Bug 2270257 - podman-5.0.0~rc7: Error: pasta failed with exit code 1: Couldn't open network namespace
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: passt
Version: 40
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Stefano Brivio
Reported: 2024-03-19 09:39 UTC by Marc Muehlfeld
Modified: 2024-04-09 16:12 UTC
CC: 14 users

Fixed In Version: 0^20240320.g71dd405-1.fc40
Last Closed: 2024-04-09 16:12:33 UTC

See also: containers/podman issue 22052 on GitHub (open): regression with kernel 6.9: user containers hang forever in pasta setup with podman-5.0.0~rc6 (last updated 2024-03-20 02:39:41 UTC)

Description Marc Muehlfeld 2024-03-19 09:39:26 UTC
After updating podman from podman-5.0.0~rc2-1.fc40.x86_64 to podman-5.0.0~rc7-1.fc40.x86_64, my container no longer starts.

Reproducible: Always

Steps to Reproduce:
1. Ensure that the latest podman package is installed:
   $ rpm -q podman
   podman-5.0.0~rc7-1.fc40.x86_64

2. Start the container:
   $ podman run --privileged --ulimit host -d -v ${HOME}/git/:/docs:rw --name ccutil quay.io/ivanhorvath/ccutil:amazing

Actual Results:  
Error: pasta failed with exit code 1:
Couldn't open network namespace /run/user/1000/netns/netns-131ad45a-a77b-8e42-564b-95aeb4c8b336: Permission denied

Expected Results:  
Container should start (same as on F39).

If I downgrade the podman package to podman-5.0.0~rc2-1.fc40.x86_64, the container starts:

# dnf downgrade podman

# rpm -q podman
podman-5.0.0~rc2-1.fc40.x86_6

$ podman run --privileged --ulimit host -d -v ${HOME}/git/:/docs:rw --name ccutil quay.io/ivanhorvath/ccutil:amazing
b918c62636b328e43b3b8682338555c84d5d69f1daff4a7eb3a1a75a85aee368

Comment 1 Lokesh Mandvekar 2024-03-19 10:03:32 UTC
could you please retry with this passt build installed: https://bodhi.fedoraproject.org/updates/FEDORA-2024-4b5b35a749

Comment 2 Marc Muehlfeld 2024-03-19 10:28:37 UTC
I updated passt and passt-selinux to the versions from https://bodhi.fedoraproject.org/updates/FEDORA-2024-4b5b35a749
passt-0^20240318.g615d370-1.fc41.x86_64
passt-selinux-0^20240318.g615d370-1.fc41.noarch

However, I can still not start my container with podman-5.0.0~rc7-1.

Comment 3 Lokesh Mandvekar 2024-03-19 10:49:39 UTC
@pholzing PTAL

Comment 4 Paul Holzinger 2024-03-19 11:01:58 UTC
I think this is a selinux problem, what is the label of the podman binary (ls -Z /usr/bin/podman)? It should have the container_runtime_exec_t type.
Could you show the selinux denials, if you get any?

Comment 5 Marc Muehlfeld 2024-03-19 11:45:29 UTC
(In reply to Paul Holzinger from comment #4)
> I think this is a selinux problem, what is the label of the podman binary
> (ls -Z /usr/bin/podman)? It should have the container_runtime_exec_t type.

# ls -Z /usr/bin/podman
system_u:object_r:bin_t:s0 /usr/bin/podman



> Could you show the selinux denials, if you get any?

type=AVC msg=audit(1710848692.486:787): avc:  denied  { setgid } for  pid=20854 comm="pasta.avx2" capability=6  scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1710848692.486:788): avc:  denied  { setgid } for  pid=20854 comm="pasta.avx2" capability=6  scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1710848692.486:789): avc:  denied  { setuid } for  pid=20854 comm="pasta.avx2" capability=7  scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0

Comment 6 Marc Muehlfeld 2024-03-19 11:51:09 UTC
FYI: The SELinux context is also bin_t for 5.0.0~rc2.

Comment 7 Paul Holzinger 2024-03-19 11:56:49 UTC
Ok yeah that is the issue then, podman should be labelled system_u:object_r:container_runtime_exec_t:s0

Not sure why podman is no longer labelled correctly in f40.

> FYI: The SELinux context is also bin_t for 5.0.0~rc2.

Yeah, and this is also wrong. pasta was made the default in rc4, I think, so you should see the issue now, but the wrong label also causes other issues even on older versions.


I cannot reproduce this on a f40 VM:
# ls -Z /usr/bin/podman 
system_u:object_r:container_runtime_exec_t:s0 /usr/bin/podman
# rpm -q podman
podman-5.0.0~rc7-1.fc40.x86_64


I am not sure why that is not the case for you, do you have `container-selinux` installed? Without it it will not have the right label I think.

Comment 8 Lokesh Mandvekar 2024-03-19 11:58:48 UTC
Marc could you please try `dnf reinstall container-selinux` and recheck the labels and the issue?

Comment 9 Marc Muehlfeld 2024-03-19 12:26:11 UTC
(In reply to Lokesh Mandvekar from comment #8)
> Marc could you please try `dnf reinstall container-selinux` and recheck the
> labels and the issue?

container-selinux wasn't installed on my laptop, and I could reproduce why:
This package is a weak dependency and, same as on previous Fedora versions, I have install_weak_deps=False in /etc/dnf/dnf.conf

If container-selinux is mandatory, it should rather be a normal dependency.




After I installed container-selinux, the SELinux context is correct (container_runtime_exec_t), but it now fails with a different error:

$ podman run --privileged --ulimit host -d -v ${HOME}/MyData/git/:/docs:rw --name ccutil quay.io/ivanhorvath/ccutil:amazing
Error: pasta failed with exit code 1:
netlink: Unexpected sequence number (6 != 10)

Since I updated the two passt* packages to the ones from https://bodhi.fedoraproject.org/updates/FEDORA-2024-4b5b35a749, I downgraded them to the ones that are currently in the fedora repository, but it also fails with this ^^^ error.
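A shell triage helper for the failure walked through in comments 5, 7 and 9, added here as an example; it is not part of the bug report nor of the podman or passt projects. It assumes `ls -Z` output of the form `user:role:type:level path`, audit records in the format shown in comment 5, and a dnf.conf with one setting per line. The sample audit records are the three lines from comment 5 plus one constructed, unrelated denial; the sample dnf.conf is constructed to match the reporter's `install_weak_deps=False` setting. The remediation it prints (install container-selinux, then restorecon) is the fix the thread converges on, not a project-documented procedure.

```sh
#!/bin/sh
# Example triage helper (not from the bug report or from podman/passt) for the
# "pasta failed ... Couldn't open network namespace ... Permission denied" symptom.
# Checks encoded here, each from the thread:
#   - comments 4/7: /usr/bin/podman must carry the container_runtime_exec_t type
#   - comment 5:    pasta_t denials in the cap_userns class are the matching AVC signature
#   - comment 9:    install_weak_deps=False in dnf.conf keeps container-selinux from
#                   being pulled in, since it is only a weak dependency
# Assumptions: `ls -Z` prints "user:role:type:level path"; audit records look like the
# ones in comment 5; dnf.conf has one "key=value" setting per line.

EXPECTED_TYPE=container_runtime_exec_t

# Print the SELinux type (third colon-separated field of the context) from one
# `ls -Z` line, e.g. "system_u:object_r:bin_t:s0 /usr/bin/podman" -> "bin_t".
label_type() {
    printf '%s\n' "$1" | awk '{ split($1, f, ":"); print f[3] }'
}

# Succeed (exit 0) only when the `ls -Z` line carries the expected type.
podman_label_ok() {
    [ "$(label_type "$1")" = "$EXPECTED_TYPE" ]
}

# Count AVC records on stdin in which a process running as pasta_t was denied a
# capability in the cap_userns class; every other denial is ignored. Prints 0
# (rather than failing) when nothing matches.
count_pasta_userns_denials() {
    grep -c 'avc:  denied .* scontext=[^ ]*:pasta_t:[^ ]* .* tclass=cap_userns' || true
}

# Succeed when the dnf.conf text on stdin turns weak dependencies off.
weak_deps_disabled() {
    grep -Eiq '^[[:space:]]*install_weak_deps[[:space:]]*=[[:space:]]*(false|0|no)[[:space:]]*$'
}

# Combine the checks into a one-line verdict. $1 is the `ls -Z` line for the
# podman binary, $2 the dnf.conf contents, stdin the audit records.
# Returns 0 when the label is right, 1 when remediation is needed.
diagnose() {
    lsz_line=$1
    dnf_conf=$2
    denials=$(count_pasta_userns_denials)
    if podman_label_ok "$lsz_line"; then
        echo "ok: podman labelled $EXPECTED_TYPE ($denials pasta_t cap_userns denials seen)"
        return 0
    fi
    msg="podman labelled '$(label_type "$lsz_line")', expected $EXPECTED_TYPE; $denials pasta_t cap_userns denials"
    if printf '%s\n' "$dnf_conf" | weak_deps_disabled; then
        msg="$msg; install_weak_deps is off, so container-selinux was not pulled in"
    fi
    echo "fix: $msg. Run: dnf install container-selinux, then restorecon -v /usr/bin/podman and re-check ls -Z"
    return 1
}

# Constructed sample: the three records from comment 5 plus one unrelated denial
# (made up here) so the filter has something to reject.
SAMPLE_AUDIT='type=AVC msg=audit(1710848692.486:787): avc:  denied  { setgid } for  pid=20854 comm="pasta.avx2" capability=6  scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1710848692.486:788): avc:  denied  { setgid } for  pid=20854 comm="pasta.avx2" capability=6  scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1710848692.486:789): avc:  denied  { setuid } for  pid=20854 comm="pasta.avx2" capability=7  scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1710848700.000:790): avc:  denied  { read } for  pid=4242 comm="example" name="shadow" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Constructed dnf.conf mirroring the reporter's setting from comment 9.
SAMPLE_DNF_CONF='[main]
gpgcheck=True
installonly_limit=3
install_weak_deps=False'

# Stand-alone run over the constructed samples; pass --live to check the real host
# (needs /usr/bin/podman, read access to the audit log, and /etc/dnf/dnf.conf).
if [ "${1-}" = "--live" ]; then
    ausearch -m AVC -ts today 2>/dev/null \
        | diagnose "$(ls -Z /usr/bin/podman)" "$(cat /etc/dnf/dnf.conf)" || exit 1
else
    printf '%s\n' "$SAMPLE_AUDIT" \
        | diagnose 'system_u:object_r:bin_t:s0 /usr/bin/podman' "$SAMPLE_DNF_CONF" \
        || echo "(exit status 1: remediation needed)"
fi
```

The denial filter keys on the source type `pasta_t` and the class `cap_userns` rather than on `comm="pasta.avx2"`, since the binary name varies with the CPU-specific build while the type and class are what the policy decision is made on.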

Comment 10 Lokesh Mandvekar 2024-03-19 13:03:01 UTC
@dwalsh, any reason container-selinux was changed to a Recommends from Requires? We are already checking for selinux-policy in the dependency.

commit fc6ba2bd58b661f9f93b5f9dd190bb3eea327fb1
Author: Daniel J Walsh <dwalsh>
Date:   Fri Dec 16 01:32:49 2022

    Change container-selinux to a recommends
    
    Signed-off-by: Daniel J Walsh <dwalsh>

diff --git a/containers-common.spec b/containers-common.spec
index aea1063..54e8379 100644
--- a/containers-common.spec
+++ b/containers-common.spec
@@ -22,7 +22,7 @@ BuildArch: noarch
 Summary: Common configuration and documentation for containers
 BuildRequires: go-md2man
 Provides: skopeo-containers = %{epoch}:%{version}-%{release}
-Requires: (container-selinux >= 2:2.162.1 if selinux-policy)
+Recommends: (container-selinux >= 2:2.162.1 if selinux-policy)
 Recommends: fuse-overlayfs
 Requires: (fuse-overlayfs if fedora-release-identity-server)
 # SourceN files fetched from upstream
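Review bot: turning `Requires: (container-selinux >= 2:2.162.1 if selinux-policy)` into `Recommends:` removes the only guarantee that an SELinux host gets container-selinux, so a host with install_weak_deps=False in dnf.conf ends up with /usr/bin/podman left as bin_t and pasta failing on cap_userns denials, which is exactly what this bug reports. The `if selinux-policy` rich dependency already excludes the container and no-SELinux cases, so keeping `Requires:` serves the stated goal without opening the weak-dependency hole; if Recommends is the intended behaviour, the commit message should say why, as it currently gives no rationale. The neighbouring `Recommends: fuse-overlayfs` plus `Requires: (fuse-overlayfs if fedora-release-identity-server)` shows the pattern that fits: a weak dependency for the general case and a hard conditional one for the case where the package is mandatory.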
@@ -151,9 +151,9 @@ install -m0644 containers.conf %{buildroot}%{_datadir}/containers/containers.con
 # install secrets patch directory
 install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets
 # rhbz#1110876 - update symlinks for subscription management
-ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement
-ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm
-ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/redhat.repo
+ln -s ../../../..%{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement
+ln -s ../../../..%{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm
+ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/redhat.repo

 %files
 %dir %{_sysconfdir}/containers
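Review bot: the symlink rewrite in this hunk is unrelated to the commit message ("Change container-selinux to a recommends") and should be a separate commit with its own rationale, so each change can be reviewed and bisected on its own. On the change itself, the `../../../..` prefix hard-codes that %{_datadir}/rhel/secrets sits four directories below the root (true for /usr/share/rhel/secrets), so if %{_datadir} is ever anything else the three links silently dangle; deriving the prefix from %{_datadir} in the spec, or keeping the absolute targets as before, avoids baking that assumption into the package.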

Comment 11 Paul Holzinger 2024-03-19 13:06:55 UTC
(In reply to Marc Muehlfeld from comment #9)


> $ podman run --privileged --ulimit host -d -v ${HOME}/MyData/git/:/docs:rw
> --name ccutil quay.io/ivanhorvath/ccutil:amazing
> Error: pasta failed with exit code 1:
> netlink: Unexpected sequence number (6 != 10)
> 
> Since I updated the two passt* packages to the ones from
> https://bodhi.fedoraproject.org/updates/FEDORA-2024-4b5b35a749, I downgraded
> them to the ones that are currently in the fedora repository, but it also
> fails with this ^^^ error.

see https://github.com/containers/podman/issues/22052, a fix should be in https://bodhi.fedoraproject.org/updates/FEDORA-2024-3deab8ca81
please test that and let us know if this works for you

Comment 12 Marc Muehlfeld 2024-03-19 13:20:55 UTC
(In reply to Paul Holzinger from comment #11)
> (In reply to Marc Muehlfeld from comment #9)
> > $ podman run --privileged --ulimit host -d -v ${HOME}/MyData/git/:/docs:rw
> > --name ccutil quay.io/ivanhorvath/ccutil:amazing
> > Error: pasta failed with exit code 1:
> > netlink: Unexpected sequence number (6 != 10)
> > 
> > Since I updated the two passt* packages to the ones from
> > https://bodhi.fedoraproject.org/updates/FEDORA-2024-4b5b35a749, I downgraded
> > them to the ones that are currently in the fedora repository, but it also
> > fails with this ^^^ error.
> 
> see https://github.com/containers/podman/issues/22052, a fix should be in
> https://bodhi.fedoraproject.org/updates/FEDORA-2024-3deab8ca81
> please test that and let us know if this works for you

This fixes the problem and the container starts with podman 5.0.0~rc7. Thanks.

Comment 13 Daniel Walsh 2024-03-20 00:48:01 UTC
The thinking was that podman may be installed within a container or onto a system without SELinux enabled.  I know it checks if selinux-policy is installed,
but this does not take into account whether or not it is needed.

If it is deemed necessary to change it back to requires, I would be fine with that.

Comment 14 David Gibson 2024-03-20 02:39:41 UTC
Hi Marc,

I'm a pasta developer debugging (amongst other things) the problem you've reported in comment 9.  We haven't yet managed to reproduce it locally, and most of the occurrences we've seen have been in difficult to debug CI environments.  I'm hoping you can help us out with some additional debugging information.

Some basics to start with:
  1. Do you get the same error if you manually run:
        $ pasta --config-net --no-map-gw -- /bin/true
     in your environment?
  2. If so, could you run
        $ strace -o pasta-sequence-mismatch.log -s 8192 -f -- pasta --config-net --no-map-gw -- /bin/true
     then send me the pasta-sequence-mismatch.log file?

You can reply either here, or in the upstream pasta bug I created for this problem: https://bugs.passt.top/show_bug.cgi?id=83

Comment 15 David Gibson 2024-03-20 03:12:08 UTC
Marc,

Sorry for the noise.  I just managed to reproduce the problem and I have a working theory.  Working on a fix now.

Comment 16 David Gibson 2024-03-20 05:41:04 UTC
I've made what I think is a fix for this bug here: https://gitlab.com/dgibson/passt/-/tree/bug83?ref_type=heads

If you're able to test that, Marc, that would be great.

I'm in the process of working towards a release.

Comment 17 Marc Muehlfeld 2024-03-20 06:42:38 UTC
> I've made what I think is a fix for this bug here: https://gitlab.com/dgibson/passt/-/tree/bug83?ref_type=heads

David, I don't know if anything else is needed for what I reported in #c9. This problem was gone after I updated the passt and passt-selinux packages to the ones in https://bodhi.fedoraproject.org/updates/FEDORA-2024-3deab8ca81. With these packages, I can also successfully run "pasta --config-net --no-map-gw -- /bin/true" (no output, exit code = 0).


> If you're able to test that, Marc, that would be great.

Sorry, I can't test it from the source code, but I can test it if you create an RPM for F40.

Comment 18 David Gibson 2024-03-21 03:42:59 UTC
Packages for F40 and Rawhide have now been made.  I'm not entirely sure how far they're through the build and deploy process though.  Regardless, they should be there soon, and other indications seem to be that the problem is now fixed.

Comment 19 Marc Muehlfeld 2024-03-21 06:47:29 UTC
This morning, dnf updated the two passt* packages to:

passt-0^20240320.g71dd405-1.fc40.x86_64
passt-selinux-0^20240320.g71dd405-1.fc40.noarch

Everything seems to work as expected. Thanks.

Comment 20 Timothée Ravier 2024-04-09 16:12:33 UTC
passt-0^20240320.g71dd405-1.fc40 landed in stable: https://bodhi.fedoraproject.org/updates/FEDORA-2024-f5dc59f8ca

