Bug
Resolution: Obsolete
Normal
rhel-8.5.0
Moderate
rhel-sst-container-tools
x86_64
Description of problem:
Nested rootless podman fails with "using mount program /usr/bin/fuse-overlayfs: fuse: device not found, try 'modprobe fuse' first" when the container is confined with SELinux
Version-Release number of selected component (if applicable):
How reproducible: Always
Steps to Reproduce:
Log in as a non-root user
$ podman run --rm quay.io/podman/stable podman run hello-world
Actual results:
$ podman run --rm rhel8/podman podman run hello-world
podman run --rm rhel8/podman podman run hello-world
time="2022-05-02T15:18:56Z" level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
time="2022-05-02T15:18:56Z" level=warning msg="using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids"
Resolved "hello-world" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
Copying blob sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
Copying config sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412
Writing manifest to image destination
Storing signatures
time="2022-05-02T15:19:01Z" level=error msg="error unmounting /var/lib/containers/storage/overlay/dd9d081b21c5edcfb0ae2c74c58423c9dc1399af8edbfd4091f539ac5679b312/merged: invalid argument"
Error: error mounting storage for container 650c3dc54a1902795d7ebdf659a542b514301aba7f5fdd7ec238fb8ed77cf22c: error creating overlay mount to /var/lib/containers/storage/overlay/dd9d081b21c5edcfb0ae2c74c58423c9dc1399af8edbfd4091f539ac5679b312/merged, mount_data="nodev,fsync=0,lowerdir=/var/lib/containers/storage/overlay/l/XPZKQN32TL5NHX3KCINV5IZT5G,upperdir=/var/lib/containers/storage/overlay/dd9d081b21c5edcfb0ae2c74c58423c9dc1399af8edbfd4091f539ac5679b312/diff,workdir=/var/lib/containers/storage/overlay/dd9d081b21c5edcfb0ae2c74c58423c9dc1399af8edbfd4091f539ac5679b312/work": using mount program /usr/bin/fuse-overlayfs: fuse: device not found, try 'modprobe fuse' first
fuse-overlayfs: cannot mount: No such file or directory
: exit status 1
Expected results: hello world displayed
Additional info:
A) If `--security-opt label=disable` is added, the above command succeeds
B) If /dev/fuse is passed as suggested in https://bugzilla.redhat.com/show_bug.cgi?id=1867892, we get another error:
$ podman run --rm --device /dev/fuse rhel8/podman podman run hello-world
time="2022-05-02T15:07:35Z" level=error msg="Failed to created default CNI network: error creating CNI configuration directory: mkdir /home/podman/.config/cni: permission denied"
time="2022-05-02T15:07:35Z" level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
Resolved "hello-world" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
Copying blob sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
Copying config sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412
Writing manifest to image destination
Storing signatures
Error: set propagation for `proc`: Permission denied: OCI permission denied
$ podman version
Version: 3.4.2
$ head -2 /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.5 (Ootpa)"