Closed dougsland closed 1 year ago
/cc @rhatdan @lsm5
[root@control ~]# dnf update -y
Last metadata expiration check: 0:05:58 ago on Mon May 8 14:39:47 2023.
Dependencies resolved.
Nothing to do.
Complete!
[root@control ~]# mkdir /usr/lib/qm/rootfs -p
[root@control ~]# systemctl start qm
Job for qm.service failed because the control process exited with error code.
See "systemctl status qm.service" and "journalctl -xeu qm.service" for details.
May 08 14:46:12 control systemd[1]: Failed to start qm.service.
May 08 14:46:12 control systemd[1]: qm.service: Failed with result 'exit-code'.
May 08 14:46:12 control systemd[1]: qm.service: Main process exited, code=exited, status=126/n/a
May 08 14:46:12 control qm[20963]: Error: mkdir /sys/fs/cgroup/memory/user.slice: permission denied
May 08 14:46:12 control podman[20963]: 2023-05-08 14:46:12.235180224 +0000 UTC m=+0.105786698 container remove 0b3d55db021e03c74e2ac2d9b18bcd9e5fdcf9f05e092291c6261da43a23204d (image=, name=qm, PODMAN_SYSTEMD_UNIT=qm.service)
May 08 14:46:12 control podman[20963]: 2023-05-08 14:46:12.202046221 +0000 UTC m=+0.072652703 container create 0b3d55db021e03c74e2ac2d9b18bcd9e5fdcf9f05e092291c6261da43a23204d (image=, name=qm, PODMAN_SYSTEMD_UNIT=qm.service)
This is probably a bad version of podman.
You might need podman 4.5.0 or newer?
For reference, I was running a RHEL9 on RHEL8 (cgroupsv1). This seems to be the problem.
# rpm -qa | grep -i podman
podman-4.5.1~dev-1.20230505082231331845.v4.5.14.gc926b12c5.el9.x86_64
I will test on RHEL9 (cgroupsv2) as base instead of RHEL8.
Let me update here with the latest:
Host machine:
$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="38 (Workstation Edition)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora Linux 38 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f38/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=38
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=38
SUPPORT_END=2024-05-14
VARIANT="Workstation Edition"
VARIANT_ID=workstation
cgroup:
$ cat /proc/filesystems | grep cgroup
nodev cgroup
nodev cgroup2
$ podman info | grep cgroup
cgroupControllers:
cgroupManager: systemd
cgroupVersion: v2
$ cat /proc/self/cgroup
0::/user.slice/user-1000.slice/session-5.scope
$ cat /proc/self/limits
Limit Soft Limit Hard Limit Units
Max cpu time unlimited unlimited seconds
Max file size unlimited unlimited bytes
Max data size unlimited unlimited bytes
Max stack size 8388608 unlimited bytes
Max core file size unlimited unlimited bytes
Max resident set unlimited unlimited bytes
Max processes 1546460 1546460 processes
Max open files 1024 524288 files
Max locked memory 8388608 8388608 bytes
Max address space unlimited unlimited bytes
Max file locks unlimited unlimited locks
Max pending signals 1546460 1546460 signals
Max msgqueue size 819200 819200 bytes
Max nice priority 0 0
Max realtime priority 0 0
Max realtime timeout unlimited unlimited us
$ podman unshare ulimit -a
real-time non-blocking time (microseconds, -R) unlimited
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 1546460
max locked memory (kbytes, -l) 8192
max memory size (kbytes, -m) unlimited
open files (-n) 524288
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 1048576
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
$ cat /proc/sys/kernel/pid_max
4194304
[douglas@dell730 e2e]$
Two nodes running with podman:
$ podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3c077806c43b localhost/control:latest /usr/lib/systemd/... 2 minutes ago Up 2 minutes control
53b089c3d865 localhost/node1:latest /usr/lib/systemd/... 2 minutes ago Up 2 minutes node1
Setting up qm on node1
# podman exec -it node1 bash
Executed the following:
dnf -y copr enable rhcontainerbot/qm centos-stream-9
dnf -y copr enable mperina/hirte-snapshot centos-stream-9
dnf update -y
dnf install qm -y
cd /usr/share/qm
./setup
<SNIP>
......
Complete!
Last metadata expiration check: 0:01:47 ago on Tue May 9 03:25:53 2023.
Dependencies resolved.
Nothing to do.
Complete!
Job for qm.service failed because the control process exited with error code.
See "systemctl status qm.service" and "journalctl -xeu qm.service" for details.
systemctl status qm:
qm.service
Loaded: loaded (/usr/share/containers/systemd/qm.container; generated)
Active: failed (Result: exit-code) since Tue 2023-05-09 03:27:44 UTC; 35s ago
Process: 11433 ExecStart=/usr/bin/podman run --name=qm --cidfile=/run/qm.cid --replace --rm --cgroups=split --network=host --sdnotify=conmon -d --security-opt label=type:qm_t --security-opt label=filetype:qm_file_t --security-opt label=level:s0 --device=/dev/kvm --cap-add=all --read-only --read-only-tmpfs=false -v qmEtc:/etc:copy -v qmVar:/var:copy --security-opt label=nested --security-opt unmask=all --rootfs /usr/lib/qm/rootfs /sbin/init (code=exited, status=126)
Process: 11468 ExecStopPost=/usr/bin/podman rm -f -i --cidfile=/run/qm.cid (code=exited, status=0/SUCCESS)
Main PID: 11433 (code=exited, status=126)
CPU: 240ms
May 09 03:27:44 node1 systemd[1]: qm.service: Scheduled restart job, restart counter is at 5.
May 09 03:27:44 node1 systemd[1]: Stopped qm.service.
May 09 03:27:44 node1 systemd[1]: qm.service: Start request repeated too quickly.
May 09 03:27:44 node1 systemd[1]: qm.service: Failed with result 'exit-code'.
May 09 03:27:44 node1 systemd[1]: Failed to start qm.service.
journal -r:
May 09 03:27:43 node1 systemd[1]: Failed to start qm.service.
May 09 03:27:43 node1 systemd[1]: qm.service: Failed with result 'exit-code'.
May 09 03:27:43 node1 systemd[1]: qm.service: Killing process 11466 (podman) with signal SIGKILL.
May 09 03:27:43 node1 systemd[1]: qm.service: Killing process 11454 (podman) with signal SIGKILL.
May 09 03:27:43 node1 systemd[1]: qm.service: Killing process 11452 (conmon) with signal SIGKILL.
May 09 03:27:43 node1 systemd[1]: qm.service: Main process exited, code=exited, status=126/n/a
May 09 03:27:43 node1 qm[11433]: Error: crun: setrlimit `RLIMIT_NOFILE`: Operation not permitted: OCI permission denied
May 09 03:27:43 node1 podman[11433]: 2023-05-09 03:27:43.65832943 +0000 UTC m=+0.118318374 container remove eb20e607bd0c104c3b7c4c898a93821832c6c7bdf8871b70588ce5eabd9de625 (image=, name=qm, PODMAN_SYSTEMD_UNIT=qm.service)
May 09 03:27:43 node1 podman[11433]: 2023-05-09 03:27:43.586557058 +0000 UTC m=+0.046545996 container create eb20e607bd0c104c3b7c4c898a93821832c6c7bdf8871b70588ce5eabd9de625 (image=, name=qm, PODMAN_SYSTEMD_UNIT=qm.service)
Podman version in the container:
#node1> podman -v
podman version 4.5.1-dev
On the host:
$ podman inspect node1
<SNIP>
....
"OomKillDisable": false,
"PidsLimit": 2048,
"Ulimits": [
{
"Name": "RLIMIT_NOFILE",
"Soft": 524288,
"Hard": 524288
},
{
"Name": "RLIMIT_NPROC",
"Soft": 1048576,
"Hard": 1048576
}
],
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0,
"CgroupConf": null
podman data from HOST:
[douglas@dell730 e2e]$ podman inspect node1
[
{
"Id": "e51f883f48b390c87e4a5431d5a71b0745885c07438ba899f3f6a80cd9c8b9fa",
"Created": "2023-05-08T23:22:53.771613337-04:00",
"Path": "/usr/lib/systemd/systemd",
"Args": [
"/usr/lib/systemd/systemd"
],
"State": {
"OciVersion": "1.1.0-rc.1",
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 55909,
"ConmonPid": 55905,
"ExitCode": 0,
"Error": "",
"StartedAt": "2023-05-08T23:22:53.909887667-04:00",
"FinishedAt": "0001-01-01T00:00:00Z",
"Health": {
"Status": "",
"FailingStreak": 0,
"Log": null
},
"CgroupPath": "/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-e51f883f48b390c87e4a5431d5a71b0745885c07438ba899f3f6a80cd9c8b9fa.scope",
"CheckpointedAt": "0001-01-01T00:00:00Z",
"RestoredAt": "0001-01-01T00:00:00Z"
},
"Image": "c4cafcc687be864ea19f7836c88f9d7000f4310615ee76aff9a57332837dad00",
"ImageDigest": "sha256:5c8ef667ab1bf34dd58ecf4cc956550cac1d2be324dc1e033b293401e0320abf",
"ImageName": "localhost/node1:latest",
"Rootfs": "",
"Pod": "",
"ResolvConfPath": "/run/user/1000/containers/overlay-containers/e51f883f48b390c87e4a5431d5a71b0745885c07438ba899f3f6a80cd9c8b9fa/userdata/resolv.conf",
"HostnamePath": "/run/user/1000/containers/overlay-containers/e51f883f48b390c87e4a5431d5a71b0745885c07438ba899f3f6a80cd9c8b9fa/userdata/hostname",
"HostsPath": "/run/user/1000/containers/overlay-containers/e51f883f48b390c87e4a5431d5a71b0745885c07438ba899f3f6a80cd9c8b9fa/userdata/hosts",
"StaticDir": "/home/douglas/.local/share/containers/storage/overlay-containers/e51f883f48b390c87e4a5431d5a71b0745885c07438ba899f3f6a80cd9c8b9fa/userdata",
"OCIConfigPath": "/home/douglas/.local/share/containers/storage/overlay-containers/e51f883f48b390c87e4a5431d5a71b0745885c07438ba899f3f6a80cd9c8b9fa/userdata/config.json",
"OCIRuntime": "crun",
"ConmonPidFile": "/run/user/1000/containers/overlay-containers/e51f883f48b390c87e4a5431d5a71b0745885c07438ba899f3f6a80cd9c8b9fa/userdata/conmon.pid",
"PidFile": "/run/user/1000/containers/overlay-containers/e51f883f48b390c87e4a5431d5a71b0745885c07438ba899f3f6a80cd9c8b9fa/userdata/pidfile",
"Name": "node1",
"RestartCount": 0,
"Driver": "overlay",
"MountLabel": "system_u:object_r:container_file_t:s0:c1022,c1023",
"ProcessLabel": "",
"AppArmorProfile": "",
"EffectiveCaps": [
"CAP_AUDIT_CONTROL",
"CAP_AUDIT_READ",
"CAP_AUDIT_WRITE",
"CAP_BLOCK_SUSPEND",
"CAP_BPF",
"CAP_CHECKPOINT_RESTORE",
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_DAC_READ_SEARCH",
"CAP_FOWNER",
"CAP_FSETID",
"CAP_IPC_LOCK",
"CAP_IPC_OWNER",
"CAP_KILL",
"CAP_LEASE",
"CAP_LINUX_IMMUTABLE",
"CAP_MAC_ADMIN",
"CAP_MAC_OVERRIDE",
"CAP_MKNOD",
"CAP_NET_ADMIN",
"CAP_NET_BIND_SERVICE",
"CAP_NET_BROADCAST",
"CAP_NET_RAW",
"CAP_PERFMON",
"CAP_SETFCAP",
"CAP_SETGID",
"CAP_SETPCAP",
"CAP_SETUID",
"CAP_SYSLOG",
"CAP_SYS_ADMIN",
"CAP_SYS_BOOT",
"CAP_SYS_CHROOT",
"CAP_SYS_MODULE",
"CAP_SYS_NICE",
"CAP_SYS_PACCT",
"CAP_SYS_PTRACE",
"CAP_SYS_RAWIO",
"CAP_SYS_RESOURCE",
"CAP_SYS_TIME",
"CAP_SYS_TTY_CONFIG",
"CAP_WAKE_ALARM"
],
"BoundingCaps": [
"CAP_AUDIT_CONTROL",
"CAP_AUDIT_READ",
"CAP_AUDIT_WRITE",
"CAP_BLOCK_SUSPEND",
"CAP_BPF",
"CAP_CHECKPOINT_RESTORE",
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_DAC_READ_SEARCH",
"CAP_FOWNER",
"CAP_FSETID",
"CAP_IPC_LOCK",
"CAP_IPC_OWNER",
"CAP_KILL",
"CAP_LEASE",
"CAP_LINUX_IMMUTABLE",
"CAP_MAC_ADMIN",
"CAP_MAC_OVERRIDE",
"CAP_MKNOD",
"CAP_NET_ADMIN",
"CAP_NET_BIND_SERVICE",
"CAP_NET_BROADCAST",
"CAP_NET_RAW",
"CAP_PERFMON",
"CAP_SETFCAP",
"CAP_SETGID",
"CAP_SETPCAP",
"CAP_SETUID",
"CAP_SYSLOG",
"CAP_SYS_ADMIN",
"CAP_SYS_BOOT",
"CAP_SYS_CHROOT",
"CAP_SYS_MODULE",
"CAP_SYS_NICE",
"CAP_SYS_PACCT",
"CAP_SYS_PTRACE",
"CAP_SYS_RAWIO",
"CAP_SYS_RESOURCE",
"CAP_SYS_TIME",
"CAP_SYS_TTY_CONFIG",
"CAP_WAKE_ALARM"
],
"ExecIDs": [],
"GraphDriver": {
"Name": "overlay",
"Data": {
"LowerDir": "/home/douglas/.local/share/containers/storage/overlay/87745df3c59262e16ab258cc74d089c43120dc1081cd56d25ed80dc9492a84e3/diff:/home/douglas/.local/share/containers/storage/overlay/1b9c172ae28ca6b0690baf564a78857af1ecd37666d5683b22fa8aa2a2aa3b17/diff:/home/douglas/.local/share/containers/storage/overlay/47782107d49526409313e4d742474f74876c44ce6a0ed929ca1e92011dc96dee/diff:/home/douglas/.local/share/containers/storage/overlay/baa226215f199bece042c201bb179b5972b7a4a3b8abad7d10ae3287b778be00/diff:/home/douglas/.local/share/containers/storage/overlay/ffe27fbe4762f83045ed45c983aea3f41e6e51baf625f34f432d2877257fd19f/diff:/home/douglas/.local/share/containers/storage/overlay/eb47fd00f4e9ee06b751f01f6375747278ab6676b06f17aa072ee8132606ed44/diff:/home/douglas/.local/share/containers/storage/overlay/fd217b15a6ed89ef3010bcc0f4fe423f06a3108af69a360ffcc8c995e03ead0e/diff:/home/douglas/.local/share/containers/storage/overlay/3e51ba4e7228799eb199e3f5172597be525ca5d859b9149e597e02011fb30762/diff:/home/douglas/.local/share/containers/storage/overlay/17723bea6c18fd61cd91de9cf6430d8066717fa6dc64ff03f147f14391781321/diff",
"MergedDir": "/home/douglas/.local/share/containers/storage/overlay/37d7b602a847cba8171ce7d119e1d5ef5621930b2f2419f8c52fec6586f2b0ff/merged",
"UpperDir": "/home/douglas/.local/share/containers/storage/overlay/37d7b602a847cba8171ce7d119e1d5ef5621930b2f2419f8c52fec6586f2b0ff/diff",
"WorkDir": "/home/douglas/.local/share/containers/storage/overlay/37d7b602a847cba8171ce7d119e1d5ef5621930b2f2419f8c52fec6586f2b0ff/work"
}
},
"Mounts": [],
"Dependencies": [],
"NetworkSettings": {
"EndpointID": "",
"Gateway": "",
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "",
"Bridge": "",
"SandboxID": "",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {},
"SandboxKey": "/run/user/1000/netns/netns-d39ffb20-6a35-186f-65f1-6ff4c2253d24",
"Networks": {
"netcow": {
"EndpointID": "",
"Gateway": "172.18.0.1",
"IPAddress": "172.18.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "fe:e0:20:ce:fa:1a",
"NetworkID": "netcow",
"DriverOpts": null,
"IPAMConfig": null,
"Links": null,
"Aliases": [
"e51f883f48b3"
]
}
}
},
"Namespace": "",
"IsInfra": false,
"IsService": false,
"Config": {
"Hostname": "node1",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"container=podman",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm",
"HOSTNAME=node1",
"HOME=/root",
"container_uuid=e51f883f48b390c87e4a5431d5a71b07"
],
"Cmd": [
"/usr/lib/systemd/systemd"
],
"Image": "localhost/node1:latest",
"Volumes": null,
"WorkingDir": "/root",
"Entrypoint": "",
"OnBuild": null,
"Labels": {
"io.buildah.version": "1.30.0",
"org.label-schema.build-date": "20230501",
"org.label-schema.license": "GPLv2",
"org.label-schema.name": "CentOS Stream 9 Base Image",
"org.label-schema.schema-version": "1.0",
"org.label-schema.vendor": "CentOS"
},
"Annotations": {
"io.container.manager": "libpod",
"io.podman.annotations.privileged": "TRUE",
"org.opencontainers.image.base.digest": "sha256:40b2accec6e7ce1aa799610bac4a68cc378ad3dc0090ed57e984a2b119d92bd8",
"org.opencontainers.image.base.name": "quay.io/centos/centos:stream9",
"org.opencontainers.image.stopSignal": "37"
},
"StopSignal": 37,
"HealthcheckOnFailureAction": "none",
"CreateCommand": [
"podman",
"run",
"-d",
"--privileged",
"--net",
"netcow",
"--ip",
"172.18.0.3",
"--name",
"node1",
"--hostname",
"node1",
"c4cafcc687be"
],
"SystemdMode": true,
"Umask": "0022",
"Timeout": 0,
"StopTimeout": 10,
"Passwd": true,
"sdNotifyMode": "container"
},
"HostConfig": {
"Binds": [],
"CgroupManager": "systemd",
"CgroupMode": "private",
"ContainerIDFile": "",
"LogConfig": {
"Type": "journald",
"Config": null,
"Path": "",
"Tag": "",
"Size": "0B"
},
"NetworkMode": "bridge",
"PortBindings": {},
"RestartPolicy": {
"Name": "",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": [],
"CapDrop": [],
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": [],
"GroupAdd": [],
"IpcMode": "shareable",
"Cgroup": "",
"Cgroups": "default",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "private",
"Privileged": true,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": [],
"Tmpfs": {},
"UTSMode": "private",
"UsernsMode": "",
"ShmSize": 65536000,
"Runtime": "oci",
"ConsoleSize": [
0,
0
],
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "user.slice",
"BlkioWeight": 0,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DiskQuota": 0,
"KernelMemory": 0,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": 0,
"OomKillDisable": false,
"PidsLimit": 2048,
"Ulimits": [
{
"Name": "RLIMIT_NOFILE",
"Soft": 524288,
"Hard": 524288
},
{
"Name": "RLIMIT_NPROC",
"Soft": 1048576,
"Hard": 1048576
}
],
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0,
"CgroupConf": null
}
}
]
$ grep pids_limit /usr/share/containers/containers.conf
#pids_limit = 2048
$ ls -l /usr/share/containers/containers.conf /etc/containers/containers.conf
ls: cannot access '/etc/containers/containers.conf': No such file or directory
-rw-r--r--. 1 root root 25352 Apr 11 20:00 /usr/share/containers/containers.conf
Tried a few changes on the host (/etc/security/limits.conf, ~/.config/containers/containers.conf) and recreating the container, and it's still not flying. I might be missing a step.
Similar(?) thread: https://github.com/containers/podman/issues/6389
@rhatdan any ideas?
@dougsland Could you get the execstart line from quadlet --dryrun and see what is failing?
/usr/libexec/podman/quadlet | grep ExecStart
Then remove the --cidfile part
Should look like:
/usr/local/bin/podman run --name=qm --replace --rm --cgroups=split --network=host --sdnotify=conmon -d --security-opt label=type:qm_t --security-opt label=filetype:qm_file_t --security-opt label=level:s0 --device=/dev/kvm --cap-add=all --read-only --read-only-tmpfs=false -v qmEtc:/etc:copy -v qmVar:/var:copy --security-opt label=nested --security-opt unmask=all --rootfs /usr/lib/qm/rootfs /sbin/init
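The extraction step described above, as an added example (not code from the qm or podman projects): it pulls the ExecStart= line out of `quadlet --dryrun` output and drops the --cidfile argument so the podman command can be run by hand. The dry-run text below is a constructed, shortened sample; the function accepts the full output of the real command just the same.

```shell
#!/bin/sh
# Added example: turn a quadlet --dryrun listing into a hand-runnable
# podman command, minus the --cidfile argument that only makes sense
# under systemd (%t/%N are systemd specifiers).

# Constructed sample of quadlet --dryrun output, shortened from the thread.
SAMPLE_DRYRUN='quadlet-generator[11523]: Loading source unit file /usr/share/containers/systemd/qm.container
[Unit]
Description=qm
[Service]
ExecStart=/usr/bin/podman run --name=qm --cidfile=%t/%N.cid --replace --rm --cgroups=split --network=host -d --rootfs /usr/lib/qm/rootfs /sbin/init
ExecStopPost=/usr/bin/podman rm -f -i --cidfile=%t/%N.cid'

# Print the command from the ExecStart= line with any --cidfile argument
# removed; handles both "--cidfile=VALUE" and "--cidfile VALUE".
extract_run_command() {
    printf '%s\n' "$1" \
      | sed -n 's/^ExecStart=//p' \
      | sed -e 's/ --cidfile=[^ ]*//g' -e 's/ --cidfile [^ ]*//g'
}

# Usage on the constructed sample; on a real system replace the sample with
# "$(/usr/libexec/podman/quadlet --dryrun 2>&1)".
extract_run_command "$SAMPLE_DRYRUN"
```

Only the ExecStart= line is selected, so the generator's own log lines on stderr are ignored whether or not they are redirected into the pipe.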
@rhatdan
Catching the cmd:
# /usr/libexec/podman/quadlet --dryrun| grep ExecStart
quadlet-generator[11523]: Loading source unit file /usr/share/containers/systemd/qm.container
ExecStart=/usr/bin/podman run --name=qm --cidfile=%t/%N.cid --replace --rm --cgroups=split --network=host --sdnotify=conmon -d --security-opt label=type:qm_t --security-opt label=filetype:qm_file_t --security-opt label=level:s0 --device=/dev/kvm --cap-add=all --read-only --read-only-tmpfs=false -v qmEtc:/etc:copy -v qmVar:/var:copy --security-opt label=nested --security-opt unmask=all --rootfs /usr/lib/qm/rootfs /sbin/init
Executing (removing --cidfile):
#node-qm> /usr/bin/podman run --name=qm --replace --rm --cgroups=split --network=host --sdnotify=conmon -d --security-opt label=type:qm_t --security-opt label=filetype:qm_file_t --security-opt label=level:s0 --device=/dev/kvm --cap-add=all --read-only --read-only-tmpfs=false -v qmEtc:/etc:copy -v qmVar:/var:copy --security-opt label=nested --security-opt unmask=all --rootfs /usr/lib/qm/rootfs /sbin/init
Error: crun: setrlimit `RLIMIT_NOFILE`: Operation not permitted: OCI permission denied
Podman version in the container:
# podman -v
podman version 4.5.1-dev
@rhatdan more data. I found this in fresh tests:
node1>
Created symlink /etc/systemd/system/default.target.wants/podman-restart.service → /usr/lib/systemd/system/podman-restart.service.
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
warning: %post(podman-101:4.5.1~dev-1.20230505082231331845.v4.5.14.gc926b12c5.el9.x86_64) scriptlet failed, exit status 1
also
node1> # ps aux | grep -i systemd
root 1 0.1 0.0 23040 14240 ? Ss 16:47 0:00 /usr/lib/systemd/systemd
root 25 0.0 0.0 34376 12128 ? Ss 16:47 0:00 /usr/lib/systemd/systemd-journald
root 42 0.0 0.0 17916 8480 ? Ss 16:47 0:00 /usr/lib/systemd/systemd-logind
root 910 0.0 0.0 3744 2080 pts/0 S+ 16:51 0:00 grep --color=auto -I systemd
OK, it turns out that I need to run the script as root, as it's trying to set limits.
Closing this one now. Thanks @rhatdan
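The resolution above comes down to setrlimit(2) semantics. As an added example (not code from the qm, podman or crun projects), the program below shows which RLIMIT_NOFILE changes an unprivileged process may make and which one fails with EPERM, the "setrlimit `RLIMIT_NOFILE`: Operation not permitted" that crun reported in this thread when the script ran without the needed privilege. It assumes a Linux host; the function names are this example's own.

```c
/* Added example: RLIMIT_NOFILE rules that explain the crun EPERM above.
 *  - raising the soft limit up to the hard limit needs no privilege;
 *  - raising the hard limit needs CAP_SYS_RESOURCE (and for NOFILE must
 *    also stay at or below the kernel's fs.nr_open), otherwise EPERM.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Apply soft/hard RLIMIT_NOFILE; returns 0 or the errno from setrlimit(). */
static int set_nofile(rlim_t soft, rlim_t hard)
{
    struct rlimit rl = { .rlim_cur = soft, .rlim_max = hard };
    return setrlimit(RLIMIT_NOFILE, &rl) == 0 ? 0 : errno;
}

/* Raise the soft limit to the current hard limit: always permitted. */
int raise_soft_to_hard(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return errno;
    return set_nofile(rl.rlim_max, rl.rlim_max);
}

/* Try to raise the hard limit by one.
 * Returns 1 if the kernel refused with EPERM (no CAP_SYS_RESOURCE, or
 * fs.nr_open reached), 0 if the raise was allowed, -1 on any other error. */
int hard_raise_needs_privilege(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_max == RLIM_INFINITY)
        return 0;                 /* nothing left to raise */
    int r = set_nofile(rl.rlim_cur, rl.rlim_max + 1);
    if (r == 0)
        return 0;
    return r == EPERM ? 1 : -1;
}

int main(void)
{
    int r = raise_soft_to_hard();
    printf("soft -> hard : %s\n", r ? strerror(r) : "ok");

    switch (hard_raise_needs_privilege()) {
    case 0:  puts("hard + 1     : ok (CAP_SYS_RESOURCE present)"); break;
    case 1:  puts("hard + 1     : EPERM, as an unprivileged user sees"); break;
    default: puts("hard + 1     : unexpected error"); break;
    }
    return 0;
}
```

Run it once as a normal user and once as root to see the two outcomes; a container runtime applying a `--ulimit`-style hard limit higher than the one it inherited hits exactly the EPERM branch when it lacks CAP_SYS_RESOURCE.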