After updating podman from podman-5.0.0~rc2-1.fc40.x86_64 to podman-5.0.0~rc7-1.fc40.x86_64, my container no longer starts.

Reproducible: Always

Steps to Reproduce:
1. Ensure that the latest podman package is installed:
   $ rpm -q podman
   podman-5.0.0~rc7-1.fc40.x86_64
2. Start the container:
   $ podman run --privileged --ulimit host -d -v ${HOME}/git/:/docs:rw --name ccutil quay.io/ivanhorvath/ccutil:amazing

Actual Results:
Error: pasta failed with exit code 1:
Couldn't open network namespace /run/user/1000/netns/netns-131ad45a-a77b-8e42-564b-95aeb4c8b336: Permission denied

Expected Results:
Container should start (same as on F39).

If I downgrade the podman package to podman-5.0.0~rc2-1.fc40.x86_64, the container starts:
# dnf downgrade podman
# rpm -q podman
podman-5.0.0~rc2-1.fc40.x86_6
$ podman run --privileged --ulimit host -d -v ${HOME}/git/:/docs:rw --name ccutil quay.io/ivanhorvath/ccutil:amazing
b918c62636b328e43b3b8682338555c84d5d69f1daff4a7eb3a1a75a85aee368
could you please retry with this passt build installed: https://bodhi.fedoraproject.org/updates/FEDORA-2024-4b5b35a749
I updated passt and passt-selinux to the versions from https://bodhi.fedoraproject.org/updates/FEDORA-2024-4b5b35a749:
passt-0^20240318.g615d370-1.fc41.x86_64
passt-selinux-0^20240318.g615d370-1.fc41.noarch
However, I still cannot start my container with podman-5.0.0~rc7-1.
@pholzing PTAL
I think this is an SELinux problem; what is the label of the podman binary (ls -Z /usr/bin/podman)? It should have the container_runtime_exec_t type. Could you show the SELinux denials, if you get any?
(In reply to Paul Holzinger from comment #4)
> I think this is a selinux problem, what is the label of the podman binary
> (ls -Z /usr/bin/podman)? It should have the container_runtime_exec_t type.

# ls -Z /usr/bin/podman
system_u:object_r:bin_t:s0 /usr/bin/podman

> Could you show the selinux denials, if you get any?

type=AVC msg=audit(1710848692.486:787): avc: denied { setgid } for pid=20854 comm="pasta.avx2" capability=6 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1710848692.486:788): avc: denied { setgid } for pid=20854 comm="pasta.avx2" capability=6 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1710848692.486:789): avc: denied { setuid } for pid=20854 comm="pasta.avx2" capability=7 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
FYI: The SELinux context is also bin_t for 5.0.0~rc2.
Ok yeah that is the issue then, podman should be labelled system_u:object_r:container_runtime_exec_t:s0. Not sure why podman is no longer labelled correctly in f40.

> FYI: The SELinux context is also bin_t for 5.0.0~rc2.

Yeah and this is also wrong, pasta was made the default in rc4 I think so you should see the issue now, but the wrong label also causes other issues even on older versions.

I cannot reproduce this on a f40 VM:
# ls -Z /usr/bin/podman
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/podman
# rpm -q podman
podman-5.0.0~rc7-1.fc40.x86_64

I am not sure why that is not the case for you, do you have `container-selinux` installed? Without it it will not have the right label I think.
Marc could you please try `dnf reinstall container-selinux` and recheck the labels and the issue?
(In reply to Lokesh Mandvekar from comment #8)
> Marc could you please try `dnf reinstall container-selinux` and recheck the
> labels and the issue?

container-selinux wasn't installed on my laptop, and I could reproduce why: this package is a weak dependency and, same as on previous Fedora versions, I have install_weak_deps=False in /etc/dnf/dnf.conf. If container-selinux is mandatory, it should better be a normal dependency.

After I installed container-selinux, the SELinux context is correct (container_runtime_exec_t), but it now fails with a different error:
$ podman run --privileged --ulimit host -d -v ${HOME}/MyData/git/:/docs:rw --name ccutil quay.io/ivanhorvath/ccutil:amazing
Error: pasta failed with exit code 1:
netlink: Unexpected sequence number (6 != 10)

Since I updated the two passt* packages to the ones from https://bodhi.fedoraproject.org/updates/FEDORA-2024-4b5b35a749, I downgraded them to the ones that are currently in the fedora repository, but it also fails with this ^^^ error.
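As an added check (my example, not code from the bug report or from the podman/passt projects), a POSIX shell script that parses an `ls -Z` file context and audit AVC lines of the shape quoted in this thread, and flags the bin_t label on the podman binary; the remediation commands it prints (dnf install container-selinux, restorecon) are my suggestion, and all sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: parse an SELinux file context and
# audit AVC lines, and flag the mislabelled podman binary that made pasta fail.

# Third colon-separated field of a context such as system_u:object_r:bin_t:s0
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Takes one line of `ls -Z <file>` output ("<context> <path>"); succeeds only
# if the file carries the type podman needs, container_runtime_exec_t.
podman_label_ok() {
    ctx=${1%% *}
    [ "$(selinux_type "$ctx")" = "container_runtime_exec_t" ]
}

# Reduces an AVC record to "<perm> <comm> <source type> <tclass>" so an audit
# log can be scanned for pasta_t denials without reading every field.
avc_summary() {
    printf '%s\n' "$1" | sed -n \
      's/.*denied *{ *\([a-z_]*\) *}.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\1 \2 \3 \4/p'
}

# Constructed samples mirroring the output shown in the thread
SAMPLE_BAD='system_u:object_r:bin_t:s0 /usr/bin/podman'
SAMPLE_GOOD='system_u:object_r:container_runtime_exec_t:s0 /usr/bin/podman'
SAMPLE_AVC='type=AVC msg=audit(1710848692.486:787): avc: denied { setgid } for pid=20854 comm="pasta.avx2" capability=6 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0'

# Live check of this host, skipped where podman or an SELinux-aware ls is absent
if [ -x /usr/bin/podman ] && line=$(ls -Z /usr/bin/podman 2>/dev/null); then
    if podman_label_ok "$line"; then
        echo "podman label OK: $line"
    else
        echo "podman is mislabelled: $line"
        echo "check: rpm -q container-selinux; grep install_weak_deps /etc/dnf/dnf.conf"
        echo "fix:   dnf install container-selinux && restorecon -v /usr/bin/podman"
    fi
fi
```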
@dwalsh any reason container-selinux was changed to a Recommends from Requires. We are already checking for selinux-policy in the dependency. commit fc6ba2bd58b661f9f93b5f9dd190bb3eea327fb1 Author: Daniel J Walsh <dwalsh> Date: Fri Dec 16 01:32:49 2022 Change container-selinux to a recommends Signed-off-by: Daniel J Walsh <dwalsh> diff --git a/containers-common.spec b/containers-common.spec index aea1063..54e8379 100644 --- a/containers-common.spec +++ b/containers-common.spec @@ -22,7 +22,7 @@ BuildArch: noarch Summary: Common configuration and documentation for containers BuildRequires: go-md2man Provides: skopeo-containers = %{epoch}:%{version}-%{release} -Requires: (container-selinux >= 2:2.162.1 if selinux-policy) +Recommends: (container-selinux >= 2:2.162.1 if selinux-policy) Recommends: fuse-overlayfs Requires: (fuse-overlayfs if fedora-release-identity-server) # SourceN files fetched from upstream @@ -151,9 +151,9 @@ install -m0644 containers.conf %{buildroot}%{_datadir}/containers/containers.con # install secrets patch directory install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets # rhbz#1110876 - update symlinks for subscription management -ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement -ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm -ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/redhat.repo +ln -s ../../../..%{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement +ln -s ../../../..%{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm +ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/redhat.repo %files %dir %{_sysconfdir}/containers
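Review bot: the first hunk (containers-common.spec, BuildArch/Summary region) turns `Requires: (container-selinux >= 2:2.162.1 if selinux-policy)` into `Recommends:`, but the `if selinux-policy` conditional already limits the dependency to hosts that have an SELinux policy, so the demotion buys nothing on non-SELinux hosts and on SELinux hosts it lets container-selinux be skipped whenever dnf runs with install_weak_deps=False, which is exactly the bin_t label and pasta_t denial reported in this thread. Suggest keeping `Requires:` with the existing conditional, or at minimum documenting in the spec why podman is expected to work without the container-selinux labels.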
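Review bot: the second hunk (the three `ln -s` lines under rhbz#1110876) prefixes the symlink targets with `../../../..%{_sysconfdir}`, which silently assumes %{_datadir}/rhel/secrets sits exactly four directory levels below the root (/usr/share/rhel/secrets); if %{_datadir} is ever overridden the links dangle. Suggest a comment stating that assumption next to the links, and since the commit message ("Change container-selinux to a recommends") does not mention the symlink change at all, splitting it into its own commit or at least describing it in the message.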
(In reply to Marc Muehlfeld from comment #9)
> $ podman run --privileged --ulimit host -d -v ${HOME}/MyData/git/:/docs:rw
> --name ccutil quay.io/ivanhorvath/ccutil:amazing
> Error: pasta failed with exit code 1:
> netlink: Unexpected sequence number (6 != 10)
>
> Since I updated the two passt* packages to the ones from
> https://bodhi.fedoraproject.org/updates/FEDORA-2024-4b5b35a749, I downgraded
> them to the ones that are currently in the fedora repository, but it also
> fails with this ^^^ error.

See https://github.com/containers/podman/issues/22052, a fix should be in https://bodhi.fedoraproject.org/updates/FEDORA-2024-3deab8ca81. Please test that and let us know if this works for you.
(In reply to Paul Holzinger from comment #11)
> (In reply to Marc Muehlfeld from comment #9)
> > $ podman run --privileged --ulimit host -d -v ${HOME}/MyData/git/:/docs:rw
> > --name ccutil quay.io/ivanhorvath/ccutil:amazing
> > Error: pasta failed with exit code 1:
> > netlink: Unexpected sequence number (6 != 10)
> >
> > Since I updated the two passt* packages to the ones from
> > https://bodhi.fedoraproject.org/updates/FEDORA-2024-4b5b35a749, I downgraded
> > them to the ones that are currently in the fedora repository, but it also
> > fails with this ^^^ error.
>
> see https://github.com/containers/podman/issues/22052, a fix should be in
> https://bodhi.fedoraproject.org/updates/FEDORA-2024-3deab8ca81
> please test that and let us know if this works for you

This fixes the problem and the container starts with podman 5.0.0~rc7. Thanks.
The thinking was that podman is installed within a container or onto a system without SELinux enabled. I know it checks if selinux-policy is installed, but this does not take into account whether or not it is needed. If it is deemed necessary to change it back to Requires, I would be fine with that.
Hi Marc,

I'm a pasta developer debugging (amongst other things) the problem you've reported in comment 9. We haven't yet managed to reproduce it locally, and most of the occurrences we've seen have been in difficult-to-debug CI environments. I'm hoping you can help us out with some additional debugging information.

Some basics to start with:
1. Do you get the same error if you manually run:
   $ pasta --config-net --no-map-gw -- /bin/true
   in your environment?
2. If so, could you run
   $ strace -o pasta-sequence-mismatch.log -s 8192 -f -- pasta --config-net --no-map-gw -- /bin/true
   then send me the pasta-sequence-mismatch.log file?

You can reply either here, or in the upstream pasta bug I created for this problem: https://bugs.passt.top/show_bug.cgi?id=83
Marc, Sorry for the noise. I just managed to reproduce the problem and I have a working theory. Working on a fix now.
I've made what I think is a fix for this bug here: https://gitlab.com/dgibson/passt/-/tree/bug83?ref_type=heads If you're able to test that, Marc, that would be great. I'm in the process of working towards a release.
> I've made what I think is a fix for this bug here: https://gitlab.com/dgibson/passt/-/tree/bug83?ref_type=heads.

David, I don't know if anything else is needed for what I reported in #c9. This problem was gone after I updated the passt and passt-selinux packages to the ones in https://bodhi.fedoraproject.org/updates/FEDORA-2024-3deab8ca81. With these packages, I can also successfully run "pasta --config-net --no-map-gw -- /bin/true" (no output, exit code = 0).

> If you're able to test that, Marc, that would be great.

Sorry, I can't test it from the source code, but I can test it if you create an RPM for F40.
Packages for F40 and Rawhide have now been made. I'm not entirely sure how far they're through the build and deploy process though. Regardless, they should be there soon, and other indications seem to be that the problem is now fixed.
This morning, dnf updated the two passt* packages to:
passt-0^20240320.g71dd405-1.fc40.x86_64
passt-selinux-0^20240320.g71dd405-1.fc40.noarch
Everything seems to work as expected. Thanks.
passt-0^20240320.g71dd405-1.fc40 landed in stable: https://bodhi.fedoraproject.org/updates/FEDORA-2024-f5dc59f8ca