Bug 2166195 - Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted
Summary: Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: buildah
Version: 8.8
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Jindrich Novy
QA Contact: Alex Jia
URL:
Whiteboard:
Depends On:
Blocks: 2166225 2178263 2183667
Reported: 2023-02-01 06:04 UTC by Alex Jia
Modified: 2024-03-14 04:25 UTC
CC: 10 users

Fixed In Version: buildah-1.29.1-3.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2166225 2178263 2183667
Environment:
Last Closed: 2023-11-14 15:27:28 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
Github: containers/storage commit 1af3928e9bf16d9c39d3d60bf3ec6bb7167989a6 (last updated 2023-02-03 12:09:10 UTC)
Red Hat Issue Tracker: RHELPLAN-147227 (last updated 2023-02-01 06:05:49 UTC)
Red Hat Product Errata: RHSA-2023:6939 (last updated 2023-11-14 15:28:44 UTC)

Description Alex Jia 2023-02-01 06:04:25 UTC
Description of problem:
It fails to pull an image inside the buildah container and gets an error like this: "Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted"

Version-Release number of selected component (if applicable):
[root@kvm-04-guest12 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.8 Beta (Ootpa)

[root@kvm-04-guest12 ~]# rpm -q podman runc systemd kernel
podman-4.3.1-2.module+el8.8.0+17695+8a9c0c1b.x86_64
runc-1.1.4-1.module+el8.8.0+17695+8a9c0c1b.x86_64
systemd-239-70.el8.x86_64
kernel-4.18.0-453.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. podman run --rm --device /dev/fuse -it registry.XXX/rhel8-buildah:8.8-1
2. buildah from ubi8

Actual results:
[root@kvm-04-guest12 ~]# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-1
[root@b4036ea892bd /]# rpm -q buildah fuse-overlayfs
buildah-1.28.2-2.module+el8.8.0+17695+8a9c0c1b.x86_64
fuse-overlayfs-1.10-1.module+el8.8.0+17695+8a9c0c1b.x86_64
[root@b4036ea892bd /]# buildah --log-level=debug from ubi8
DEBU[0000] Pull Policy for pull [ifnewer]               
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] overlay: imagestore=/var/lib/shared          
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] overlay: imagestore=/var/lib/shared          
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
WARN[0000] failed to shutdown storage: "mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted" 


Expected results:


Additional info:

Comment 1 Alex Jia 2023-02-01 08:16:13 UTC
(In reply to Alex Jia from comment #0)
> Description of problem:
> It's failed to pull image inside the buildah-container and got error like
> this "Error: mount
> /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay,
> flags: 0x1000: operation not permitted"
> 

In fact, it fails to run any buildah command except help inside the buildah container.

[root@b4036ea892bd /]# buildah --log-level=debug info
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] overlay: imagestore=/var/lib/shared          
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] overlay: imagestore=/var/lib/shared          
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
WARN[0000] failed to shutdown storage: "mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted"

Comment 4 Giuseppe Scrivano 2023-02-02 09:13:07 UTC
I think this is fixed in containers/storage by 1af3928e9bf16d9c39d3d60bf3ec6bb7167989a6

Comment 21 Giuseppe Scrivano 2023-03-23 20:09:22 UTC
can you please confirm you don't have CAP_SYS_CHROOT in the container?

Please show me the output for:

podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.7-10 cat /proc/self/status

Also, do you have any /etc/containers/containers.conf file left on the host?

If the capability is added to the default set, I'd expect it to work without having to specify it manually

Comment 22 Alex Jia 2023-03-24 00:13:16 UTC
(In reply to Giuseppe Scrivano from comment #21)
> can you please confirm you don't have CAP_SYS_CHROOT in the container?
> 
> Please show me the output for:
> 
> podman run --rm --device /dev/fuse -it
> registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.7-10 cat
> /proc/self/status

There is no cap_sys_chroot inside rhel8-buildah:8.7-10 when the --cap-add sys_chroot option is not added to the podman command line, on podman-4.4.1-8.module+el8.8.0+18438+15d3aa65.x86_64.

[root@kvm-04-guest20 ~]# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.7-10 cat /proc/self/status|grep -E "^Cap"
CapInh:	0000000000000000
CapPrm:	00000000800025fb
CapEff:	00000000800025fb
CapBnd:	00000000800025fb
CapAmb:	0000000000000000
[root@kvm-04-guest20 ~]# capsh --decode=00000000800025fb
0x00000000800025fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_setfcap

> 
> Also, do you have any /etc/containers/containers.conf file left on the host?

Nope.

[root@kvm-04-guest20 ~]# ls /etc/containers/containers.conf
ls: cannot access '/etc/containers/containers.conf': No such file or directory

[root@kvm-04-guest20 ~]# rpm -qf /etc/containers/containers.conf
containers-common-1-63.module+el8.8.0+18438+15d3aa65.x86_64

BTW, "SYS_CHROOT" is present in /usr/share/containers/containers.conf on containers-common-1-51.module+el8.8.0+17823+c4e3c815.x86_64,
but is not found in /usr/share/containers/containers.conf for containers-common-1-63.module+el8.8.0+18438+15d3aa65.x86_64.

# rpm -q containers-common
containers-common-1-51.module+el8.8.0+17823+c4e3c815.x86_64

# grep -iR sys_chroot /usr/share/containers/
/usr/share/containers/containers.conf:  "SYS_CHROOT"
/usr/share/containers/seccomp.json:					"CAP_SYS_CHROOT"
/usr/share/containers/seccomp.json:					"CAP_SYS_CHROOT"

> 
> If the capability is added to the default set, I'd expect it to work without
> having to specify it manually

Actually, it doesn't work if users don't add the --cap-add sys_chroot option when running the buildah container with podman.

[root@kvm-04-guest20 ~]# podman run --cap-add sys_chroot --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.7-10 cat /proc/self/status|grep -E "^Cap"
CapInh:	0000000000000000
CapPrm:	00000000800425fb
CapEff:	00000000800425fb
CapBnd:	00000000800425fb
CapAmb:	0000000000000000
[root@kvm-04-guest20 ~]# capsh --decode=00000000800425fb
0x00000000800425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_setfcap
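
The check Giuseppe asks for and Alex performs above (read CapEff from /proc/self/status, then capsh --decode) can be done with only a POSIX shell and awk, which is useful inside a minimal build image where capsh is not installed. The script below is an added example and is not part of the bug report or of the podman/buildah tooling; the status text is a constructed sample built from the values Alex posted, and the bit-to-name table is the one from <linux/capability.h> (bit 18 is CAP_SYS_CHROOT, bit 31 is CAP_SETFCAP, which is why the masks above start with 0x8000). For reference, the flags value 0x1000 in the original error is MS_BIND from <sys/mount.h>, so the operation being refused is a bind mount.

```shell
#!/bin/sh
# Added example: decode a Linux capability bitmask as printed in
# /proc/<pid>/status, without capsh, and test for one capability.
# Bit-to-name table from <linux/capability.h>: position = bit number, bit 0 first.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon
bpf checkpoint_restore"

# cap_decode HEXMASK: print cap_* names of every set bit, lowest bit first,
# comma-separated, in the same order capsh --decode prints them.
cap_decode() {
    mask=$(( 0x$1 ))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out}${out:+,}cap_${name}"
        fi
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "$out"
}

# cap_eff_from_status STATUS_TEXT: hex mask from the CapEff: line of a
# /proc/<pid>/status dump (the effective set is what the process can use now).
cap_eff_from_status() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2; exit }'
}

# has_cap HEXMASK cap_name: exit 0 if that capability bit is set, 1 otherwise.
has_cap() {
    case ",$(cap_decode "$1")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample: the Cap* lines Alex posted for the container started
# without --cap-add sys_chroot.
SAMPLE_STATUS='Name: cat
CapInh: 0000000000000000
CapPrm: 00000000800025fb
CapEff: 00000000800025fb
CapBnd: 00000000800025fb
CapAmb: 0000000000000000'

main() {
    eff=$(cap_eff_from_status "$SAMPLE_STATUS")
    printf 'CapEff %s = %s\n' "$eff" "$(cap_decode "$eff")"
    if has_cap "$eff" cap_sys_chroot; then
        echo "cap_sys_chroot present: chroot(2) is allowed in this container"
    else
        echo "cap_sys_chroot missing: chroot(2) will fail with EPERM"
    fi
}
main
```

Inside a running container replace the constructed sample with `cap_eff_from_status "$(cat /proc/self/status)"`. CapEff is the set to test, not CapBnd: a capability can be in the bounding set yet absent from the effective set, and only the effective set decides whether chroot(2) succeeds.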

Comment 23 Giuseppe Scrivano 2023-03-25 10:27:45 UTC
Thanks!

Please show the entire content of /usr/share/containers/containers.conf

What error do you get if you don't add sys_chroot?

# podman run --rm -it fedora cat /proc/self/status|grep -E "^Cap"

Comment 25 Giuseppe Scrivano 2023-03-28 07:22:40 UTC
that seems like the expected result given there is no sys_chroot in the default_capabilities in the file you showed above.

I see:

default_capabilities = [
  "NET_RAW",
  "CHOWN",
  "DAC_OVERRIDE",
  "FOWNER",
  "FSETID",
  "KILL",
  "NET_BIND_SERVICE",
  "SETFCAP",
  "SETGID",
  "SETPCAP",
  "SETUID",
]

If we want to have that capability without adding it explicitly on the command line, then we must ensure it is listed in the default_capabilities:

default_capabilities = [
  "NET_RAW",
  "CHOWN",
  "DAC_OVERRIDE",
  "FOWNER",
  "FSETID",
  "KILL",
  "NET_BIND_SERVICE",
  "SETFCAP",
  "SETGID",
  "SETPCAP",
  "SETUID",
  "SYS_CHROOT"
]

@Jindrich, could we add it as a RHEL-only patch?
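
Giuseppe's diagnosis above reduces to one question: does the containers.conf that podman actually reads list SYS_CHROOT in default_capabilities? Two things make a plain grep (as in comment 22) misleading: /etc/containers/containers.conf overrides /usr/share/containers/containers.conf, which is why a leftover file in /etc matters, and upstream templates ship the whole default_capabilities array commented out with '#', so grep can match text that grants nothing. The script below is an added example, not part of the bug report or of the containers-common package: it parses the array with TOML comments stripped and reports whether a given capability will be granted. The three config texts are constructed samples modelled on the lists quoted in this comment.

```shell
#!/bin/sh
# Added example: read default_capabilities from a containers.conf text,
# ignoring commented-out entries, and say whether a capability is granted.

# conf_default_caps CONF_TEXT: print one name per line from the (possibly
# multi-line) default_capabilities = [ ... ] array. Everything after '#' is
# a TOML comment and is removed before matching, so a commented-out template
# list is not mistaken for a live setting.
conf_default_caps() {
    printf '%s\n' "$1" | awk '
        { i = index($0, "#"); if (i) $0 = substr($0, 1, i - 1) }
        /^[[:space:]]*default_capabilities[[:space:]]*=/ { inlist = 1 }
        inlist {
            line = $0
            while (match(line, /"[A-Za-z_]+"/)) {
                print substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            if (index($0, "]")) inlist = 0
        }'
}

# conf_grants CONF_TEXT CAPNAME: exit 0 if CAPNAME (any case, with or without
# a CAP_ prefix) is in default_capabilities, 1 otherwise.
conf_grants() {
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]' | sed 's/^CAP_//')
    conf_default_caps "$1" | grep -qx "$want"
}

# Constructed sample: the list Giuseppe quotes from the shipped file.
CONF_BROKEN='[containers]
default_capabilities = [
  "NET_RAW",
  "CHOWN",
  "DAC_OVERRIDE",
  "FOWNER",
  "FSETID",
  "KILL",
  "NET_BIND_SERVICE",
  "SETFCAP",
  "SETGID",
  "SETPCAP",
  "SETUID",
]'

# Constructed sample: the corrected list, written compactly with a comment.
CONF_FIXED='[containers]
# SYS_CHROOT is needed for buildah run --isolation=chroot inside a container.
default_capabilities = [
  "NET_RAW", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
  "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
  "SYS_CHROOT",   # the entry this bug adds
]'

# Constructed sample: a commented-out template, which grants nothing.
CONF_TEMPLATE='[containers]
#default_capabilities = [
#  "SYS_CHROOT",
#]'

main() {
    for conf in CONF_BROKEN CONF_FIXED CONF_TEMPLATE; do
        eval "text=\$$conf"
        if conf_grants "$text" SYS_CHROOT; then
            echo "$conf: SYS_CHROOT granted by default"
        else
            echo "$conf: SYS_CHROOT not granted; use --cap-add sys_chroot or fix the list"
        fi
    done
}
main
```

On a real host run it against the file podman will use, checking /etc/containers/containers.conf first and falling back to /usr/share/containers/containers.conf, for example `conf_grants "$(cat /etc/containers/containers.conf 2>/dev/null || cat /usr/share/containers/containers.conf)" SYS_CHROOT`.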

Comment 26 Jindrich Novy 2023-03-28 08:55:43 UTC
Hi Giuseppe, the fix is already applied in 8.9.0 but will take a while to propagate as there are currently build issues with the 8.9.0 module.

Comment 35 Alex Jia 2023-04-04 00:21:13 UTC
This bug hasn't been fixed completely by buildah-1.29.1-2.module+el8.8.0+18553+8fea4d79,
and we need to wait for the new buildah-1.29.1-3 build to be ready.

[root@kvm-02-guest08 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.8 (Ootpa)

[root@kvm-02-guest08 ~]# rpm -q podman buildah containers-common runc systemd kernel
podman-4.4.1-10.module+el8.8.0+18555+491facf3.x86_64
buildah-1.29.1-2.module+el8.8.0+18553+8fea4d79.x86_64
containers-common-1-63.module+el8.8.0+18438+15d3aa65.x86_64
runc-1.1.4-1.module+el8.8.0+18060+3f21f2cc.x86_64
systemd-239-74.el8_8.x86_64
kernel-4.18.0-477.7.1.el8_8.x86_64

[root@kvm-02-guest08 ~]# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3...
Getting image source signatures
Copying blob 40635c589740 done  
Copying blob 5d5f3559a9ea done  
Copying config b3041480f0 done  
Writing manifest to image destination
Storing signatures
[root@2f6841f52a0a /]# rpm -q buildah containers-common fuse-overlayfs
buildah-1.29.1-1.module+el8.8.0+18195+471da4bb.x86_64
containers-common-1-62.module+el8.8.0+18251+ad5b274c.x86_64
fuse-overlayfs-1.10-1.module+el8.8.0+18060+3f21f2cc.x86_64
[root@2f6841f52a0a /]# buildah from ubi8
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/001-rhel-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob c4877503c8d2 done  
Copying config 36660eab1e done  
Writing manifest to image destination
Storing signatures
ubi8-working-container
[root@2f6841f52a0a /]# buildah ps
CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
c34ab7204f21     *     36660eab1ea3 registry.access.redhat.com/ub... ubi8-working-container
[root@2f6841f52a0a /]# buildah run --isolation=chroot ubi8-working-container ls /
Error: error in copier subprocess: chrooting to directory "/var/lib/containers/storage/overlay/fdac4ee1f2dea5731e9dc9728ce2b4a9db1197074a7a2f85704d1383ca5ebf55/merged": operation not permitted
[root@2f6841f52a0a /]# exit
exit
[root@kvm-02-guest08 ~]# echo $?
125

Comment 36 Alex Jia 2023-04-07 01:23:26 UTC
This bug has been verified for buildah-1.29.1-2.module+el8.8.0+18553+8fea4d79 with containers-common-1-64.module+el8.8.0+18571+eed59fc4.

[root@kvm-01-guest11 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.8 (Ootpa)

[root@kvm-01-guest11 ~]# grep -iB1 sys_chroot /usr/share/containers/containers.conf
default_capabilities = [
  "SYS_CHROOT",

[root@kvm-01-guest11 ~]# rpm -qf /usr/share/containers/containers.conf
containers-common-1-64.module+el8.8.0+18571+eed59fc4.x86_64

[root@kvm-01-guest11 ~]# rpm -q podman buildah runc systemd kernel
podman-4.4.1-10.module+el8.8.0+18555+491facf3.x86_64
buildah-1.29.1-2.module+el8.8.0+18553+8fea4d79.x86_64
runc-1.1.4-1.module+el8.8.0+18060+3f21f2cc.x86_64
systemd-239-74.el8_8.x86_64
kernel-4.18.0-477.9.1.el8_8.x86_64

[root@kvm-01-guest11 ~]# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3...
Getting image source signatures
Copying blob 40635c589740 done  
Copying blob 5d5f3559a9ea done  
Copying config b3041480f0 done  
Writing manifest to image destination
Storing signatures
[root@12b8d0de88ca /]# rpm -q buildah containers-common fuse-overlayfs
buildah-1.29.1-1.module+el8.8.0+18195+471da4bb.x86_64
containers-common-1-62.module+el8.8.0+18251+ad5b274c.x86_64
fuse-overlayfs-1.10-1.module+el8.8.0+18060+3f21f2cc.x86_64
[root@12b8d0de88ca /]# buildah from ubi8
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/001-rhel-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 6208c5a2e205 done  
Copying config 768688a189 done  
Writing manifest to image destination
Storing signatures
ubi8-working-container
[root@12b8d0de88ca /]# buildah ps
CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
2cb22145e5d5     *     768688a18971 registry.access.redhat.com/ub... ubi8-working-container
[root@12b8d0de88ca /]# buildah run --isolation=chroot ubi8-working-container ls /
bin  boot  dev	etc  home  lib	lib64  lost+found  media  mnt  opt  proc  root	run  sbin  srv	sys  tmp  usr  var
[root@12b8d0de88ca /]# exit
exit
[root@kvm-01-guest11 ~]# echo $?
0

Comment 39 Alex Jia 2023-05-06 06:41:06 UTC
This bug has also been verified on buildah-1.24.6-5.module+el8.9.0+18802+1dedc6a4.

[root@kvm-01-guest14 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.9 Beta (Ootpa)

[root@kvm-01-guest14 ~]# rpm -q podman buildah containers-common runc systemd kernel
podman-4.0.2-21.module+el8.9.0+18802+1dedc6a4.x86_64
buildah-1.24.6-5.module+el8.9.0+18802+1dedc6a4.x86_64
containers-common-1-38.module+el8.9.0+18802+1dedc6a4.x86_64
runc-1.1.5-1.module+el8.9.0+18802+1dedc6a4.x86_64
systemd-239-75.el8.x86_64
kernel-4.18.0-489.el8.x86_64

[root@kvm-01-guest14 ~]# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-5
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-5...
Getting image source signatures
Copying blob 6f24d1d7e470 done  
Copying blob 0fa65fe5c23e done  
Copying config 532b0e56b4 done  
Writing manifest to image destination
Storing signatures
[root@48ee87423367 /]# rpm -q buildah containers-common fuse-overlayfs
buildah-1.29.1-2.module+el8.8.0+18553+8fea4d79.x86_64
containers-common-1-64.module+el8.8.0+18571+eed59fc4.x86_64
fuse-overlayfs-1.11-1.module+el8.8.0+18634+9a268292.x86_64
[root@48ee87423367 /]# buildah from ubi8
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/001-rhel-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 6208c5a2e205 done  
Copying config 768688a189 done  
Writing manifest to image destination
Storing signatures
ubi8-working-container
[root@48ee87423367 /]# buildah ps
CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
241a9db97a18     *     768688a18971 registry.access.redhat.com/ub... ubi8-working-container
[root@48ee87423367 /]# buildah run --isolation=chroot ubi8-working-container ls /
bin  boot  dev	etc  home  lib	lib64  lost+found  media  mnt  opt  proc  root	run  sbin  srv	sys  tmp  usr  var
[root@48ee87423367 /]# exit
exit
[root@kvm-01-guest14 ~]# echo $?
0

Comment 41 Alex Jia 2023-05-23 05:52:46 UTC
This bug has been verified on buildah-1.29.1-4.module+el8.9.0+18893+0b9f3df9 w/ containers-common-1-64.module+el8.8.0+18571+eed59fc4.

Comment 43 errata-xmlrpc 2023-11-14 15:27:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6939

Comment 44 Red Hat Bugzilla 2024-03-14 04:25:18 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

