Podman: Root/rootless Error: OCI runtime error: container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"

Created on 25 Nov 2020  ·  15 Comments  ·  Source: containers/podman

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Steps to reproduce the issue:

  1. From the documentation, I followed these steps to install/update podman:

```
sudo dnf -y module disable container-tools
sudo dnf -y install 'dnf-command(copr)'
sudo dnf -y copr enable rhcontainerbot/container-selinux
sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8_Stream/devel:kubic:libcontainers:stable.repo
sudo dnf -y install podman
```

  2. podman run -it --rm --name alpine2 alpine
     Error: OCI runtime error: container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"

  3. sudo podman run -it --rm --name alpine2 alpine
     Error: OCI runtime error: container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"

Describe the results you received:
The container does not run; I think it is a cgroups problem or a seccomp problem with the compiled version.

Here is the debug output:

$  podman --log-level debug  run -it --rm --name alpine2 alpine
INFO[0000] podman filtering at log level debug          
DEBU[0000] Called run.PersistentPreRunE(podman --log-level debug run -it --rm --name alpine2 alpine) 
DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf" 
DEBU[0000] Merged system config "/usr/share/containers/containers.conf": &{Containers:{Devices:[] Volumes:[] ApparmorProfile:containers-default-0.29.0 Annotations:[] CgroupNS:host Cgroups:enabled DefaultCapabilities:[CHOWN DAC_OVERRIDE FOWNER FSETID KILL NET_BIND_SERVICE SETFCAP SETGID SETPCAP SETUID SYS_CHROOT] DefaultSysctls:[net.ipv4.ping_group_range=0 0] DefaultUlimits:[] DefaultMountsFile: DNSServers:[] DNSOptions:[] DNSSearches:[] EnableKeyring:true EnableLabeling:false Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm] EnvHost:false HTTPProxy:false Init:false InitPath: IPCNS:private LogDriver:k8s-file LogSizeMax:-1 NetNS:slirp4netns NoHosts:false PidsLimit:2048 PidNS:private SeccompProfile:/usr/share/containers/seccomp.json ShmSize:65536k TZ: Umask:0022 UTSNS:private UserNS:host UserNSSize:65536} Engine:{ImageBuildFormat:oci CgroupCheck:false CgroupManager:cgroupfs ConmonEnvVars:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] ConmonPath:[/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] DetachKeys:ctrl-p,ctrl-q EnablePortReservation:true Env:[] EventsLogFilePath:/run/user/1000/libpod/tmp/events/events.log EventsLogger:journald HooksDir:[/usr/share/containers/oci/hooks.d] ImageDefaultTransport:docker:// InfraCommand: InfraImage:k8s.gcr.io/pause:3.2 InitPath:/usr/libexec/podman/catatonit LockType:shm MultiImageArchive:false Namespace: NetworkCmdPath: NoPivotRoot:false NumLocks:2048 OCIRuntime:runc OCIRuntimes:map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc 
/usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] PullPolicy:missing Remote:false RemoteURI: RemoteIdentity: ActiveService: ServiceDestinations:map[] RuntimePath:[] RuntimeSupportsJSON:[crun runc] RuntimeSupportsNoCgroups:[crun] RuntimeSupportsKVM:[kata kata-runtime kata-qemu kata-fc] SetOptions:{StorageConfigRunRootSet:false StorageConfigGraphRootSet:false StorageConfigGraphDriverNameSet:false StaticDirSet:false VolumePathSet:false TmpDirSet:false} SignaturePolicyPath:/etc/containers/policy.json SDNotify:false StateType:3 StaticDir:/home/cloud/.local/share/containers/storage/libpod StopTimeout:10 TmpDir:/run/user/1000/libpod/tmp VolumePath:/home/cloud/.local/share/containers/storage/volumes} Network:{CNIPluginDirs:[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] DefaultNetwork:podman NetworkConfigDir:/home/cloud/.config/cni/net.d}} 
DEBU[0000] Using conmon: "/usr/bin/conmon"              
DEBU[0000] Initializing boltdb state at /home/cloud/.local/share/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /home/cloud/.local/share/containers/storage 
DEBU[0000] Using run root /run/user/1000/containers     
DEBU[0000] Using static dir /home/cloud/.local/share/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp      
DEBU[0000] Using volume path /home/cloud/.local/share/containers/storage/volumes 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs 
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false 
DEBU[0000] Initializing event backend journald          
DEBU[0000] using runtime "/usr/bin/runc"                
WARN[0000] Error initializing configured OCI runtime crun: no valid executable found for OCI runtime crun: invalid argument 
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument 
INFO[0000] Setting parallel job count to 7              
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf" 
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/shortnames.conf" 
DEBU[0000] parsed reference into "[overlay@/home/cloud/.local/share/containers/storage+/run/user/1000/containers:overlay.mount_program=/usr/bin/fuse-overlayfs]@d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0" 
DEBU[0000] exporting opaque data as blob "sha256:d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0" 
DEBU[0000] parsed reference into "[overlay@/home/cloud/.local/share/containers/storage+/run/user/1000/containers:overlay.mount_program=/usr/bin/fuse-overlayfs]@d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0" 
DEBU[0000] exporting opaque data as blob "sha256:d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0" 
DEBU[0000] using systemd mode: false                    
DEBU[0000] setting container name alpine2               
DEBU[0000] No hostname set; container's hostname will default to runtime default 
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json" 
DEBU[0000] Allocated lock 0 for container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb 
DEBU[0000] parsed reference into "[overlay@/home/cloud/.local/share/containers/storage+/run/user/1000/containers:overlay.mount_program=/usr/bin/fuse-overlayfs]@d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0" 
DEBU[0000] exporting opaque data as blob "sha256:d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0" 
DEBU[0000] created container "bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb" 
DEBU[0000] container "bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb" has work directory "/home/cloud/.local/share/containers/storage/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata" 
DEBU[0000] container "bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb" has run directory "/run/user/1000/containers/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata" 
DEBU[0000] Handling terminal attach                     
DEBU[0000] overlay: mount_data=lowerdir=/home/cloud/.local/share/containers/storage/overlay/l/LXWXXVXZTMKX3KSZEJHXNWEW2K,upperdir=/home/cloud/.local/share/containers/storage/overlay/9d060ecd9149f77d9325b2a341b1f8ddd19b4e206b15cc50c5f2b18d8f38d4d5/diff,workdir=/home/cloud/.local/share/containers/storage/overlay/9d060ecd9149f77d9325b2a341b1f8ddd19b4e206b15cc50c5f2b18d8f38d4d5/work 
DEBU[0000] Made network namespace at /run/user/1000/netns/cni-a27b19fb-8174-0100-6475-a176b147f45d for container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb 
DEBU[0000] mounted container "bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb" at "/home/cloud/.local/share/containers/storage/overlay/9d060ecd9149f77d9325b2a341b1f8ddd19b4e206b15cc50c5f2b18d8f38d4d5/merged" 
DEBU[0000] slirp4netns command: /usr/bin/slirp4netns --disable-host-loopback --mtu 65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/cni-a27b19fb-8174-0100-6475-a176b147f45d tap0 
DEBU[0000] Created root filesystem for container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb at /home/cloud/.local/share/containers/storage/overlay/9d060ecd9149f77d9325b2a341b1f8ddd19b4e206b15cc50c5f2b18d8f38d4d5/merged 
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode secret 
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d 
DEBU[0000] Created OCI spec for container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb at /home/cloud/.local/share/containers/storage/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata/config.json 
DEBU[0000] /usr/bin/conmon messages will be logged to syslog 
DEBU[0000] running conmon: /usr/bin/conmon               args="[--api-version 1 -c bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb -u bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb -r /usr/bin/runc -b /home/cloud/.local/share/containers/storage/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata -p /run/user/1000/containers/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata/pidfile -n alpine2 --exit-dir /run/user/1000/libpod/tmp/exits --socket-dir-path /run/user/1000/libpod/tmp/socket -l k8s-file:/home/cloud/.local/share/containers/storage/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata/ctr.log --log-level debug --syslog -t --conmon-pidfile /run/user/1000/containers/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/cloud/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /run/user/1000/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg cgroupfs --exit-command-arg --tmpdir --exit-command-arg /run/user/1000/libpod/tmp --exit-command-arg --runtime --exit-command-arg runc --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --storage-opt --exit-command-arg overlay.mount_program=/usr/bin/fuse-overlayfs --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg --syslog --exit-command-arg true --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb]"
WARN[0000] Failed to add conmon to cgroupfs sandbox cgroup: error creating cgroup for blkio: mkdir /sys/fs/cgroup/blkio/libpod_parent: permission denied 
DEBU[0000] Received: -1                                 
DEBU[0000] Cleaning up container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb 
DEBU[0000] Tearing down network namespace at /run/user/1000/netns/cni-a27b19fb-8174-0100-6475-a176b147f45d for container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb 
DEBU[0000] Error unmounting /home/cloud/.local/share/containers/storage/overlay/9d060ecd9149f77d9325b2a341b1f8ddd19b4e206b15cc50c5f2b18d8f38d4d5/merged with fusermount3 - exec: "fusermount3": executable file not found in $PATH 
DEBU[0000] unmounted container "bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb" 
DEBU[0000] Removing container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb 
DEBU[0000] Removing all exec sessions for container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb 
DEBU[0000] Cleaning up container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb 
DEBU[0000] Network is already cleaned up, skipping...   
DEBU[0000] Container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb storage is already unmounted, skipping... 
DEBU[0000] Container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb storage is already unmounted, skipping... 
DEBU[0000] ExitCode msg: "time=\"2020-11-25t00:51:14-04:00\" level=error msg=\"container_linux.go:349: starting container process caused \\\"error adding seccomp rule for syscall socket: requested action matches default action of filter\\\"\"\ncontainer_linux.go:349: starting container process caused \"error adding seccomp rule for syscall socket: requested action matches default action of filter\": oci runtime error" 
Error: OCI runtime error: time="2020-11-25T00:51:14-04:00" level=error msg="container_linux.go:349: starting container process caused \"error adding seccomp rule for syscall socket: requested action matches default action of filter\""
container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"

Describe the results you expected:
It will run without any problem, as it does in Fedora.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

podman version
Version:      2.2.0-rc2
API Version:  2.1.0
Go Version:   go1.13.15
Built:        Tue Nov 24 09:13:57 2020
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.18.0
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.21-1.el8.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.21, commit: 8c7a48ca7c926e747381f0c9c4cd294554a6f831-dirty'
  cpus: 2
  distribution:
    distribution: '"centos"'
    version: "8"
  eventLogger: journald
  hostname: test
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 4.18.0-193.28.1.el8_2.x86_64
  linkmode: dynamic
  memFree: 1227288576
  memTotal: 3961745408
  ociRuntime:
    name: runc
    package: runc-1.0.0-65.rc10.module_el8.2.0+305+5e198a41.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-0.4.2-3.git21fdece.module_el8.2.0+305+5e198a41.x86_64
    version: |-
      slirp4netns version 0.4.2+dev
      commit: 21fdece2737dc24ffa3f01a341b8a6854f8b13b4
  swapFree: 4265603072
  swapTotal: 4265603072
  uptime: 33m 27.38s
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/cloud/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-0.7.2-5.module_el8.2.0+305+5e198a41.x86_64
      Version: |-
        fuse-overlayfs: version 0.7.2
        FUSE library version 3.2.1
        using FUSE kernel interface version 7.26
  graphRoot: /home/cloud/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 2
  runRoot: /run/user/1000/containers
  volumePath: /home/cloud/.local/share/containers/storage/volumes
version:
  APIVersion: 2.1.0
  Built: 1606223637
  BuiltTime: Tue Nov 24 09:13:57 2020
  GitCommit: ""
  GoVersion: go1.13.15
  OsArch: linux/amd64
  Version: 2.2.0-rc2

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.2.0-0.6.rc2.el8.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):
VMware VM

All 15 comments

sudo dnf update was missing.

```
sudo dnf update
Last metadata expiration check: 0:57:28 ago on Wed 25 Nov 2020 12:12:36 AM AST.
Dependencies resolved.

 Package            Arch    Version                          Repository                                                       Size
Upgrading:
 buildah            x86_64  1.18.0-2.el8                     devel_kubic_libcontainers_stable                                 13 M
 container-selinux  noarch  2:2.145.0-1.el8                  copr:copr.fedorainfracloud.org:rhcontainerbot:container-selinux  59 k
 fuse-overlayfs     x86_64  1.2.0-1.el8                      devel_kubic_libcontainers_stable                                 69 k
 libvarlink         x86_64  19-3.el8                         devel_kubic_libcontainers_stable                                 44 k
 runc               x86_64  2:1.0.0-145.rc91.git24a3cf8.el8  devel_kubic_libcontainers_stable                                5.0 M
 slirp4netns        x86_64  1.1.6-1.el8                      devel_kubic_libcontainers_stable                                 52 k
Installing dependencies:
 fuse3              x86_64  3.2.1-12.el8                     BaseOS                                                           50 k
 libslirp           x86_64  4.3.1-2.el8                      devel_kubic_libcontainers_stable                                 66 k

Transaction Summary
Install 2 Packages
Upgrade 6 Packages

Total download size: 19 M
Is this ok [y/N]: y
Downloading Packages:
(1/8): container-selinux-2.145.0-1.el8.noarch.rpm        147 kB/s |  59 kB  00:00
(2/8): fuse3-3.2.1-12.el8.x86_64.rpm                      85 kB/s |  50 kB  00:00
(3/8): libslirp-4.3.1-2.el8.x86_64.rpm                    42 kB/s |  66 kB  00:01
(4/8): fuse-overlayfs-1.2.0-1.el8.x86_64.rpm              50 kB/s |  69 kB  00:01
(5/8): libvarlink-19-3.el8.x86_64.rpm                     85 kB/s |  44 kB  00:00
(6/8): slirp4netns-1.1.6-1.el8.x86_64.rpm                 33 kB/s |  52 kB  00:01
(7/8): buildah-1.18.0-2.el8.x86_64.rpm                   2.5 MB/s |  13 MB  00:05
(8/8): runc-1.0.0-145.rc91.git24a3cf8.el8.x86_64.rpm     881 kB/s | 5.0 MB  00:05
Total                                                    2.2 MB/s |  19 MB  00:08
```

After that it works like a charm.

```
sudo podman run -it --rm --name alpine2 alpine
/ #
```

The documentation at https://podman.io/getting-started/installation still needs to be updated to add this command:

```
sudo dnf update -y
```

Could you open a PR to add that?

We are encountering the same error on CentOS 7 with the kubic stable repo:

```
STAGING [root@cc-runner0 ~]$ journalctl -ln1000 -u code-challenges.service --no-pager | grep -m1 seccomp
Nov 24 17:37:06 cc-runner0.stage.iad01.treehouse podman[1688]: Error: container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter": OCI runtime error
STAGING [root@cc-runner0 ~]$ yum list podman podman-plugins containers-common containernetworking-plugins container-selinux runc libslirp slirp4netns
...
Installed Packages
container-selinux.noarch             2:2.119.2-1.911c772.el7_8   @extras
containernetworking-plugins.x86_64   0.8.7-1.el7                 @kubic-libcontainers-stable
containers-common.x86_64             2:1.2.0-9.el7               @kubic-libcontainers-stable
libslirp.x86_64                      4.3.1-2.el7                 @kubic-libcontainers-stable
podman.x86_64                        2.1.1-10.el7                @kubic-libcontainers-stable
podman-plugins.x86_64                2.1.1-10.el7                @kubic-libcontainers-stable
runc.x86_64                          2:1.0.0-103.dev.el7         @kubic-libcontainers-stable
slirp4netns.x86_64                   1.1.6-1.el7                 @kubic-libcontainers-stable
```

Is the repo missing a needed package update for a podman dependency?

Actually, I believe this is covered in https://github.com/containers/podman/issues/8430; apparently the runc in the kubic repo is incompatible.

Yes please update to latest runc or move to crun.

OK, I will do the PR. As you can see, the dnf update fixes the problem and it is compatible with CentOS 8. I will be testing on CentOS 7 to check whether sudo dnf update fixes the problem there too; after that I will do the PR for both operating systems.

CentOS 7 is not compatible with podman at all, it will take more time to troubleshoot this, but the kernel is too old for me now.
I will be doing the Pull Request for CentOS 8.

I am experiencing the same issue. I changed the runtime to crun in docker-compose.yml. Still the error remains the same.
I have crun installed.

```
crun version 0.16
commit: eb0145e5ad4d8207e84a327248af76663d4e50dd
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
```

> CentOS 7 is not compatible with podman at all, it will take more time to troubleshoot this, but the kernel is too old for me now.
> I will be doing the Pull Request for CentOS 8.

Is this true? Should we not use podman at all on CentOS 7?
This is relevant, especially given that the EOL for CentOS 8 has been changed to 2021 and CentOS 7 will be the LTS till 2024.

Not sure how I can help (besides testing), but I have been struggling with this same error on CentOS 7 with the podman from Kubic's repo. dnf/yum update doesn't solve the problem.

Maybe there's a missing dependency, or a kernel update is needed?

The error here is definitely not coming from crun. If you have crun installed but are still seeing this error then Podman is not using it. The line number and file reference there are specifically to a location in the runc repository. This issue is a clear indication that an older, buggy runc is in use.

I cannot speak to the state of the runc package on Cent 7, but if you are seeing this, swapping to crun by installing it and making it default in containers.conf is a guaranteed fix. Alternatively you can edit the system default Seccomp policy to remove the offending rule. This is not a kernel issue and I still fully expect Podman to work on CentOS 7.

(In reply to Marcelo Vital Brazil's comment above, written on Sun, Dec 13, 2020 at 05:04.)

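The comment above points at the seccomp profile rather than the kernel: the error names a rule whose action equals the filter's default action, which older runc refuses to load. The following checker is an added example, not podman or runc code; it reads an OCI seccomp profile in the shape of /usr/share/containers/seccomp.json (defaultAction plus a syscalls list), lists the rules that trigger this condition, and produces a copy without them so the rest of the filter stays in place instead of running unconfined. The embedded profile is constructed and cut down; its argument values are illustrative, not the real profile's.

```python
"""Locate seccomp rules whose action matches the profile's defaultAction.

Added example; not code from the podman project. Input is an OCI seccomp
profile: {"defaultAction": ..., "syscalls": [{"names": [...], "action": ...}]}.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample profile (not the shipped seccomp.json): an errno-by-default
# filter with two rules whose action equals the default, one of them for socket.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["socket"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 2, "op": "SCMP_CMP_EQ"}]},
        # Same action as defaultAction: this is the rule shape libseccomp rejects.
        {"names": ["socket"], "action": "SCMP_ACT_ERRNO", "errnoRet": 22,
         "args": [{"index": 0, "value": 40, "op": "SCMP_CMP_EQ"}]},
        {"names": ["personality"], "action": "SCMP_ACT_ERRNO"},
    ],
})


def load_profile(text: str) -> dict:
    """Parse profile JSON; kept separate so callers can pass file contents."""
    return json.loads(text)


def redundant_rules(profile: dict) -> List[Tuple[int, List[str]]]:
    """Return (index, names) of every rule whose action equals defaultAction.

    libseccomp refuses to add such a rule, and the runc in this issue surfaces
    that refusal as "requested action matches default action of filter".
    """
    default = profile.get("defaultAction")
    return [(i, list(rule.get("names", [])))
            for i, rule in enumerate(profile.get("syscalls", []))
            if rule.get("action") == default]


def strip_redundant_rules(profile: dict) -> dict:
    """Copy of the profile without the flagged rules.

    Whether a call is blocked does not change: the default action already
    applies to those calls. Only a rule-specific errnoRet is lost, so review
    the output of redundant_rules() before installing the result.
    """
    default = profile.get("defaultAction")
    cleaned = dict(profile)
    cleaned["syscalls"] = [r for r in profile.get("syscalls", [])
                           if r.get("action") != default]
    return cleaned


def check_profile_text(text: str) -> Dict[str, object]:
    """Summarise a profile: which syscalls are affected and how many rules remain."""
    profile = load_profile(text)
    hits = redundant_rules(profile)
    return {
        "defaultAction": profile.get("defaultAction"),
        "offending": sorted({n for _, names in hits for n in names}),
        "rules_before": len(profile.get("syscalls", [])),
        "rules_after": len(strip_redundant_rules(profile)["syscalls"]),
    }


if __name__ == "__main__":
    import sys
    # Usage: python3 check_seccomp.py /usr/share/containers/seccomp.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    print(json.dumps(check_profile_text(text), indent=2))
```

Run it against the host's seccomp.json to confirm the profile, not the kernel, is what the old runc chokes on; updating runc or switching to crun remains the proper fix.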

Thanks @mheon. I could not install crun properly (errors in build/install when following the instructions from https://github.com/containers/crun) but will keep trying.

In the meantime, I tested the same commands with docker and it works like a charm. But I'm not ready to give up on podman yet :)

I fixed the issue by changing the runtime to crun in the containers.conf file. Then podman ran correctly.

Container engines will read containers.conf files in up to three locations in the following order:

  1. /usr/share/containers/containers.conf
  2. /etc/containers/containers.conf
  3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)

I copied the file from location one to location three, then edited the runtime line to "crun".

Source: https://serverfault.com/a/1046063/365845
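The procedure in the comment above, as an added example that is not part of podman: copy the system containers.conf to the rootless location and set runtime = "crun" under [engine]. The shipped file usually carries the key commented out as # runtime = "runc", so the edit has to be section-aware rather than a blind append; the containers.conf fragment below is constructed to show that case.

```python
"""Write a rootless containers.conf copy with the OCI runtime set to crun.

Added example, not podman code. Handles the three states of the key under
[engine]: commented out, present, or absent.
"""
import re
from pathlib import Path

# Constructed fragment of containers.conf: key present but commented out,
# followed by a [engine.runtimes] subsection that must not receive the key.
SAMPLE_CONF = """\
[containers]
# Default way to create a cgroup namespace for the container
cgroupns = "host"

[engine]
# Default OCI runtime
# runtime = "runc"

[engine.runtimes]
crun = ["/usr/bin/crun", "/usr/local/bin/crun"]
"""

KEY_RE = re.compile(r'^\s*#?\s*runtime\s*=')          # active or commented key
SECTION_RE = re.compile(r'^\s*\[([^\]]+)\]')            # [engine], [engine.runtimes], ...
ACTIVE_RE = re.compile(r'^\s*runtime\s*=\s*"([^"]*)"')  # uncommented key with value


def set_engine_runtime(text: str, runtime: str = "crun") -> str:
    """Return text with runtime = "<runtime>" active in the [engine] section."""
    out, section, done = [], None, False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            # Leaving [engine] without having seen the key: add it before the next section.
            if section == "engine" and not done:
                out += [f'runtime = "{runtime}"', ""]
                done = True
            section = m.group(1)
        elif section == "engine" and not done and KEY_RE.match(line):
            line = f'runtime = "{runtime}"'  # replaces a commented or stale value
            done = True
        out.append(line)
    if not done:  # file ended inside [engine], or had no [engine] at all
        if section != "engine":
            out += ["", "[engine]"]
        out.append(f'runtime = "{runtime}"')
    return "\n".join(out) + "\n"


def engine_runtime(text: str):
    """Read back the active runtime under [engine], or None if only a default applies."""
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "engine":
            m = ACTIVE_RE.match(line)
            if m:
                return m.group(1)
    return None


def install_rootless_copy(src: Path, dst: Path, runtime: str = "crun") -> Path:
    """Location one -> location three from the comment, with the runtime switched."""
    dst.parent.mkdir(parents=True, exist_ok=True)
    dst.write_text(set_engine_runtime(src.read_text(), runtime))
    return dst


if __name__ == "__main__":
    install_rootless_copy(Path("/usr/share/containers/containers.conf"),
                          Path.home() / ".config/containers/containers.conf")
```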

Just pass the --security-opt seccomp=unconfined parameter at startup and the error no longer occurs.

Yeah, the argument --security-opt=seccomp=unconfined helps to bypass the issue when running a container (podman version 2.2.1 on CentOS 7)
