
Bug#1012030: podman: Fails to run any container


Vicente Olivert Riera
May 28, 2022, 11:50:03 PM
Package: podman
Version: 3.0.1+dfsg1-3+deb11u1
Severity: important
X-Debbugs-Cc: vincent.ol...@gmail.com

Dear Maintainer,

Podman has stopped working (at least for me) without having modified anything
in its configuration. I simply try to run 'bash' from a Debian container, and
it crashes like this:


$ podman run --rm -it debian bash
Resolved "debian" as an alias
(/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/debian:latest...
Getting image source signatures
Copying blob e756f3fdd6a3 done
Copying config 4eacea3037 done
Writing manifest to image destination
Storing signatures
Error: container_linux.go:367: starting container process caused: error adding
seccomp filter rule for syscall bdflush: permission denied: OCI permission
denied
$

-- System Information:
Debian Release: 11.3
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-14-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages podman depends on:
ii conmon 2.0.25+ds1-1.1
ii containernetworking-plugins 0.9.0-1+b6
ii golang-github-containers-common 0.33.4+ds1-1+deb11u1
ii init-system-helpers 1.60
ii iptables 1.8.7-1
ii libc6 2.31-13+deb11u3
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libgpgme11 1.14.0-1+b2
ii libseccomp2 2.5.1-1+deb11u1
ii runc 1.0.0~rc93+ds1-5+b2

Versions of packages podman recommends:
ii buildah 1.19.6+dfsg1-1+b6
ii fuse-overlayfs 1.4.0-1
ii golang-github-containernetworking-plugin-dnsname 1.1.1+ds1-4+b7
ii slirp4netns 1.0.1-2
ii tini 0.19.0-1
ii uidmap 1:4.8.1-1

Versions of packages podman suggests:
pn containers-storage <none>
pn docker-compose <none>

Reinhard Tartler
May 30, 2022, 3:40:04 PM

I wonder whether this may be related to upstream report at https://github.com/containers/common/issues/631

It seems that in debian/bullseye, podman is only able to work with crun, since the version of runc we have in stable seems to have issues with seccomp. Can you please try the following for me with both crun and runc installed:

root@pve:~# podman run --runtime runc  --security-opt=seccomp=unconfined  --rm -it debian date
Mon May 30 19:18:05 UTC 2022

That does appear to work at least on my system.

This might indicate that this is actually a change that needs to go into golang-github-containers-common then...

On Mon, May 30, 2022 at 9:15 AM Vicente Olivert Riera <vincent.ol...@gmail.com> wrote:
I've found the problem appears to be between podman and runc.

I have runc installed in my system because I also use docker.io, and
that package depends on it.
runc is also a dependency of podman, so podman uses it. However, podman
can also use crun. But, since runc was already installed, and podman can
depend on either of them, crun was not installed as a dependency.

Now, if I manually install crun, podman works again and the error is
gone. I think if podman finds that crun is installed, it will use it.
Otherwise it will use runc as a fallback.

Since both runc and crun packages can coexist in the system, I think a
quick fix could be removing the runc dependency on podman, so it will
always pull in crun as a dependency. At least until the root cause of
this problem is found and fixed.


--
regards,
    Reinhard

Shengjing Zhu
May 31, 2022, 12:20:03 AM
On Tue, May 31, 2022 at 3:33 AM Reinhard Tartler <sire...@gmail.com> wrote:
>
>
> I wonder whether this may be related to upstream report at https://github.com/containers/common/issues/631
>
> It seems that in debian/bullseye, podman is only able to work in crun, since the version of runc we have in stable seems to have issues with seccomp. Can you please try the following for me with both crun and runc installed:
>
> root@pve:~# podman run --runtime runc --security-opt=seccomp=unconfined --rm -it debian date
> Mon May 30 19:18:05 UTC 2022
>
> That does appear to work at least on my system.
>
> This might indicate that this is actually a change that needs to go into golang-github-containers-common then...
>

If I read the issue correctly, it's because in the last stable update,
the defaultErrnoRet feature is backported. However runc doesn't
support it until v1.0.0-rc95(stable has rc93). I don't think runc will
get feature backports in stable. So probably only crun can be used by
podman now in stable.

--
Shengjing Zhu
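The two messages above pin the failure on a seccomp profile that sets defaultErrnoRet being loaded by a runc that ignores that field. The script below is an added example, not code from podman, runc or containers-common: it takes a seccomp profile, works out which syscall rules collide with the default action once defaultErrnoRet is ignored, and emits a profile that such a runtime can still load. It rests on two assumptions stated here and in the code: a runtime that does not understand defaultErrnoRet treats SCMP_ACT_ERRNO as "return EPERM", and libseccomp refuses to add a rule whose action is identical to the filter's default action, which is what comes back as "permission denied". The sample profile is constructed for the example, shaped after the containers-common default in which bdflush and a few other obsolete syscalls explicitly return EPERM while everything unlisted returns ENOSYS.

```python
"""Check an OCI seccomp profile against an OCI runtime that ignores
"defaultErrnoRet", and produce a profile such a runtime can load.

Added example; not code from podman, runc or containers-common.  The only
libseccomp behaviour modelled (an assumption) is that adding a rule whose
action is identical to the filter's default action is refused.
"""
import copy
import errno
import json

# Assumption: a runtime that does not understand defaultErrnoRet falls back
# to SCMP_ACT_ERRNO returning EPERM for the default action.
LEGACY_DEFAULT_ERRNO = errno.EPERM

# Constructed sample, shaped like the containers-common default profile:
# unlisted syscalls get ENOSYS via defaultErrnoRet, a few obsolete ones are
# explicitly given EPERM, and the listed ones are allowed.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": errno.ENOSYS,
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "exit_group", "execve"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["bdflush", "kexec_file_load", "sysfs"],
         "action": "SCMP_ACT_ERRNO", "errnoRet": errno.EPERM},
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
    ],
}


def _action_key(action, errno_ret):
    """The action as libseccomp effectively sees it: for SCMP_ACT_ERRNO the
    errno value is part of the action, so ERRNO(EPERM) and ERRNO(ENOSYS)
    are different actions."""
    if action == "SCMP_ACT_ERRNO":
        return (action, LEGACY_DEFAULT_ERRNO if errno_ret is None else errno_ret)
    return (action, None)


def default_action_key(profile, honours_default_errno_ret):
    """Effective default action for a runtime that does or does not honour
    the profile's defaultErrnoRet field."""
    errno_ret = profile.get("defaultErrnoRet") if honours_default_errno_ret else None
    return _action_key(profile["defaultAction"], errno_ret)


def conflicting_syscalls(profile, honours_default_errno_ret):
    """Names of syscalls whose rule duplicates the effective default action.
    In the modelled behaviour the runtime fails at the first of these with
    'error adding seccomp filter rule for syscall <name>: permission denied'."""
    default = default_action_key(profile, honours_default_errno_ret)
    hits = []
    for rule in profile.get("syscalls", []):
        if _action_key(rule["action"], rule.get("errnoRet")) == default:
            hits.extend(rule["names"])
    return hits


def downgrade_profile(profile):
    """Return a copy loadable by a runtime that ignores defaultErrnoRet.

    defaultErrnoRet is removed and rules that would then duplicate the
    default action are dropped: those syscalls already get EPERM from the
    default, so their behaviour is unchanged.  The one semantic change is
    that syscalls not listed at all now fail with EPERM instead of ENOSYS;
    glibc only falls back to an older syscall on ENOSYS, so test the
    workload before relying on the downgraded profile.
    """
    new = copy.deepcopy(profile)
    new.pop("defaultErrnoRet", None)
    default = default_action_key(new, honours_default_errno_ret=False)
    new["syscalls"] = [
        rule for rule in new["syscalls"]
        if _action_key(rule["action"], rule.get("errnoRet")) != default
    ]
    return new


if __name__ == "__main__":
    print("runtime honouring defaultErrnoRet, conflicts:",
          conflicting_syscalls(SAMPLE_PROFILE, True))
    print("runtime ignoring defaultErrnoRet, conflicts:",
          conflicting_syscalls(SAMPLE_PROFILE, False))
    fixed = downgrade_profile(SAMPLE_PROFILE)
    # Save this and pass it with: podman run --security-opt seccomp=<file> ...
    print(json.dumps(fixed, indent=2))
```

Running the script against a real profile (for example the one shipped in /usr/share/containers/seccomp.json, loaded with json.load) tells you before starting a container whether an older runc will choke on it. The downgraded profile can be handed to podman with `--security-opt seccomp=<file>`, which keeps the allow-list in force; `seccomp=unconfined`, as used in the workaround above, removes the filter entirely and is a much larger loss of isolation. Installing crun, or the runc update discussed in the thread, is still the proper fix.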

Reinhard Tartler
Jun 12, 2022, 4:30:03 PM
Control: reassign -1 runc 1.0.0~rc93+ds1

Shengjing, you are right (as always),

I can confirm that backporting this patch does fix this issue: https://salsa.debian.org/go-team/packages/runc/-/commit/1d73689985b29ec5b8477dbc6df8004aa09771d1

I'll upload to stable and request it to be unblocked shortly.
--
regards,
    Reinhard