containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

can't set memory limit for user container #7667

Closed ikke-t closed 4 years ago

ikke-t commented 4 years ago

/kind bug

Description

As a (non-root) user, I fail to start a container with a memory limit.

Steps to reproduce the issue:

  1. I have an up-to-date Fedora IoT system, currently F32

  2. command:

    podman run --name pilivi --rm -ti --cgroup-manager=systemd --memory="128M" sebp/lighttpd 
    Error: sd-bus call: Permission denied: OCI runtime permission denied error

Describe the results you received:

Error: sd-bus call: Permission denied: OCI runtime permission denied error

Describe the results you expected:

$ podman run --name pilivi --rm -ti  sebp/lighttpd  
2020-09-17 09:40:07: (server.c.1521) server started (lighttpd/1.4.54) 

Additional information you deem important (e.g. issue happens only occasionally):

always

Output of podman version:

Version:      2.0.6
API Version:  1
Go Version:   go1.14.6
Built:        Tue Sep  1 22:26:51 2020
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.15.1
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.19-1.fc32.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.19, commit: 5dce9767526ed27f177a8fa3f281889ad509fea7'
  cpus: 2
  distribution:
    distribution: fedora
    version: "32"
  eventLogger: file
  hostname: fediot.ikenet
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1018
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1018
      size: 1
    - container_id: 1
      host_id: 165536
      size: 65536
  kernel: 5.8.7-200.fc32.x86_64
  linkmode: dynamic
  memFree: 6479953920
  memTotal: 8340324352
  ociRuntime:
    name: crun
    package: crun-0.14.1-4.fc32.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.14.1
      commit: 598ea5e192ca12d4f6378217d3ab1415efeddefa
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /tmp/run-1018/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.4-1.fc32.x86_64
    version: |-
      slirp4netns version 1.1.4
      commit: b66ffa8e262507e37fca689822d23430f3357fe8
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 2
  swapFree: 5049737216
  swapTotal: 5049737216
  uptime: 61h 40m 1.88s (Approximately 2.54 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /var/home/pilivifi/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.1.2-1.fc32.x86_64
      Version: |-
        fusermount3 version: 3.9.1
        fuse-overlayfs: version 1.1.0
        FUSE library version 3.9.1
        using FUSE kernel interface version 7.31
  graphRoot: /var/home/pilivifi/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /tmp/run-1018/containers
  volumePath: /var/home/pilivifi/.local/share/containers/storage/volumes
version:
  APIVersion: 1
  Built: 1598988411
  BuiltTime: Tue Sep  1 22:26:51 2020
  GitCommit: ""
  GoVersion: go1.14.6
  OsArch: linux/amd64
  Version: 2.0.6

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.0.6-1.fc32.x86_64
$ cat /etc/fedora-release 
Fedora release 32 (Thirty Two)
Linux fediot.ikenet 5.8.7-200.fc32.x86_64 #1 SMP Mon Sep 7 15:26:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm-ostree status
State: idle
Deployments:
* ostree://fedora-iot:fedora/stable/x86_64/iot
                   Version: 32.20200912.0 (2020-09-12T07:47:52Z)
                BaseCommit: ad0a590edf4a4180122d44d44d6f3294f68bfd93f6496a3865d8d3874d6ac5c3
              GPGSignature: Valid signature by 97A1AE57C3A2372CCA3A4ABA6C13026D12C944D0
           LayeredPackages: cockpit cockpit-dashboard cockpit-ostree cockpit-podman cockpit-storaged mosh
                            nfs-utils

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

No. @mheon asked me to file a bug in IRC

Additional environment details (AWS, VirtualBox, physical, etc.):

VM on FreeNAS

ikke-t commented 4 years ago

Forgot to mention: no user-specific configs in .config/containers/. Also, the user is in the /etc/subuid and /etc/subgid files.

giuseppe commented 4 years ago

How have you logged in? Through ssh or su?

What do you see if you run the command systemd-run --scope --user echo test?

rhatdan commented 4 years ago

Did you check SELinux?

ikke-t commented 4 years ago

Ah, @giuseppe, that's it. As this is a fresh user created by ansible for the container, it doesn't have a password. While systemd could not get it started, I switched to the user via sudo su - user. That reminds me of @rhatdan explaining a while back how the uid does not get carried over properly with sudo.

Now it works. Thanks, I'll close the issue.
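
The thread resolves to a session problem rather than a podman bug: with --cgroup-manager=systemd, rootless podman asks the user's own systemd instance (user@UID.service) over sd-bus to create a scope carrying the --memory limit, and a shell reached through sudo su - has no systemd login session for that call to land in. The runRoot /tmp/run-1018 in the podman info above is consistent with XDG_RUNTIME_DIR being unset in that shell. The script below is an added example, not code from the Podman project or from anyone in this issue. It turns the two conditions into checkable functions (a usable user session; the memory controller delegated to the user's cgroup v2 subtree), runs them on constructed inputs, and, with --live, inspects the current shell using the systemd-run probe giuseppe asked for. Assumptions: uid 1018 is only reused from the podman info for the constructed inputs; the cgroup path /sys/fs/cgroup/user.slice/user-UID.slice/user@UID.service/cgroup.controllers is where systemd keeps a user's delegated controllers on a cgroup v2 host; the file name check-session.sh is hypothetical.

```shell
#!/bin/sh
# Added example; not from the Podman project or from this issue's participants.
#
# Rootless podman with --cgroup-manager=systemd talks to user@UID.service over
# sd-bus to place the container in a scope that carries the --memory limit.
# That needs (1) a real systemd user session in the calling shell and (2) the
# memory controller delegated to the user's cgroup v2 subtree.  The functions
# below encode both conditions; check_live_session applies them to this shell.

# A shell that "systemd-run --user" can use needs both variables set.
# Args: $1 = XDG_RUNTIME_DIR, $2 = DBUS_SESSION_BUS_ADDRESS.  Returns 0 when ok.
session_env_ok() {
    [ -n "$1" ] && [ -n "$2" ]
}

# Is controller $2 present in $1, the space-separated contents of a
# cgroup.controllers or cgroup.subtree_control file?  Returns 0 if so.
controller_delegated() {
    for _c in $1; do
        [ "$_c" = "$2" ] && return 0
    done
    return 1
}

# Combine the evidence into one verdict.  $1/$2 as above, $3 = controllers
# delegated to user@UID.service.  Prints one of:
#   no-session            -> this issue's symptom (sd-bus call: Permission denied)
#   no-memory-delegation  -> session is fine, but --memory still cannot apply
#   ok
diagnose() {
    if ! session_env_ok "$1" "$2"; then
        echo no-session
    elif ! controller_delegated "$3" memory; then
        echo no-memory-delegation
    else
        echo ok
    fi
}

# Inspect the current shell.  The systemd-run call is the probe suggested in
# the thread; the cgroup path is an assumption about systemd's layout.
check_live_session() {
    uid=$(id -u)
    if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
        echo "cgroup v2:                yes"
    else
        echo "cgroup v2:                no (unified hierarchy not mounted)"
    fi
    echo "XDG_RUNTIME_DIR:          ${XDG_RUNTIME_DIR:-<unset>}"
    echo "DBUS_SESSION_BUS_ADDRESS: ${DBUS_SESSION_BUS_ADDRESS:-<unset>}"
    if systemd-run --scope --user --quiet true 2>/dev/null; then
        echo "systemd-run --scope --user: works"
    else
        echo "systemd-run --scope --user: FAILED (no usable user session)"
    fi
    ctl_file="/sys/fs/cgroup/user.slice/user-$uid.slice/user@$uid.service/cgroup.controllers"
    ctls=$(cat "$ctl_file" 2>/dev/null || true)
    echo "delegated controllers:    ${ctls:-<none, $ctl_file missing>}"
    echo "verdict: $(diagnose "${XDG_RUNTIME_DIR:-}" "${DBUS_SESSION_BUS_ADDRESS:-}" "$ctls")"
}

# Constructed inputs (not captured from the reporter's machine).
# A shell entered with "sudo su - user" has neither variable, even if the
# controller is delegated, so podman's sd-bus call has nowhere to go.
echo "sudo su - shell:  $(diagnose '' '' 'cpu io memory pids')"
# A proper ssh login for uid 1018 with memory delegated.
echo "ssh login shell:  $(diagnose /run/user/1018 unix:path=/run/user/1018/bus 'cpu io memory pids')"
# Session is fine but only pids was delegated: --memory would still not apply.
echo "pids-only:        $(diagnose /run/user/1018 unix:path=/run/user/1018/bus 'pids')"

# Run the live inspection only on request so the file is safe to source.
if [ "${1:-}" = "--live" ]; then
    check_live_session
fi
```

Run it as sh check-session.sh --live from the shell that fails, then again from an ssh login for the same user; the thread's outcome corresponds to the first printing no-session and the second printing ok. The standard remedies outside this thread are to reach the account through a session-creating path (ssh, or machinectl shell user@) rather than sudo su -, and, for services that must start without a login, loginctl enable-linger user.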