports a "Permission denied" error.

$ sudo podman ps -a
CONTAINER ID  IMAGE                                   COMMAND               CREATED        STATUS                    PORTS   NAMES
bb75f8cb7597  docker.io/henrywangxf/rhel-edge:latest  httpd -D FOREGROU...  3 seconds ago  Exited (1) 3 seconds ago          rhel-edge
$ sudo podman logs rhel-edge
httpd: Syntax error on line 59 of /etc/httpd/conf/httpd.conf: Could not open config directory /etc/httpd/conf.modules.d: Permission denied

This issue can be found on OCP4 as well with the same error message.

If the container image is run on Fedora 33, or SELinux is disabled on the host (RHEL 8.4), things work well.

Version-Release number of selected component (if applicable):
osbuild-composer-worker-28.3-1.el8.x86_64
osbuild-composer-28.3-1.el8.x86_64
osbuild-selinux-27-1.el8.noarch
python3-osbuild-27-1.el8.noarch
osbuild-ostree-27-1.el8.noarch
osbuild-composer-core-28.3-1.el8.x86_64
osbuild-27-1.el8.noarch

How reproducible:

Steps to Reproduce:
1. Install osbuild*
2. Configure blueprint in container.toml
$ cat container.toml
name = "container"
description = "A base rhel-edge container image"
version = "0.0.1"
modules = []
groups = []
3. Push container.toml
$ sudo composer-cli blueprints push container.toml
4. Check package dependencies
$ sudo composer-cli blueprints depsolve container
5. Build image
$ sudo composer-cli compose start-ostree container rhel-edge-container
6. Wait until it's FINISHED
$ sudo composer-cli compose status
7. Download image
$ sudo composer-cli compose image e4fa3a99-11f4-4035-971c-fbc58c49725c
8. Upload image to docker.io or import it locally
$ skopeo copy --dest-creds username:password oci-archive:e4fa3a99-11f4-4035-971c-fbc58c49725c-rhel84-container.tar docker://docker.io/username/rhel-edge:latest
or
$ sudo podman pull "oci-archive:e4fa3a99-11f4-4035-971c-fbc58c49725c-rhel84-container.tar"
9. Run image
$ sudo podman run -d --name rhel-edge --network host docker.io/henrywangxf/rhel-edge:latest
or
$ sudo podman run -d --name rhel-edge --network host <image id>

Actual results:
$ sudo podman ps -a
CONTAINER ID  IMAGE                                   COMMAND               CREATED        STATUS                    PORTS   NAMES
bb75f8cb7597  docker.io/henrywangxf/rhel-edge:latest  httpd -D FOREGROU...  3 seconds ago  Exited (1) 3 seconds ago          rhel-edge
$ sudo podman logs rhel-edge
httpd: Syntax error on line 59 of /etc/httpd/conf/httpd.conf: Could not open config directory /etc/httpd/conf.modules.d: Permission denied

Expected results:
Run container successfully

Additional info:

Comment 1 Christian Kellner 2021-03-30 11:55:27 UTC
Even though we specify `--no-selinux`, it seems that selinux found its way into the extended attributes (probably via `--xattrs`). A patch to fix the issue is proposed at https://github.com/osbuild/osbuild/pull/623
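The reproduction steps above end with a layer that carries the build host's SELinux labels, and Comment 1 attributes the failure to those labels reaching the image's extended attributes. The following added example (not osbuild's code; the allowlist, file paths and label values are constructed for illustration) shows how xattrs travel inside a layer tar as PAX `SCHILY.xattr.*` records, how to scan a layer for leaked `security.selinux` labels before pushing it, and how rewriting the layer with only an allowlisted set of xattrs removes them.

```python
import io
import tarfile

XATTR_PREFIX = "SCHILY.xattr."  # PAX record name tar uses for extended attributes
# Assumed allowlist for this example only; the osbuild patch chooses its own set.
ALLOWED_XATTRS = {"security.capability"}

def build_layer(files):
    """Build an in-memory PAX tar from {path: (content, {xattr: value})}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for path, (content, xattrs) in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.pax_headers = {XATTR_PREFIX + k: v for k, v in xattrs.items()}
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def find_xattrs(layer):
    """Return {path: {xattr: value}} for every member carrying xattrs."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(layer)) as tar:
        for m in tar:
            attrs = {k[len(XATTR_PREFIX):]: v for k, v in m.pax_headers.items()
                     if k.startswith(XATTR_PREFIX)}
            if attrs:
                found[m.name] = attrs
    return found

def leaked_selinux_labels(layer):
    # Paths whose build-host SELinux label was baked into the layer.
    return sorted(p for p, a in find_xattrs(layer).items() if "security.selinux" in a)

def strip_xattrs(layer):
    """Rewrite the layer keeping only ALLOWED_XATTRS (the mitigation side)."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(layer)) as src, \
            tarfile.open(fileobj=out, mode="w", format=tarfile.PAX_FORMAT) as dst:
        for m in src:
            m.pax_headers = {k: v for k, v in m.pax_headers.items() if not
                             k.startswith(XATTR_PREFIX) or k[len(XATTR_PREFIX):] in ALLOWED_XATTRS}
            dst.addfile(m, src.extractfile(m) if m.isreg() else None)
    return out.getvalue()

def sample_layer():
    """Constructed layer: the httpd config file carries a leaked SELinux label."""
    return build_layer({
        "etc/httpd/conf.modules.d/00-base.conf": (b"LoadModule ...\n",
            {"security.selinux": "system_u:object_r:httpd_config_t:s0"}),
        "usr/bin/ping": (b"\x7fELF", {"security.capability": "cap_net_raw+ep"}),
        "etc/hostname": (b"rhel-edge\n", {})})
```

To check a real OCI archive, run `find_xattrs` over each `blobs/sha256/<digest>` layer tar extracted from the archive (gzip-compressed layers are handled by `tarfile.open` transparently).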

Comment 2 Xiaofeng Wang 2021-03-31 06:33:53 UTC
Verified.
python3-osbuild-27-1.20210330gitf119243.20210330gitf119243.el8.noarch
osbuild-composer-core-28.3-1.el8.x86_64
osbuild-selinux-27-1.20210330gitf119243.20210330gitf119243.el8.noarch
osbuild-ostree-27-1.20210330gitf119243.20210330gitf119243.el8.noarch
osbuild-composer-28.3-1.el8.x86_64
osbuild-27-1.20210330gitf119243.20210330gitf119243.el8.noarch
osbuild-composer-worker-28.3-1.el8.x86_64

[cloud-user@new-rhel-8-4 ~]$ sudo podman pull "oci-archive:51ec99b2-2614-4996-990d-49460e96649d-rhel84-container.tar"
Getting image source signatures
Copying blob 1620ce53176f done
Copying config 7ff08ec73c done
Writing manifest to image destination
Storing signatures
7ff08ec73cd429d6a563503c903a48c2d2dafe08bb4211c1262ebf4f15500cbe

[cloud-user@new-rhel-8-4 ~]$ sudo podman images
REPOSITORY  TAG     IMAGE ID      CREATED        SIZE
<none>      <none>  7ff08ec73cd4  7 minutes ago  1.26 GB

[cloud-user@new-rhel-8-4 ~]$ sudo podman run -d --name rhel-edge --network host 7ff08ec73cd4
5a7f1f99a00a17de59052db5977ffad194c74974cb8df2a524407033efb39f3b

[cloud-user@new-rhel-8-4 ~]$ sudo podman ps -a
CONTAINER ID  IMAGE         COMMAND               CREATED        STATUS            PORTS   NAMES
5a7f1f99a00a  7ff08ec73cd4  httpd -D FOREGROU...  4 seconds ago  Up 5 seconds ago          rhel-edge

[cloud-user@new-rhel-8-4 ~]$ curl http://192.168.100.1/repo/refs/heads/rhel/8/x86_64/edge
cabb3b524564bb7012c144d6f2050bfee4a8e38492f3a8490e001cdf1a6640e1

Comment 3 Xiaofeng Wang 2021-04-02 11:02:39 UTC
Verified on
python3-osbuild-27.1-1.el8.noarch
osbuild-composer-worker-28.3-1.el8.x86_64
osbuild-27.1-1.el8.noarch
osbuild-composer-core-28.3-1.el8.x86_64
osbuild-composer-28.3-1.el8.x86_64
osbuild-ostree-27.1-1.el8.noarch
osbuild-selinux-27.1-1.el8.noarch

[cloud-user@new-rhel-8-4 ~]$ sudo composer-cli compose status
7e3aa505-1472-44a5-936c-23e122081310 FINISHED Thu Apr  1 23:35:48 2021 container       0.0.1 rhel-edge-container

[cloud-user@new-rhel-8-4 ~]$ sudo composer-cli compose image 7e3aa505-1472-44a5-936c-23e122081310
7e3aa505-1472-44a5-936c-23e122081310-rhel84-container.tar: 782.79 MB

[cloud-user@new-rhel-8-4 ~]$ skopeo copy oci-archive:7e3aa505-1472-44a5-936c-23e122081310-rhel84-container.tar docker://quay.io/xiaofwan/rhel-edge:latest
Getting image source signatures
Copying blob addaa19507ad done
Copying config 982d206d0f done
Writing manifest to image destination
Copying config 982d206d0f [======================================] 471.0b / 471.0b
Writing manifest to image destination
Storing signatures

[cloud-user@new-rhel-8-4 ~]$ sudo podman pull quay.io/xiaofwan/rhel-edge:latest
Trying to pull quay.io/xiaofwan/rhel-edge:latest...
Getting image source signatures
Copying blob addaa19507ad done
Copying config 982d206d0f done
Writing manifest to image destination
Storing signatures
982d206d0f470e1ce0f1380309efa5c2d47857c6bb1bee3c81b8ee9210b08cfc

[cloud-user@new-rhel-8-4 ~]$ sudo podman images
REPOSITORY                  TAG     IMAGE ID      CREATED      SIZE
quay.io/xiaofwan/rhel-edge  latest  982d206d0f47  7 hours ago  1.26 GB
<none>                      <none>  f4f290da2ecc  3 days ago   1.25 GB

[cloud-user@new-rhel-8-4 ~]$ sudo podman run -d --name rhel-edge --network host quay.io/xiaofwan/rhel-edge:latest
3c6c43e3d839e347687d88e70229c6b2a03ead1f33122c528e944ee465596f4e

[cloud-user@new-rhel-8-4 ~]$ sudo podman ps -a
CONTAINER ID  IMAGE                              COMMAND               CREATED        STATUS            PORTS   NAMES
3c6c43e3d839  quay.io/xiaofwan/rhel-edge:latest  httpd -D FOREGROU...  3 seconds ago  Up 3 seconds ago          rhel-edge

[cloud-user@new-rhel-8-4 ~]$ curl http://192.168.100.1/repo/refs/heads/rhel/8/x86_64/edge
efd2d3c1ae577323c700d0a275c66928e23e6209ef078e22d98ec20772fb12b0

[cloud-user@new-rhel-8-4 ~]$ getenforce
Enforcing

Comment 4 Ondřej Budai 2021-08-12 09:48:07 UTC
I believe that these packages are already shipped in RHEL 8.4, therefore I'm closing this bug. Feel free to reopen if I'm wrong.