Bug 2183667
| Summary: | Error: mount /var/lib/containers/storage/overlay:/var/lib/containers/storage/overlay, flags: 0x1000: operation not permitted [rhel-8.8.0.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | RHEL Program Management Team <pgm-rhel-tools> |
| Component: | buildah | Assignee: | Tom Sweeney <tsweeney> |
| Status: | CLOSED ERRATA | QA Contact: | Alex Jia <ajia> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.8 | CC: | ajia, arajan, dwalsh, gscrivan, jnovy, mboddu, pthomas, szidek, tsweeney, umohnani, vrothber, ypu |
| Target Milestone: | rc | Keywords: | Triaged, ZStream |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | buildah-1.29.1-2.el8_8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 2166195 | Environment: | |
| Last Closed: | 2023-05-16 10:01:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2166195 | ||
| Bug Blocks: | |||
Comment 6
Alex Jia
2023-04-04 00:17:47 UTC
When I try the Podman command to run RHEL, I'm getting a cert error on my Fedora machine:

```
# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3...
Error: initializing source docker://registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3: pinging container registry registry-proxy.engineering.redhat.com: Get "https://registry-proxy.engineering.redhat.com/v2/": x509: certificate signed by unknown authority
```

However, when I run the Buildah commands by themselves on Fedora, everything works:

```
# buildah -v
buildah version 1.29.1 (image-spec 1.0.2-dev, runtime-spec 1.0.2-dev)
# buildah from ubi8
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 6208c5a2e205 done
Copying config 768688a189 done
Writing manifest to image destination
Storing signatures
ubi8-working-container
# buildah ps
CONTAINER ID  BUILDER  IMAGE ID      IMAGE NAME                         CONTAINER NAME
c757b9985248     *     768688a18971  registry.access.redhat.com/ub...  ubi8-working-container
# buildah run --isolation=chroot ubi8-working-container ls /
bin boot dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var
```

Valentin, could you give it a try when you get in please?

@jnovy The containers-common rpm version in that RHEL:8.8-3 image looks a little wonky to me. Can you verify that's correct please?

containers-common-1-63.module+el8.8.0+18438+15d3aa65.x86_64

(In reply to Tom Sweeney from comment #9)
> @jnovy The containers-common rpm version in that RHEL:8.8-3 image
> looks a little wonky to me. Can you verify that's correct please?
>
> containers-common-1-63.module+el8.8.0+18438+15d3aa65.x86_64

Yes, please check whether `containers-common` sets the `default_capabilities=...` field. It should not anymore (or add back SYS_CHROOT). In /etc/containers/containers.conf.
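The check requested in the reply above, as an added example that is not part of the bug report: a shell function that reports whether a containers.conf file pins `default_capabilities` and, if it does, whether SYS_CHROOT is still in the list. The function name, the result strings and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a containers.conf file treats default_capabilities.
# Prints: unset | has_sys_chroot | missing_sys_chroot

classify_default_caps() {
    awk '
        { sub(/#.*/, "") }   # drop TOML comments so commented-out entries are ignored
        !in_arr && /^[[:space:]]*default_capabilities[[:space:]]*=/ {
            in_arr = 1; seen = 1; buf = ""
        }
        in_arr {
            buf = buf " " $0                  # the array may span several lines
            if (index($0, "]")) in_arr = 0    # closing bracket ends the array
        }
        END {
            if (!seen)
                print "unset"
            else if (toupper(buf) ~ /(^|[^A-Z_])(CAP_)?SYS_CHROOT([^A-Z_]|$)/)
                print "has_sys_chroot"
            else
                print "missing_sys_chroot"
        }
    ' "$1"
}

# Constructed sample configs (not copied from any real image).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '[containers]' '#default_capabilities = [' '#  "CHOWN",' '#]' \
    > "$tmp/unset.conf"
printf '%s\n' '[containers]' 'default_capabilities = [' '  "CHOWN",' \
    '  "SETUID",  # SYS_CHROOT dropped' ']' > "$tmp/missing.conf"
printf '%s\n' '[containers]' 'default_capabilities = ["CHOWN", "SYS_CHROOT"]' \
    > "$tmp/ok.conf"

for f in unset missing ok; do
    printf '%-8s %s\n' "$f" "$(classify_default_caps "$tmp/$f.conf")"
done
```

Inside the image under test, run `classify_default_caps /etc/containers/containers.conf`; per the reply above, the field should either be unset or include SYS_CHROOT.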
Works for me:

```
[root@ci-vm-10-0-137-115 ~]# dnf install podman buildah
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:01:10 ago on Wed 05 Apr 2023 04:28:39 AM EDT.
Dependencies resolved.
=============================================================================================================================================================================
 Package                       Architecture  Version                                    Repository      Size
=============================================================================================================================================================================
Installing:
 buildah                       x86_64        1:1.29.1-1.module+el8.8.0+18195+471da4bb   rhel-AppStream  8.8 M
 podman                        x86_64        3:4.4.1-8.module+el8.8.0+18438+15d3aa65    rhel-AppStream  15 M
Installing dependencies:
 conmon                        x86_64        3:2.1.6-1.module+el8.8.0+18098+9b44df5f    rhel-AppStream  57 k
 container-selinux             noarch        2:2.205.0-2.module+el8.8.0+18438+15d3aa65  rhel-AppStream  64 k
 containernetworking-plugins   x86_64        1:1.2.0-1.module+el8.8.0+18060+3f21f2cc    rhel-AppStream  20 M
 containers-common             x86_64        2:1-63.module+el8.8.0+18438+15d3aa65       rhel-AppStream  129 k
 criu                          x86_64        3.15-3.module+el8.8.0+18060+3f21f2cc       rhel-AppStream  518 k
 fuse-common                   x86_64        3.3.0-16.el8                               rhel            22 k
 fuse-overlayfs                x86_64        1.10-1.module+el8.8.0+18060+3f21f2cc       rhel-AppStream  74 k
 fuse3                         x86_64        3.3.0-16.el8                               rhel            54 k
 fuse3-libs                    x86_64        3.3.0-16.el8                               rhel            95 k
 libnet                        x86_64        1.1.6-15.el8                               rhel-AppStream  67 k
 libslirp                      x86_64        4.4.0-1.module+el8.8.0+18060+3f21f2cc      rhel-AppStream  70 k
 podman-catatonit              x86_64        3:4.4.1-8.module+el8.8.0+18438+15d3aa65    rhel-AppStream  361 k
 protobuf-c                    x86_64        1.3.0-6.el8                                rhel-AppStream  37 k
 runc                          x86_64        1:1.1.4-1.module+el8.8.0+18060+3f21f2cc    rhel-AppStream  3.1 M
 shadow-utils-subid            x86_64        2:4.6-17.el8                               rhel            113 k
 slirp4netns                   x86_64        1.2.0-2.module+el8.8.0+18060+3f21f2cc      rhel-AppStream  54 k
Enabling module streams:
 container-tools                             rhel8

Transaction Summary
=============================================================================================================================================================================
Install  18 Packages

Total download size: 48 M
Installed size: 148 M
Is this ok [y/N]: y
Downloading Packages:
(1/18): fuse-common-3.3.0-16.el8.x86_64.rpm                                              781 kB/s |  22 kB     00:00
(2/18): fuse3-3.3.0-16.el8.x86_64.rpm                                                    1.7 MB/s |  54 kB     00:00
(3/18): fuse3-libs-3.3.0-16.el8.x86_64.rpm                                               2.6 MB/s |  95 kB     00:00
(4/18): shadow-utils-subid-4.6-17.el8.x86_64.rpm                                         6.0 MB/s | 113 kB     00:00
(5/18): conmon-2.1.6-1.module+el8.8.0+18098+9b44df5f.x86_64.rpm                          2.4 MB/s |  57 kB     00:00
(6/18): container-selinux-2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch.rpm             3.3 MB/s |  64 kB     00:00
(7/18): containers-common-1-63.module+el8.8.0+18438+15d3aa65.x86_64.rpm                  6.9 MB/s | 129 kB     00:00
(8/18): criu-3.15-3.module+el8.8.0+18060+3f21f2cc.x86_64.rpm                              23 MB/s | 518 kB     00:00
(9/18): fuse-overlayfs-1.10-1.module+el8.8.0+18060+3f21f2cc.x86_64.rpm                   4.7 MB/s |  74 kB     00:00
(10/18): libnet-1.1.6-15.el8.x86_64.rpm                                                  4.1 MB/s |  67 kB     00:00
(11/18): libslirp-4.4.0-1.module+el8.8.0+18060+3f21f2cc.x86_64.rpm                       4.3 MB/s |  70 kB     00:00
(12/18): buildah-1.29.1-1.module+el8.8.0+18195+471da4bb.x86_64.rpm                        35 MB/s | 8.8 MB     00:00
(13/18): podman-catatonit-4.4.1-8.module+el8.8.0+18438+15d3aa65.x86_64.rpm                16 MB/s | 361 kB     00:00
(14/18): protobuf-c-1.3.0-6.el8.x86_64.rpm                                               2.3 MB/s |  37 kB     00:00
(15/18): runc-1.1.4-1.module+el8.8.0+18060+3f21f2cc.x86_64.rpm                            25 MB/s | 3.1 MB     00:00
(16/18): slirp4netns-1.2.0-2.module+el8.8.0+18060+3f21f2cc.x86_64.rpm                    3.2 MB/s |  54 kB     00:00
(17/18): containernetworking-plugins-1.2.0-1.module+el8.8.0+18060+3f21f2cc.x86_64.rpm     36 MB/s |  20 MB     00:00
(18/18): podman-4.4.1-8.module+el8.8.0+18438+15d3aa65.x86_64.rpm                          28 MB/s |  15 MB     00:00
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                     71 MB/s |  48 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                              1/1
  Running scriptlet: container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch           1/18
  Installing       : container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch           1/18
  Running scriptlet: container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch           1/18
  Installing       : containernetworking-plugins-1:1.2.0-1.module+el8.8.0+18060+3f21f2cc.x86_64   2/18
  Installing       : fuse3-libs-3.3.0-16.el8.x86_64                                               3/18
  Running scriptlet: fuse3-libs-3.3.0-16.el8.x86_64                                               3/18
  Installing       : protobuf-c-1.3.0-6.el8.x86_64                                                4/18
  Installing       : libslirp-4.4.0-1.module+el8.8.0+18060+3f21f2cc.x86_64                        5/18
  Installing       : slirp4netns-1.2.0-2.module+el8.8.0+18060+3f21f2cc.x86_64                     6/18
  Installing       : libnet-1.1.6-15.el8.x86_64                                                   7/18
  Running scriptlet: libnet-1.1.6-15.el8.x86_64                                                   7/18
  Installing       : criu-3.15-3.module+el8.8.0+18060+3f21f2cc.x86_64                             8/18
  Installing       : runc-1:1.1.4-1.module+el8.8.0+18060+3f21f2cc.x86_64                          9/18
  Installing       : conmon-3:2.1.6-1.module+el8.8.0+18098+9b44df5f.x86_64                        10/18
  Installing       : shadow-utils-subid-2:4.6-17.el8.x86_64                                       11/18
  Installing       : fuse-common-3.3.0-16.el8.x86_64                                              12/18
  Installing       : fuse3-3.3.0-16.el8.x86_64                                                    13/18
  Installing       : fuse-overlayfs-1.10-1.module+el8.8.0+18060+3f21f2cc.x86_64                   14/18
  Running scriptlet: fuse-overlayfs-1.10-1.module+el8.8.0+18060+3f21f2cc.x86_64                   14/18
  Installing       : containers-common-2:1-63.module+el8.8.0+18438+15d3aa65.x86_64                15/18
  Installing       : podman-catatonit-3:4.4.1-8.module+el8.8.0+18438+15d3aa65.x86_64              16/18
  Installing       : podman-3:4.4.1-8.module+el8.8.0+18438+15d3aa65.x86_64                        17/18
  Installing       : buildah-1:1.29.1-1.module+el8.8.0+18195+471da4bb.x86_64                      18/18
  Running scriptlet: container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch           18/18
  Running scriptlet: buildah-1:1.29.1-1.module+el8.8.0+18195+471da4bb.x86_64                      18/18
  Verifying        : fuse-common-3.3.0-16.el8.x86_64                                              1/18
  Verifying        : fuse3-3.3.0-16.el8.x86_64                                                    2/18
  Verifying        : fuse3-libs-3.3.0-16.el8.x86_64                                               3/18
  Verifying        : shadow-utils-subid-2:4.6-17.el8.x86_64                                       4/18
  Verifying        : buildah-1:1.29.1-1.module+el8.8.0+18195+471da4bb.x86_64                      5/18
  Verifying        : conmon-3:2.1.6-1.module+el8.8.0+18098+9b44df5f.x86_64                        6/18
  Verifying        : container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch           7/18
  Verifying        : containernetworking-plugins-1:1.2.0-1.module+el8.8.0+18060+3f21f2cc.x86_64   8/18
  Verifying        : containers-common-2:1-63.module+el8.8.0+18438+15d3aa65.x86_64                9/18
  Verifying        : criu-3.15-3.module+el8.8.0+18060+3f21f2cc.x86_64                             10/18
  Verifying        : fuse-overlayfs-1.10-1.module+el8.8.0+18060+3f21f2cc.x86_64                   11/18
  Verifying        : libnet-1.1.6-15.el8.x86_64                                                   12/18
  Verifying        : libslirp-4.4.0-1.module+el8.8.0+18060+3f21f2cc.x86_64                        13/18
  Verifying        : podman-3:4.4.1-8.module+el8.8.0+18438+15d3aa65.x86_64                        14/18
  Verifying        : podman-catatonit-3:4.4.1-8.module+el8.8.0+18438+15d3aa65.x86_64              15/18
  Verifying        : protobuf-c-1.3.0-6.el8.x86_64                                                16/18
  Verifying        : runc-1:1.1.4-1.module+el8.8.0+18060+3f21f2cc.x86_64                          17/18
  Verifying        : slirp4netns-1.2.0-2.module+el8.8.0+18060+3f21f2cc.x86_64                     18/18
Installed products updated.

Installed:
  buildah-1:1.29.1-1.module+el8.8.0+18195+471da4bb.x86_64
  conmon-3:2.1.6-1.module+el8.8.0+18098+9b44df5f.x86_64
  container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch
  containernetworking-plugins-1:1.2.0-1.module+el8.8.0+18060+3f21f2cc.x86_64
  containers-common-2:1-63.module+el8.8.0+18438+15d3aa65.x86_64
  criu-3.15-3.module+el8.8.0+18060+3f21f2cc.x86_64
  fuse-common-3.3.0-16.el8.x86_64
  fuse-overlayfs-1.10-1.module+el8.8.0+18060+3f21f2cc.x86_64
  fuse3-3.3.0-16.el8.x86_64
  fuse3-libs-3.3.0-16.el8.x86_64
  libnet-1.1.6-15.el8.x86_64
  libslirp-4.4.0-1.module+el8.8.0+18060+3f21f2cc.x86_64
  podman-3:4.4.1-8.module+el8.8.0+18438+15d3aa65.x86_64
  podman-catatonit-3:4.4.1-8.module+el8.8.0+18438+15d3aa65.x86_64
  protobuf-c-1.3.0-6.el8.x86_64
  runc-1:1.1.4-1.module+el8.8.0+18060+3f21f2cc.x86_64
  shadow-utils-subid-2:4.6-17.el8.x86_64
  slirp4netns-1.2.0-2.module+el8.8.0+18060+3f21f2cc.x86_64

Complete!
[root@ci-vm-10-0-137-115 ~]# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3...
Getting image source signatures
Copying blob 40635c589740 done
Copying blob 5d5f3559a9ea done
Copying config b3041480f0 done
Writing manifest to image destination
Storing signatures
```

And btw. I made sure SYS_CHROOT is present in containers.conf default_capabilities.

Tom, the versioning of containers-common is OK.

Jindrich, I still can't get that podman command to run on my machine, probably a local issue. Could I ask you to try running these two commands inside the container after you run that podman run command?

```
# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3
```

In the container:

```
# buildah from ubi8
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 6208c5a2e205 done
Copying config 768688a189 done
Writing manifest to image destination
Storing signatures
ubi8-working-container
# buildah run --isolation=chroot ubi8-working-container ls /
bin boot dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var
```

This bug has been verified for buildah-1.29.1-2.module+el8.8.0+18553+8fea4d79 with containers-common-1-64.module+el8.8.0+18571+eed59fc4.

```
[root@kvm-01-guest11 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.8 (Ootpa)
[root@kvm-01-guest11 ~]# rpm -q podman buildah containers-common runc systemd kernel
podman-4.4.1-10.module+el8.8.0+18555+491facf3.x86_64
buildah-1.29.1-2.module+el8.8.0+18553+8fea4d79.x86_64
containers-common-1-64.module+el8.8.0+18571+eed59fc4.x86_64
runc-1.1.4-1.module+el8.8.0+18060+3f21f2cc.x86_64
systemd-239-74.el8_8.x86_64
kernel-4.18.0-477.9.1.el8_8.x86_64
[root@kvm-01-guest11 ~]# podman run --rm --device /dev/fuse -it registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3
Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhel8-buildah:8.8-3...
Getting image source signatures
Copying blob 40635c589740 done
Copying blob 5d5f3559a9ea done
Copying config b3041480f0 done
Writing manifest to image destination
Storing signatures
[root@12b8d0de88ca /]# rpm -q buildah containers-common fuse-overlayfs
buildah-1.29.1-1.module+el8.8.0+18195+471da4bb.x86_64
containers-common-1-62.module+el8.8.0+18251+ad5b274c.x86_64
fuse-overlayfs-1.10-1.module+el8.8.0+18060+3f21f2cc.x86_64
[root@12b8d0de88ca /]# buildah from ubi8
Resolved "ubi8" as an alias (/etc/containers/registries.conf.d/001-rhel-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi8:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 6208c5a2e205 done
Copying config 768688a189 done
Writing manifest to image destination
Storing signatures
ubi8-working-container
[root@12b8d0de88ca /]# buildah ps
CONTAINER ID  BUILDER  IMAGE ID      IMAGE NAME                         CONTAINER NAME
2cb22145e5d5     *     768688a18971  registry.access.redhat.com/ub...  ubi8-working-container
[root@12b8d0de88ca /]# buildah run --isolation=chroot ubi8-working-container ls /
bin boot dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var
[root@12b8d0de88ca /]# exit
exit
[root@kvm-01-guest11 ~]# echo $?
0
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (container-tools:rhel8 bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3089