Closed (adelton closed this issue 7 months ago)
Try: podman run --rm -ti --security-opt unmask=/proc --user podman quay.io/podman/stable
We need to fix these Warnings about the /run/secrets directory.
Also, can you do podman run --rm -ti -v /dev/null:/etc/containers/mounts.conf --security-opt unmask=/proc --user podman quay.io/podman/stable to see if this cleans it up.
Do you mean to try these for the first podman, or that podman-in-podman invocation?
First podman. The kernel does not allow a process to modify a modified /proc.
The behaviour, including the nondeterminism, seems to still be there:
$ podman run --rm -ti -v /dev/null:/etc/containers/mounts.conf --security-opt unmask=/proc --user podman quay.io/podman/stable
[podman@5c678908c060 /]$ mount | grep proc
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /proc/acpi type tmpfs (ro,relatime,context="system_u:object_r:container_file_t:s0:c392,c957",size=0k,uid=1000,gid=1000,inode64)
devtmpfs on /proc/kcore type devtmpfs (ro,nosuid,seclabel,size=4096k,nr_inodes=4062785,mode=755,inode64)
devtmpfs on /proc/keys type devtmpfs (ro,nosuid,seclabel,size=4096k,nr_inodes=4062785,mode=755,inode64)
devtmpfs on /proc/latency_stats type devtmpfs (ro,nosuid,seclabel,size=4096k,nr_inodes=4062785,mode=755,inode64)
devtmpfs on /proc/timer_list type devtmpfs (ro,nosuid,seclabel,size=4096k,nr_inodes=4062785,mode=755,inode64)
tmpfs on /proc/scsi type tmpfs (ro,relatime,context="system_u:object_r:container_file_t:s0:c392,c957",size=0k,uid=1000,gid=1000,inode64)
proc on /proc/asound type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/bus type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/fs type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/irq type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
[podman@5c678908c060 /]$ mount | grep ' on /proc '
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
[podman@5c678908c060 /]$ podman run --rm -ti --user podman quay.io/podman/stable
Trying to pull quay.io/podman/stable:latest...
Getting image source signatures
Copying blob 77c9c34091b4 done |
Copying blob 1e910112bc7f done |
Copying blob 10327c9af971 done |
Copying blob 9fa763129095 done |
Copying blob 4e8a4684a6a4 done |
Copying blob 718a00fe3212 done |
Copying blob fd72a3378718 done |
Copying blob 3f30707a1d42 done |
Copying blob a681dc7022f8 done |
Copying config 314b296d26 done |
Writing manifest to image destination
Error: container create failed (no logs from conmon): conmon bytes "": readObjectStart: expect { or n, but found , error found in #0 byte of ...||..., bigger context ...||...
[podman@5c678908c060 /]$ podman run --rm -ti --user podman quay.io/podman/stable
Error: crun: set propagation for `proc`: Permission denied: OCI permission denied
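To see, from inside the container, which /proc paths the runtime still masks (the ro remounts and tmpfs/devtmpfs overlays in the mount listing above) before attempting the nested podman run, here is an added shell helper; it is not from the issue or the podman project, and the sample mount output is constructed from the listing above.

```shell
# Added diagnostic: parse `mount` output and report which /proc paths are
# masked, so you can confirm whether --security-opt unmask=/proc took effect.
#
# Constructed sample, trimmed from the mount listing posted in the issue.
SAMPLE_MOUNT_OUTPUT='proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /proc/acpi type tmpfs (ro,relatime,context="system_u:object_r:container_file_t:s0:c392,c957",size=0k,uid=1000,gid=1000,inode64)
devtmpfs on /proc/kcore type devtmpfs (ro,nosuid,seclabel,size=4096k,nr_inodes=4062785,mode=755,inode64)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
tmpfs on /run/secrets type tmpfs (rw,relatime)'

# masked_proc_paths MOUNT_OUTPUT
# Prints "<path> <fstype> <first-option>" for every mount below /proc that is
# either remounted read-only or is a non-proc filesystem laid over a /proc path.
masked_proc_paths() {
  printf '%s\n' "$1" | awk '
    $3 ~ /^\/proc\/./ {
      opts = $6                       # "(ro,nosuid,...)"
      gsub(/[()]/, "", opts)
      split(opts, o, ",")             # o[1] is "ro" or "rw"
      # a read-only remount or a tmpfs/devtmpfs over a /proc path is a mask
      if (o[1] == "ro" || $5 != "proc") print $3, $5, o[1]
    }'
}

# count_masked MOUNT_OUTPUT -> number of masked /proc paths
count_masked() {
  masked_proc_paths "$1" | wc -l | tr -d ' '
}

# proc_is_unmasked MOUNT_OUTPUT
# Succeeds only if /proc itself is mounted as proc and nothing below it is masked.
proc_is_unmasked() {
  printf '%s\n' "$1" | awk '$3 == "/proc" && $5 == "proc" { found = 1 } END { exit !found }' \
    && [ "$(count_masked "$1")" -eq 0 ]
}

# Run it on live data with: masked_proc_paths "$(mount)"
masked_proc_paths "$SAMPLE_MOUNT_OUTPUT"
```

An empty result from `masked_proc_paths "$(mount)"` is what the unmask option is meant to produce; anything listed is a path the runtime is still protecting.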
In a possibly related issue, I'm seeing similar warning messages running quay.io/buildah/stable on my CRI-O Kubernetes cluster:
WARN[0000] Path "/run/secrets/etc-pki-entitlement" from "/etc/containers/mounts.conf" doesn't exist, skipping
WARN[0000] Path "/run/secrets/rhsm" from "/etc/containers/mounts.conf" doesn't exist, skipping
Yes, we need to figure out how to fix this on systems that do not have subscription-manager installed on them. Probably drop the Warning to info.
This issue however was about that
Error: container create failed (no logs from conmon): conmon bytes "": readObjectStart: expect { or n, but found , error found in #0 byte of ...||..., bigger context ...||...
vs.
Error: crun: set propagation for `proc`: Permission denied: OCI permission denied
not about those mountpoint WARNs.
"no logs from conmon" is #10927, one of our longest-standing and most annoying flakes. I've never seen it on run, only exec. And I tried your reproducer on my f39 laptop, no luck.
Issue Description
I try to debug some rootless setups in OpenShift per https://www.redhat.com/sysadmin/podman-inside-kubernetes. I know it says
and I try to find out what exactly would fail, to possibly amend the SELinux / OpenShift policies. So it is expected that my attempt to run a rootless podman container in a rootless container fails.
However, the error message I get when running a rootless container in a rootless container seems not stable, which is worrying.
Steps to reproduce the issue
$ podman run --rm -ti --user podman quay.io/podman/stable
[podman@8c2d1ecef2c7 /]$ podman run --rm -ti --user podman quay.io/podman/stable
[podman@8c2d1ecef2c7 /]$ podman run --rm -ti --user podman quay.io/podman/stable
Describe the results you received
Describe the results you expected
I expect the error message to be the same every time.
podman info output
On the host:
In the container: