
Bug#1007022: podman: starting rootless container fails with: can't get final child's PID from pipe: EOF


Gabriel Filion

Mar 10, 2022, 2:00:03 PM
Package: podman
Version: 3.4.4+ds1-1
Severity: normal

Hello,

I used to be able to run rootless container on debian sid maybe 3 months ago
(I'm sorry, I don't have much more precise information about versions when
things used to work), but now that I try and start containers again I am
consistently hitting errors of this form:

$ podman run -d --name="draw" -p 8080:8080 -p 8443:8443 fjudith/draw.io
Error: OCI runtime error: unable to start container "0f2eb8afb9ce6eebbede769dc288e228ea6cbae0e76936672e6673228ac6862c": runc create failed: unable to start container process: can't get final child's PID from pipe: EOF

so no container will start at all in rootless mode

for information, the images required for running the containers were correctly
downloaded and are available locally.

I've tried to search for information about this online but the cause for this
particular error message can seemingly be very varied. The usual answers about
the user.max_user_namespaces kernel option, or memory allocation settings for
images/containers seem not to hold in this case.

if I run the container as root with:

# sudo podman run -d --name="draw" -p 8080:8080 -p 8443:8443 fjudith/draw.io

then it's getting started as expected.

I'm not sure what additional information could be helpful, but I'm willing to
send more output from logs/commands to help out identify what's happening.

-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-4-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.utf8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages podman depends on:
ii conmon 2.0.25+ds1-1.1
ii containernetworking-plugins 1.1.0+ds1-1
ii golang-github-containers-common 0.44.4+ds1-1
ii init-system-helpers 1.62
ii libc6 2.33-7
ii libdevmapper1.02.1 2:1.02.175-2.1
ii libgpgme11 1.16.0-1.2
ii libseccomp2 2.5.3-2
ii runc 1.1.0+ds1-1

Versions of packages podman recommends:
ii buildah 1.23.1+ds1-2
ii fuse-overlayfs 1.7.1-1
ii golang-github-containernetworking-plugin-dnsname 1.3.1+ds1-2
ii slirp4netns 1.0.1-2
ii tini 0.19.0-1
ii uidmap 1:4.11.1+dfsg1-2

Versions of packages podman suggests:
pn containers-storage <none>
ii docker-compose 1.29.2-1
ii iptables 1.8.7-1

-- Configuration Files:
/etc/cni/net.d/87-podman-bridge.conflist [Errno 13] Permission denied: '/etc/cni/net.d/87-podman-bridge.conflist'

-- no debconf information

Adam Williamson

Mar 21, 2022, 9:40:03 PM
Just reporting I found the same problem on Fedora 36. Filed here:
https://bugzilla.redhat.com/show_bug.cgi?id=2066527 .
--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net

Gabriel Filion

Apr 16, 2022, 2:30:03 PM
Hi,

On Mon, 21 Mar 2022 18:25:33 -0700 Adam Williamson <awil...@redhat.com>
wrote:
> Just reporting I found the same problem on Fedora 36. Filed here:
> https://bugzilla.redhat.com/show_bug.cgi?id=2066527 .

Thanks for this added information!

Following information from the redhat bug report, I've tried this on my
computer which actually fixed the situation for me (so it is a workaround):

1. apt install crun
2. use podman to destroy my rootless containers
3. re-create the rootless containers and start them

The crun package was not installed, apparently because it's a
"either/or" dependency for podman and "runc" was installed here.

Now I have both runc *and* crun installed. I don't know if I need both,
but seeing as containers run as my non-root user as it currently is I
won't change anything.

Cheers!

Arnaud Rebillout

May 19, 2022, 11:00:03 PM
I can reproduce it locally.

For background: I just set up a new machine, and I installed both
docker.io and podman. Since docker.io depends on runc, and podman
depends on crun|runc, only runc was installed.

The issue is fixed after installing crun manually (note that both runc
and crun can be installed on the system, it doesn't seem to cause any
issue).

Cheers,

Arnaud

Shengjing Zhu

Jun 19, 2022, 3:40:06 AM
On Fri, Mar 11, 2022 at 2:51 AM Gabriel Filion <gab...@lelutin.ca> wrote:
>
> Package: podman
> Version: 3.4.4+ds1-1
> Severity: normal
>
> Hello,
>
> I used to be able to run rootless container on debian sid maybe 3 months ago
> (I'm sorry, I don't have much more precise information about versions when
> things used to work), but now that I try and start containers again I am
> consistently hitting errors of this form:
>
> $ podman run -d --name="draw" -p 8080:8080 -p 8443:8443 fjudith/draw.io
> Error: OCI runtime error: unable to start container "0f2eb8afb9ce6eebbede769dc288e228ea6cbae0e76936672e6673228ac6862c": runc create failed: unable to start container process: can't get final child's PID from pipe: EOF
>

Can someone check if you still fail to run rootless container with
runc and podman 4.1?

I think it's because
https://github.com/containers/podman/issues/13731, which is fixed in
podman 4.1.
And it's caused by systemd 250 which changes OOMScoreAdjust in user@.service

--
Shengjing Zhu

Gabriel Filion

Jun 19, 2022, 2:00:04 PM
Hi again,

On 2022-06-19 03:28, Shengjing Zhu wrote:
>> I used to be able to run rootless container on debian sid maybe 3 months ago
>> (I'm sorry, I don't have much more precise information about versions when
>> things used to work), but now that I try and start containers again I am
>> consistently hitting errors of this form:
>>
>> $ podman run -d --name="draw" -p 8080:8080 -p 8443:8443 fjudith/draw.io
>> Error: OCI runtime error: unable to start container "0f2eb8afb9ce6eebbede769dc288e228ea6cbae0e76936672e6673228ac6862c": runc create failed: unable to start container process: can't get final child's PID from pipe: EOF
>>
> Can someone check if you still fail to run rootless container with
> runc and podman 4.1?
>
> I think it's because
> https://github.com/containers/podman/issues/13731, which is fixed in
> podman 4.1.
> And it's caused by systemd 250 which changes OOMScoreAdjust in user@.service

For an added tidbit of information, I am under the impression that I
need the "crun" package because of this configuration:

$ podman info
[...]
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun


Although I tried changing that by creating a file
~/.config/containers/containers.conf with this:

[engine]
runtime = "runc"

and then I had to remove currently existing containers to recreate them.

and although "podman info" and "podman container inspect ..." show me
that runc should now be used, I'm still getting the error above. So I
don't know how to get containers to run with runc.


Is it possible that podman has changed its default runtime to crun? In
this case, would it make more sense for the podman debian package to
depend on crun by default instead of runc?

Arnaud Rebillout

Jun 20, 2022, 10:00:04 AM
Hi Shengjing,

On Sun, 19 Jun 2022 15:28:32 +0800 Shengjing Zhu <zh...@debian.org> wrote:
> Can someone check if you still fail to run rootless container with
> runc and podman 4.1?
>
> I think it's because
> https://github.com/containers/podman/issues/13731, which is fixed in
> podman 4.1.
> And it's caused by systemd 250 which changes OOMScoreAdjust in user@.service

I just tried, and it seems that indeed, podman 4.1 fixes the issue. Here
are the steps I followed:

1) I removed the package crun, so that I only have runc installed:

    $ sudo apt purge crun

2) From this point, I can reproduce the issue:

    $ podman run --rm -it kali-rolling
    Error: OCI runtime error: runc create failed: unable to start container process: can't get final child's PID from pipe: EOF

3) Now I install podman from experimental:

    $ sudo apt install -t experimental podman
    Get:1 http://deb.debian.org/debian experimental/main amd64 golang-github-containers-common all 0.48.0+ds1-1 [34.5 kB]
    Get:2 http://deb.debian.org/debian experimental/main amd64 podman amd64 4.1.0+ds2-2 [9,997 kB]
    Get:3 http://deb.debian.org/debian experimental/main amd64 buildah amd64 1.26.1+ds1-1 [6,041 kB]

4) Tried to run podman rootless again:

    $ podman run --rm -it kali-rolling
    ┌──(root㉿633e94a0ebde)-[/]
    └─#

It works!

Thanks,

--
Arnaud Rebillout / Offensive Security / Kali Linux Developer
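
Added example (not part of the thread, and not podman or runc code): a shell check that classifies a host against the conditions reported above, namely runc as the OCI runtime, podman older than 4.1, and a user session whose oom_score_adj was raised by systemd 250's user@.service. The function names are hypothetical, and treating any inherited oom_score_adj above 0 as the trigger is an assumption; the thread does not spell out the mechanism.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical.

# ver_lt A B: succeed if dotted version A sorts strictly before B.
# Relies on "sort -V" (GNU coreutils or busybox).
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# diagnose CUR_ADJ RUNTIME PODMAN_VERSION
#   CUR_ADJ         oom_score_adj inherited by the user's session
#   RUNTIME         OCI runtime name shown by "podman info" (runc or crun)
#   PODMAN_VERSION  upstream version, e.g. 3.4.4 (no Debian suffix)
# Prints a one-line verdict; returns 1 only for the failing combination.
diagnose() {
    cur=$1 runtime=$2 pver=$3
    if [ "$cur" -le 0 ]; then
        # Assumption: with no raised value inherited, the trigger is absent.
        echo "ok: session oom_score_adj=$cur is not raised"
        return 0
    fi
    if ! ver_lt "$pver" "4.1"; then
        echo "ok: podman $pver is 4.1 or later, reported fixed"
        return 0
    fi
    if [ "$runtime" = "runc" ]; then
        echo "affected: podman $pver + runc, session oom_score_adj=$cur"
        return 1
    fi
    echo "workaround: podman $pver uses $runtime instead of runc"
    return 0
}

# diagnose_host: gather the three inputs from the running system.
diagnose_host() {
    cur=$(cat /proc/self/oom_score_adj)
    runtime=$(podman info --format '{{.Host.OCIRuntime.Name}}')
    pver=$(podman --version | awk '{print $3}')
    diagnose "$cur" "$runtime" "$pver"
}
```

Run diagnose_host as the rootless user on the affected machine. After switching runtimes, existing containers have to be removed and re-created, as in the workaround steps earlier in the thread.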