containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0
23.47k stars 2.39k forks

"OCI permission denied" running busybox #23356

Closed cowlingj closed 1 month ago

cowlingj commented 2 months ago

Issue Description

Running any container in rootless mode results in an "OCI permission denied" error (running with sudo works)

Steps to reproduce the issue

  1. podman run busybox

Describe the results you received

Error: crun: make `/home/jonathan/.local/share/containers/storage/overlay/efb7154534ee93a2f2cbe90342b436f3d80ec0fa8d117af67c3aed5b9ac291f3/merged` private: Permission denied: OCI permission denied

Describe the results you expected

The container to run

podman info output

host:
  arch: amd64
  buildahVersion: 1.36.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.12-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: e8896631295ccb0bfdda4284f1751be19b483264'
  cpuUtilization:
    idlePercent: 98.81
    systemPercent: 0.31
    userPercent: 0.88
  cpus: 24
  databaseBackend: sqlite
  distribution:
    distribution: manjaro
    version: unknown
  eventLogger: journald
  freeLocks: 2042
  hostname: Highwind
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.6.40-1-MANJARO
  linkmode: dynamic
  logDriver: journald
  memFree: 25840742400
  memTotal: 33412100096
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: /usr/lib/podman/aardvark-dns is owned by aardvark-dns 1.11.0-1
      path: /usr/lib/podman/aardvark-dns
      version: aardvark-dns 1.11.0
    package: /usr/lib/podman/netavark is owned by netavark 1.11.0-2
    path: /usr/lib/podman/netavark
    version: netavark 1.11.0
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.15-1
    path: /usr/bin/crun
    version: |-
      crun version 1.15
      commit: e6eacaf4034e84185fd8780ac9262bbf57082278
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: /usr/bin/pasta is owned by passt 2024_06_24.1ee2eca-1
    version: |
      pasta 2024_06_24.1ee2eca
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.3.1-1
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.5
  swapFree: 42948620288
  swapTotal: 42948620288
  uptime: 0h 52m 8.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/jonathan/.config/containers/storage.conf
  containerStore:
    number: 6
    paused: 0
    running: 0
    stopped: 6
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/jonathan/.local/share/containers/storage
  graphRootAllocated: 343596335104
  graphRootUsed: 319781093376
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 2
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/jonathan/.local/share/containers/storage/volumes
version:
  APIVersion: 5.1.2
  Built: 1720733172
  BuiltTime: Thu Jul 11 22:26:12 2024
  GitCommit: 94a24974ab345324db1a1489c924af4b89d2d0e9
  GoVersion: go1.22.5
  Os: linux
  OsArch: linux/amd64
  Version: 5.1.2

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

podman run --log-level=debug busybox

INFO[0000] podman filtering at log level debug          
DEBU[0000] Called run.PersistentPreRunE(podman run --log-level=debug busybox) 
DEBU[0000] Using conmon: "/usr/bin/conmon"              
INFO[0000] Using sqlite as database backend             
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /home/jonathan/.local/share/containers/storage 
DEBU[0000] Using run root /run/user/1000/containers     
DEBU[0000] Using static dir /home/jonathan/.local/share/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp      
DEBU[0000] Using volume path /home/jonathan/.local/share/containers/storage/volumes 
DEBU[0000] Using transient store: false                 
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Cached value indicated that metacopy is not being used 
DEBU[0000] Cached value indicated that native-diff is usable 
DEBU[0000] backingFs=btrfs, projectQuotaSupported=false, useNativeDiff=true, usingMetacopy=false 
DEBU[0000] Initializing event backend journald          
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument 
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument 
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument 
DEBU[0000] Configured OCI runtime crun-vm initialization failed: no valid executable found for OCI runtime crun-vm: invalid argument 
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument 
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument 
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument 
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument 
DEBU[0000] Using OCI runtime "/usr/bin/crun"            
INFO[0000] Setting parallel job count to 73             
DEBU[0000] Pulling image busybox (policy: missing)      
DEBU[0000] Looking up image "busybox" in local containers storage 
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux  [] } 
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf" 
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/00-shortnames.conf" 
DEBU[0000] Trying "docker.io/library/busybox:latest" ... 
DEBU[0000] parsed reference into "[overlay@/home/jonathan/.local/share/containers/storage+/run/user/1000/containers]@65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac" 
DEBU[0000] Found image "busybox" as "docker.io/library/busybox:latest" in local containers storage 
DEBU[0000] Found image "busybox" as "docker.io/library/busybox:latest" in local containers storage ([overlay@/home/jonathan/.local/share/containers/storage+/run/user/1000/containers]@65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac) 
DEBU[0000] exporting opaque data as blob "sha256:65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac" 
DEBU[0000] Looking up image "docker.io/library/busybox:latest" in local containers storage 
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux  [] } 
DEBU[0000] Trying "docker.io/library/busybox:latest" ... 
DEBU[0000] parsed reference into "[overlay@/home/jonathan/.local/share/containers/storage+/run/user/1000/containers]@65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac" 
DEBU[0000] Found image "docker.io/library/busybox:latest" as "docker.io/library/busybox:latest" in local containers storage 
DEBU[0000] Found image "docker.io/library/busybox:latest" as "docker.io/library/busybox:latest" in local containers storage ([overlay@/home/jonathan/.local/share/containers/storage+/run/user/1000/containers]@65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac) 
DEBU[0000] exporting opaque data as blob "sha256:65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac" 
DEBU[0000] Looking up image "busybox" in local containers storage 
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux  [] } 
DEBU[0000] Trying "docker.io/library/busybox:latest" ... 
DEBU[0000] parsed reference into "[overlay@/home/jonathan/.local/share/containers/storage+/run/user/1000/containers]@65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac" 
DEBU[0000] Found image "busybox" as "docker.io/library/busybox:latest" in local containers storage 
DEBU[0000] Found image "busybox" as "docker.io/library/busybox:latest" in local containers storage ([overlay@/home/jonathan/.local/share/containers/storage+/run/user/1000/containers]@65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac) 
DEBU[0000] exporting opaque data as blob "sha256:65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac" 
DEBU[0000] Inspecting image 65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac 
DEBU[0000] exporting opaque data as blob "sha256:65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac" 
DEBU[0000] Inspecting image 65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac 
DEBU[0000] Inspecting image 65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac 
DEBU[0000] Inspecting image 65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac 
DEBU[0000] using systemd mode: false                    
DEBU[0000] No hostname set; container's hostname will default to runtime default 
DEBU[0000] Loading seccomp profile from "/etc/containers/seccomp.json" 
DEBU[0000] Allocated lock 7 for container c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2 
DEBU[0000] exporting opaque data as blob "sha256:65ad0d468eb1c558bf7f4e64e790f586e9eda649ee9f130cd0e835b292bbc5ac" 
DEBU[0000] Cached value indicated that idmapped mounts for overlay are not supported 
DEBU[0000] Check for idmapped mounts support            
DEBU[0000] Created container "c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2" 
DEBU[0000] Container "c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2" has work directory "/home/jonathan/.local/share/containers/storage/overlay-containers/c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2/userdata" 
DEBU[0000] Container "c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2" has run directory "/run/user/1000/containers/overlay-containers/c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2/userdata" 
DEBU[0000] Not attaching to stdin                       
INFO[0000] Received shutdown.Stop(), terminating!        PID=13066
DEBU[0000] Enabling signal proxying                     
DEBU[0000] overlay: mount_data=lowerdir=/home/jonathan/.local/share/containers/storage/overlay/l/FLXW6UCERMEABQCKXSLJJG6QSH:/home/jonathan/.local/share/containers/storage/overlay/l/FLXW6UCERMEABQCKXSLJJG6QSH/../diff1:/home/jonathan/.local/share/containers/storage/overlay/l/ET4FCU67UPOAVBGIYPH2CUSIVI,upperdir=/home/jonathan/.local/share/containers/storage/overlay/3473652a89181f9ccf1c159b30c66b344cb68d697b5f469095ed5cc4ab34fbe5/diff,workdir=/home/jonathan/.local/share/containers/storage/overlay/3473652a89181f9ccf1c159b30c66b344cb68d697b5f469095ed5cc4ab34fbe5/work,userxattr 
DEBU[0000] Mounted container "c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2" at "/home/jonathan/.local/share/containers/storage/overlay/3473652a89181f9ccf1c159b30c66b344cb68d697b5f469095ed5cc4ab34fbe5/merged" 
DEBU[0000] Created root filesystem for container c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2 at /home/jonathan/.local/share/containers/storage/overlay/3473652a89181f9ccf1c159b30c66b344cb68d697b5f469095ed5cc4ab34fbe5/merged 
DEBU[0000] Modifying container c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2 /etc/passwd 
DEBU[0000] Modifying container c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2 /etc/group 
DEBU[0000] Skipping unrecognized mount in /etc/containers/mounts.conf: "# Configuration file for default mounts in containers (see man 5" 
DEBU[0000] Skipping unrecognized mount in /etc/containers/mounts.conf: "# containers-mounts.conf for further information)" 
DEBU[0000] Skipping unrecognized mount in /etc/containers/mounts.conf: "" 
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode subscription 
DEBU[0000] Setting Cgroups for container c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2 to user.slice:libpod:c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2 
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d 
DEBU[0000] Workdir "/" resolved to host path "/home/jonathan/.local/share/containers/storage/overlay/3473652a89181f9ccf1c159b30c66b344cb68d697b5f469095ed5cc4ab34fbe5/merged" 
DEBU[0000] Created OCI spec for container c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2 at /home/jonathan/.local/share/containers/storage/overlay-containers/c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2/userdata/config.json 
DEBU[0000] /usr/bin/conmon messages will be logged to syslog 
DEBU[0000] running conmon: /usr/bin/conmon               args="[--api-version 1 -c c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2 -u c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2 -r /usr/bin/crun -b /home/jonathan/.local/share/containers/storage/overlay-containers/c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2/userdata -p /run/user/1000/containers/overlay-containers/c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2/userdata/pidfile -n festive_maxwell --exit-dir /run/user/1000/libpod/tmp/exits --persist-dir /run/user/1000/libpod/tmp/persist/c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2 --full-attach -s -l journald --log-level debug --syslog --conmon-pidfile /run/user/1000/containers/overlay-containers/c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/jonathan/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /run/user/1000/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/user/1000/libpod/tmp --exit-command-arg --network-config-dir --exit-command-arg  --exit-command-arg --network-backend --exit-command-arg netavark --exit-command-arg --volumepath --exit-command-arg /home/jonathan/.local/share/containers/storage/volumes --exit-command-arg --db-backend --exit-command-arg sqlite --exit-command-arg --transient-store=false --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2]"
INFO[0000] Running conmon under slice user.slice and unitName libpod-conmon-c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2.scope 
[conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied

DEBU[0000] Received: -1                                 
DEBU[0000] Cleaning up container c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2 
DEBU[0000] Network is already cleaned up, skipping...   
DEBU[0001] Unmounted container "c07764ad82ca27d64e8c6709cf734ee492d91978ef06bd447761f3f7691459f2" 
DEBU[0001] ExitCode msg: "crun: make `/home/jonathan/.local/share/containers/storage/overlay/3473652a89181f9ccf1c159b30c66b344cb68d697b5f469095ed5cc4ab34fbe5/merged` private: permission denied: oci permission denied" 
Error: crun: make `/home/jonathan/.local/share/containers/storage/overlay/3473652a89181f9ccf1c159b30c66b344cb68d697b5f469095ed5cc4ab34fbe5/merged` private: Permission denied: OCI permission denied
DEBU[0001] Shutting down engines 

giuseppe commented 2 months ago

can you share the output of ls -ld /home /home/jonathan? I think there is no a+x permission set in one of these two paths
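
The permission hypothesis in the comment above can be checked mechanically rather than by eyeballing ls -ld. The POSIX shell script below is an added example for this page, not code from podman, crun or the commenter: it walks every directory component from / down to a rootless storage root and reports each one that other users cannot search (no o+x bit), which is exactly the condition that chmod a+x /home/jonathan changes. The default path is an assumption taken from the graphRoot in the podman info output of this issue; the function name check_traversal is the example's own.

```shell
#!/bin/sh
# Added diagnostic for rootless podman storage paths (example code, not
# part of podman or crun). Reports every ancestor directory of the storage
# root that lacks the "other" search bit (o+x).

# check_traversal DIR
# Prints one line per component of DIR (including DIR itself) that is not
# searchable by other users. Returns 0 when the whole path is traversable,
# 1 when at least one component is not, 2 if stat(1) is unusable.
check_traversal() {
    target=$1
    missing=0
    case $target in
        /*) ;;
        *) target="$(pwd)/$target" ;;   # make relative paths absolute
    esac
    current=""
    oldifs=$IFS
    set -f                              # no globbing while splitting on "/"
    IFS=/
    set -- $target
    IFS=$oldifs
    set +f
    for component in "$@"; do
        [ -n "$component" ] || continue
        current="$current/$component"
        # Stop at the first component that does not exist yet; podman
        # creates the rest of the storage tree on first use.
        [ -d "$current" ] || break
        # GNU stat: %a prints the octal mode (700, 755, 1777, ...); -L follows symlinks.
        mode=$(stat -L -c %a "$current") || return 2
        other=${mode#"${mode%?}"}       # last octal digit = permissions for "other"
        case $other in
            1|3|5|7) ;;                 # x bit set: other users may search this directory
            *) printf 'missing o+x: %s (mode %04d)\n' "$current" "$mode"
               missing=1 ;;
        esac
    done
    return $missing
}

# Usage: sh check_traversal.sh [storage-dir]
# Default (assumed): the rootless graphRoot layout shown in this issue's podman info.
if check_traversal "${1:-$HOME/.local/share/containers/storage}"; then
    echo "every component is searchable by other users"
else
    echo "add the search bit with: chmod o+x <dir>"
fi
```

Why "other" matters here: processes inside the rootless user namespace that run as a subordinate UID (100000 and up in the idMappings above) are neither the owner (UID 1000) nor in its group from the kernel's point of view, so on a directory owned by UID 1000 the "other" triplet decides whether they can search it. Treat the script as a first diagnostic rather than a full explanation: the maintainer below did not expect this to matter for the crun make-private step, and the reporter later restored 0700 without the error returning.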

giuseppe commented 2 months ago

hm.. that should not matter, at least from what I can observe locally. Do you mind sharing the output of podman unshare cat /proc/self/mountinfo too?

cowlingj commented 2 months ago

Looks like that was it, I didn't have the right permissions on the /home/jonathan directory

giuseppe commented 2 months ago

does it work now? What have you changed?

cowlingj commented 2 months ago

I changed the permissions of my home directory with chmod a+x /home/jonathan; then I could run busybox just fine. I set the permissions back (to 0700) and it still works.

Here's the output of podman unshare cat /proc/self/mountinfo

96 95 8:50 / / rw,noatime master:1 - ext4 /dev/sdd2 rw
97 96 0:5 / /dev rw,nosuid,relatime master:2 - devtmpfs dev rw,size=16295884k,nr_inodes=4073971,mode=755,inode64
98 97 0:27 / /dev/pts rw,nosuid,noexec,relatime master:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
171 97 0:28 / /dev/shm rw,nosuid,nodev master:4 - tmpfs tmpfs rw,inode64
245 97 0:20 / /dev/mqueue rw,nosuid,nodev,noexec,relatime master:15 - mqueue mqueue rw
246 97 0:33 / /dev/hugepages rw,nosuid,nodev,relatime master:16 - hugetlbfs hugetlbfs rw,pagesize=2M
247 96 0:22 / /proc rw,nosuid,nodev,noexec,relatime master:5 - proc proc rw
248 247 0:32 / /proc/sys/fs/binfmt_misc rw,relatime master:13 - autofs systemd-1 rw,fd=38,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=6829
249 248 0:48 / /proc/sys/fs/binfmt_misc rw,nosuid,nodev,noexec,relatime master:62 - binfmt_misc binfmt_misc rw
250 96 0:23 / /sys rw,nosuid,nodev,noexec,relatime master:6 - sysfs sys rw
341 250 0:25 / /sys/firmware/efi/efivars rw,nosuid,nodev,noexec,relatime master:7 - efivarfs efivarfs rw
342 250 0:6 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime master:8 - securityfs securityfs rw
343 250 0:29 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime master:9 - cgroup2 cgroup2 rw,nsdelegate,memory_recursiveprot
344 250 0:30 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime master:10 - pstore pstore rw
472 250 0:31 / /sys/fs/bpf rw,nosuid,nodev,noexec,relatime master:11 - bpf bpf rw,mode=700
473 250 0:12 / /sys/kernel/tracing rw,nosuid,nodev,noexec,relatime master:14 - tracefs tracefs rw
474 250 0:7 / /sys/kernel/debug rw,nosuid,nodev,noexec,relatime master:17 - debugfs debugfs rw
475 250 0:36 / /sys/kernel/config rw,nosuid,nodev,noexec,relatime master:20 - configfs configfs rw
476 250 0:37 / /sys/fs/fuse/connections rw,nosuid,nodev,noexec,relatime master:21 - fusectl fusectl rw
487 96 0:24 / /run rw,nosuid,nodev,relatime master:12 - tmpfs run rw,mode=755,inode64
491 487 0:34 / /run/credentials/systemd-udev-load-credentials.service ro,nosuid,nodev,noexec,relatime,nosymfollow master:19 - tmpfs tmpfs rw,size=1024k,nr_inodes=1024,mode=700,inode64,noswap
495 487 0:38 / /run/credentials/systemd-tmpfiles-setup-dev-early.service ro,nosuid,nodev,noexec,relatime,nosymfollow master:22 - tmpfs tmpfs rw,size=1024k,nr_inodes=1024,mode=700,inode64,noswap
496 487 0:39 / /run/credentials/systemd-tmpfiles-setup-dev.service ro,nosuid,nodev,noexec,relatime,nosymfollow master:23 - tmpfs tmpfs rw,size=1024k,nr_inodes=1024,mode=700,inode64,noswap
497 487 0:41 / /run/credentials/systemd-journald.service ro,nosuid,nodev,noexec,relatime,nosymfollow master:25 - tmpfs tmpfs rw,size=1024k,nr_inodes=1024,mode=700,inode64,noswap
498 487 0:35 / /run/credentials/systemd-sysctl.service ro,nosuid,nodev,noexec,relatime,nosymfollow master:18 - tmpfs tmpfs rw,size=1024k,nr_inodes=1024,mode=700,inode64,noswap
499 487 0:42 / /run/credentials/systemd-vconsole-setup.service ro,nosuid,nodev,noexec,relatime,nosymfollow master:50 - tmpfs tmpfs rw,size=1024k,nr_inodes=1024,mode=700,inode64,noswap
500 487 0:47 / /run/credentials/systemd-tmpfiles-setup.service ro,nosuid,nodev,noexec,relatime,nosymfollow master:60 - tmpfs tmpfs rw,size=1024k,nr_inodes=1024,mode=700,inode64,noswap
501 487 0:59 / /run/user/1000 rw,nosuid,nodev,relatime master:314 - tmpfs tmpfs rw,size=3262900k,nr_inodes=815725,mode=700,uid=1000,gid=1000,inode64
502 501 0:60 / /run/user/1000/gvfs rw,nosuid,nodev,relatime master:381 - fuse.gvfsd-fuse gvfsd-fuse rw,user_id=1000,group_id=1000
503 501 0:75 / /run/user/1000/doc rw,nosuid,nodev,relatime master:723 - fuse.portal portal rw,user_id=1000,group_id=1000
504 96 0:40 / /srv/games rw,relatime master:24 - autofs systemd-1 rw,fd=51,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=13512
505 96 0:44 / /tmp rw,noatime master:52 - tmpfs tmpfs rw,inode64
506 96 8:49 / /boot/efi rw,relatime master:54 - vfat /dev/sdd1 rw,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro
507 96 0:43 / /home/jonathan rw,relatime master:56 - btrfs /dev/sda1 rw,space_cache=v2,subvolid=5,subvol=/
508 507 0:46 / /home/jonathan/.Encrypted rw,relatime master:58 - autofs systemd-1 rw,fd=62,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=7725
509 508 254:1 / /home/jonathan/.Encrypted rw,relatime master:579 - ext4 /dev/mapper/Games-jonathan2 rw
511 507 0:43 /.local/share/containers/storage/overlay /home/jonathan/.local/share/containers/storage/overlay rw,relatime - btrfs /dev/sda1 rw,space_cache=v2,subvolid=5,subvol=/

giuseppe commented 2 months ago

I've opened a PR for crun that should help to handle such a configuration better: https://github.com/containers/crun/pull/1503

github-actions[bot] commented 1 month ago

A friendly reminder that this issue had no activity for 30 days.

rhatdan commented 1 month ago

Looks like @giuseppe got something merged that will make this easier for the user to discover. Closing.