Closed jskov-jyskebank-dk closed 3 years ago
@giuseppe or @rhatdan thoughts?
Did you see any AVC messages ausearch -m avc -ts recent
Uh, @rhatdan, I run it in a container on an OpenShift platform. I do not have shell access on the host.
I do not assume you meant executed in the container? FWIW that fails (maybe I need to start some process?)
# ausearch -m avc -ts recent
Error opening /var/log/audit/audit.log (No such file or directory)
The AVCs should be in the journal if the audit.log does not exist.
journalctl -b | grep -i avc
There is no audit.log file and no journal:
sh-5.0$ journalctl -b | grep -i avc
No journal files were found.
Could you try that with sudo?
Same.
But as expected, surely? I run in an F32 container on OpenShift which just runs a Python web server (as in https://github.com/containers/buildah/blob/master/docs/tutorials/05-openshift-rootless-bud.md). This happens in the Pod's terminal.
sh-5.0# journalctl -b | grep -i avc
No journal files were found.
sh-5.0# ls -lrt /var/log
total 492
drwxr-xr-x. 2 root root 235 May 15 06:48 anaconda
-rw-r--r--. 1 root root 1040 May 31 05:05 README
-rw-rw-r--. 1 root utmp 0 Jul 15 12:01 wtmp
-rw-------. 1 root root 0 Jul 15 12:01 tallylog
drwx------. 2 root root 6 Jul 15 12:01 private
-rw-rw----. 1 root utmp 0 Jul 15 12:01 btmp
-rw-r--r--. 1 root root 29885 Sep 22 05:52 dnf.librepo.log
-rw-r--r--. 1 root root 6473 Sep 22 05:53 dnf.rpm.log
-rw-r--r--. 1 root root 561 Sep 22 05:53 hawkey.log
-rw-r--r--. 1 root root 62030 Sep 22 05:53 dnf.log
-rw-rw-r--. 1 root utmp 292292 Sep 22 05:54 lastlog
This seems a little weird. The machine you are running this on does not support the journal?
sh-5.0# journalctl -b | grep -i avc
No journal files were found.
It is an F32 image running on OpenShift. So it runs nothing but a dumb web server (to keep the Pod alive) and my terminal.
The host - the OpenShift platform - is not something I have access to.
I can try to reach out to those who run the platform...
@jskovjyskebankdk Did you ever get any further with this? I don't believe this is a buildah issue per se but something to do with the environment that it is running in.
Sorry.
I thought so, but must have forgotten, because I can find no mails about it.
I have just reproduced with Podman:
Version: 2.2.1
API Version: 2.1.0
Go Version: go1.15.5
Built: Tue Dec 8 15:37:50 2020
OS/Arch: linux/amd64
on OCP 4.6.13
I will send that mail to the admins.
Data from the admins. Hope this tells you something @rhatdan
# ausearch -m avc -ts recent
----
time->Thu Feb 11 07:17:33 2021
type=AVC msg=audit(1613024253.291:12420): avc: denied { remount } for pid=2064839 comm="5" scontext=system_u:system_r:container_t:s0:c2,c28 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem permissive=0
# cat /etc/redhat-release
Red Hat Enterprise Linux CoreOS release 4.6
# uname -a
Linux XXX 4.18.0-193.40.1.el8_2.x86_64 #1 SMP Wed Jan 6 10:54:57 EST 2021 x86_64 x86_64 x86_64 GNU/Linux
Well, that should be allowed by SELinux. Fixed in upstream.
https://github.com/containers/container-selinux/releases/tag/v2.158.0
Should end up being in the RHEL 8.4 release.
Awesome! Cheers!
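As an added example (not code from this thread, nor from buildah, podman or container-selinux): a small Python parser for AVC records of the kind the cluster admins posted above, the sort of thing you would run over `ausearch -m avc -ts recent` or `journalctl -b | grep -i avc` output to pull out the source type, target type, object class and denied permission, and to see from `permissive=` whether the denial was actually enforced. The AVC line in the sample input is the one from this thread; the surrounding non-AVC lines are constructed to show that other record types are skipped. The allow rule it derives is the form audit2allow prints; it is for triage only, not for loading on a host without review by whoever owns the policy.

```python
"""Parse SELinux AVC records into fields and derive the audit2allow-style rule
that would cover each denial.  Added example for this thread; not part of
buildah, podman or container-selinux.
"""
import re
from typing import Dict, List, Optional

# Constructed input.  The type=AVC line is the record the admins posted in this
# thread; the other lines are made up so the parser's filtering is exercised.
SAMPLE_AUDIT = """\
----
time->Thu Feb 11 07:17:33 2021
type=SYSCALL msg=audit(1613024253.291:12420): arch=c000003e syscall=165 success=no exit=-13 comm="5"
type=AVC msg=audit(1613024253.291:12420): avc: denied { remount } for pid=2064839 comm="5" scontext=system_u:system_r:container_t:s0:c2,c28 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; quoted values (comm="5") keep spaces intact
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context: str) -> str:
    """user:role:type[:range] -> type, e.g. system_u:system_r:container_t:s0:c2,c28 -> container_t."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {context!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Structured record for one AVC line, or None for any other kind of line."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            return None  # truncated record; do not guess the missing context
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "source_type": _type_of(fields["scontext"]),
        "target_type": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the kernel actually blocked the access;
        # permissive=1 means it was only logged (domain or system in permissive mode)
        "enforced": fields.get("permissive", "0") == "0",
    }


def find_denials(text: str) -> List[Dict[str, object]]:
    """All denials (enforced or merely logged) in a blob of ausearch/journalctl output."""
    return [r for r in map(parse_avc, text.splitlines()) if r and r["verdict"] == "denied"]


def allow_rule(record: Dict[str, object]) -> str:
    """The TE allow rule audit2allow would print for this denial.  Review before
    loading: a rule like remount on every nfs_t filesystem may be broader than
    what the policy maintainers chose to ship."""
    perms = " ".join(record["perms"])
    return f"allow {record['source_type']} {record['target_type']}:{record['tclass']} {{ {perms} }};"


if __name__ == "__main__":
    for rec in find_denials(SAMPLE_AUDIT):
        mode = "ENFORCED" if rec["enforced"] else "permissive (logged only)"
        print(f"{rec['comm']} (pid {rec['pid']}) denied {rec['perms']} on "
              f"{rec['target_type']}:{rec['tclass']} [{mode}]")
        print("  " + allow_rule(rec))
```

Run it against real output by piping `ausearch -m avc -ts recent` into `find_denials`; an enforced denial with `container_t` as source and the volume's filesystem type (here `nfs_t`) as target is the signature of a missing rule in the container policy rather than of anything podman or buildah did wrong.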
Description
Podman fails build when mounting volumes from folders on NFS with different options (writable and read-only).
This is when running in a rootless container on OpenShift (4.4.20).

Steps to reproduce the issue:
/opt/persistence
::Z,rw
and:Z,ro
):

Describe the results you received:
/opt/persistence in my OpenShift container is:

Describe the results you expected:
It works fine when using folders on /tmp:
/tmp is mounted like this:

Output of rpm -q buildah or apt list buildah:

Output of buildah version:

Output of podman version if reporting a podman build issue:

Output of cat /etc/release:

Output of uname -a:

Output of cat /etc/containers/storage.conf: