Error: error opening "/etc/cni/net.d/cni.lock": permission denied

[djarbz]

I'm not sure if this is an issue with your build, upstream, or with my host. I'm using podman v4 as in the ticket I just closed out for my rootlessport issue.

test@2006-ct:~$ podman info
WARN[0000] "/" is not a shared mount, this could cause issues or missing mounts with rootless containers 
Error: error opening "/etc/cni/net.d/cni.lock": permission denied

[hswong3i]

I am studying https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md and let's see if any else missing from our repo toolchain?

• cgroup V2 support
  • Your kernel need to boot with cgroupv2 support
  • We already have crun in repo, and usually default with it
• Install slirp4netns
  • Ok I just package it for most repo: https://build.opensuse.org/package/show/home:alvistack/rootless-containers-slirp4netns-1.1.12
  • May also package https://gitlab.freedesktop.org/slirp/libslirp so every OS could compile with slirp4netns-1.1.12
• Ensure fuse-overlayfs is installed
  • We already have fuse-overlayfs in repo, and usually default with it

IMHO remaining setup are most likely individual installation independent configuration; since this Ansible Role target for fail-safe best default only (and avoid additional manual configuration if possible), I am not going to include rootless container default into this role.

Again, my general recommendation: since cgroup V2 support is NOT generally available for most OS (e.g. with Fedora >= 31, with Kernel >= 4.15, etc etc etc...), from today point of view using sudo podman could be most simple solution :-(

[djarbz]

From what I can tell, Debian 11 does support cgroupv2.

ansible@2006-ct:~$ ls /sys/fs/cgroup
cgroup.controllers      cgroup.subtree_control  cpu.uclamp.min         cpuset.mems.effective     hugetlb.1GB.rsvd.current  hugetlb.2MB.rsvd.max  memory.current       memory.numa_stat     memory.swap.max  rdma.max
cgroup.events           cgroup.threads          cpu.weight             dev-hugepages.mount       hugetlb.1GB.rsvd.max      init.scope            memory.events        memory.oom.group     misc.current     system.slice
cgroup.freeze           cgroup.type             cpu.weight.nice        dev-mqueue.mount          hugetlb.2MB.current       io.max                memory.events.local  memory.pressure      misc.max         user.slice
cgroup.max.depth        cpu.max                 cpuset.cpus            hugetlb.1GB.current       hugetlb.2MB.events        io.pressure           memory.high          memory.stat          pids.current
cgroup.max.descendants  cpu.pressure            cpuset.cpus.effective  hugetlb.1GB.events        hugetlb.2MB.events.local  io.stat               memory.low           memory.swap.current  pids.events
cgroup.procs            cpu.stat                cpuset.cpus.partition  hugetlb.1GB.events.local  hugetlb.2MB.max           io.weight             memory.max           memory.swap.events   pids.max
cgroup.stat             cpu.uclamp.max          cpuset.mems            hugetlb.1GB.max           hugetlb.2MB.rsvd.current  libpod_parent         memory.min           memory.swap.high     rdma.current

I did not have the fuse-overlayfs packaged installed, so I tired installing that with no luck. Rootless podman does work with the Debian 11 provided Podman package, it is just outdated, so I don't see why updating to v4 should make it not work. I'm sure there is just something missing from my setup.

I know your repository has a bunch of packages needed for the Ansible integration for this Git repository, is there a list of all packages I need to install from your repo just to get Podman working?

[djarbz]

Hello @hswong3i

It appears that you are shipping an incorrect containers.conf with your Podman build.

According to this #13402 (comment), /usr/share/containers/containers.conf should have all fields commented out.

ansible@2006-ct:~$ egrep -v "^#|^$" /usr/share/containers/containers.conf 
[containers]
default_capabilities = [
    "AUDIT_WRITE",
    "CHOWN",
    "DAC_OVERRIDE",
    "FOWNER",
    "FSETID",
    "KILL",
    "MKNOD",
    "NET_BIND_SERVICE",
    "NET_RAW",
    "SETFCAP",
    "SETGID",
    "SETPCAP",
    "SETUID",
    "SYS_CHROOT",
]
default_sysctls = [
    "net.ipv4.ping_group_range=0 0",
]
env = [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "TERM=xterm",
]
seccomp_profile = "/usr/share/containers/seccomp.json"
[secrets]
[secrets.opts]
[network]
cni_plugin_dirs = [
    "/usr/local/libexec/cni",
    "/usr/libexec/cni",
    "/usr/local/lib/cni",
    "/usr/lib/cni",
    "/opt/cni/bin",
]
[engine]
conmon_env_vars = [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "TERM=xterm",
]
env = [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "TERM=xterm",
]
hooks_dir = [
    "/usr/share/containers/oci/hooks.d",
]
infra_command = "/pause"
infra_image = ""
[engine.runtimes]
[engine.volume_plugins]
[machine]

[hswong3i]

@djarbz wow again good catch!!

Ok so this rootless problem should be solve from 2 way:

• Some tidy up here need to keep as commented: /usr/share/containers/containers.conf
  • https://github.com/alvistack/containers-common/commit/466d4b6f239cc0c12df5472aff16ddaea8b4717b#diff-f38944fdd6507cc37badbde5c66785bdebb77bd6fa2ea0674cd8117f89e95676
• Again some default value from here need to keep as commented: /etc/containers/containers.conf.j2
  • https://github.com/alvistack/ansible-role-containers_common/blob/master/templates/etc/containers/containers.conf.j2

@djarbz could you give me some more help? As https://github.com/containers/podman/issues/13402#issuecomment-1060018322 suggested, comment those individual variable pair of parameters from both files one by one, until your rootless mode could start correctly?

e.g. If network_config_dir looks troublesome, comment it from both files, and rerun your roootless mode, check the result, give me the feedback here and I will follow up from both packages and roles ;-)

[djarbz]

@hswong3i I'm not exactly clear on what you are asking me to do.

/etc/containers/containers.conf only has the configuration that I wrote to it, but it is very possible that I overwrote that file with my Ansible role. Just to be sure, I uninstalled and reinstalled podman and it did not recreate containers.conf.

As for the /usr/share/containers/containers.conf, when I comment out the network_config_dir line, then it works for me, or at the very least I no longer get the cni.lock error.

[hswong3i]

@djarbz some related packages are now re-packaged:

Corresponding Ansible Roles also updated, e.g. ansible-role-containers_common, ansible-role-cri_o, etc.

Your suggested network_config_dir already commented by default, with other else tidy up / upgrade / sync with upstream / etc. Please try again ;-)

[djarbz]

Hey, it worked this time on a fresh install! I think we can close out this ticket!

[hswong3i]

@djarbz you are my real hero ;-)

With your bug report ~30 packages and Ansible Roles are newly added or retouch for solving an issue that I seldom use, but already keep in my roadmap for 6+ months just due to my laziness ;-)

Again thank you very much ;-)

[djarbz]

@hswong3i no worries, I'm glad to help! I thank you for hosting this repo so I can keep my Podman up to date since Debian is so far behind.

You should look into rootless now, it works for me other than needed to reboot after enabling lingering on a user. I have a ticket open over at Podman for that.