Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: rhel-8.3.0
Component/s: systemd
Labels:

Regression:
None
Severity:
Critical

AssignedTeam:
rhel-systemd
Sub-System Group:

ssg_core_services

Story Points:
5
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
Known Issue
Release Note Text:

Hide
Cause (the user action or circumstances that trigger the bug):
Consequence (what the user experience is when the bug occurs):
Workaround (if available):
Result (mandatory if the workaround does not solve the problem completely):

Show
Cause (the user action or circumstances that trigger the bug): Consequence (what the user experience is when the bug occurs): Workaround (if available): Result (mandatory if the workaround does not solve the problem completely):
Release Note Status:
Proposed

Experience:
Architecture:

x86_64
Bugzilla Bug:
RHBZ: 1897579

PX Impact Score:
PX Technical Impact:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None
Internal Target Milestone numeric:
57,005

Description of problem:
running podman in rootless mode (as user) with ubi8-init (systemd inside container) does not work.
"The issue seems to be in podman setting a default pids limit, but the pids controller is not enabled by systemd for unprivileged users"

Version-Release number of selected component (if applicable):
$ podman version
Version: 2.0.5
API Version: 1
Go Version: go1.14.7
Built: Wed Sep 23 18:18:02 2020
OS/Arch: linux/amd64

$ lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: RedHatEnterprise
Description: Red Hat Enterprise Linux release 8.3 (Ootpa)
Release: 8.3
Codename: Ootpa

How reproducible:
1) enable cgroup2: add cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1 to kernel parameter + reboot
2) set subuid / subgid for the user to be running podman rootless
3) sysctl increase namespaces: /proc/sys/user/max_user_namespaces
4) run podman as user in question: podman run --name=ubi-init-test1 --cgroup-manager=systemd -it --rm --systemd=true ubi8-init

Steps to Reproduce:
1. enable cgroup2 + set subuid/subguid + set namespaces
2. reboot
3. podman as user in question: podman run --name=ubi-init-test1 --cgroup-manager=systemd -it --rm --systemd=true ubi8-init

Actual results:
Error: writing file `/sys/fs/cgroup/user.slice/user-992.slice/user@992.service/cgroup.subtree_control`: No such file or directory: OCI runtime command not found error

ls -l /sys/fs/cgroup/user.slice/user-992.slice/user@992.service/cgroup.subtree_control
~~rw-r~~r-. 1 gitlab-runner gitlab-runner 0 Nov 13 14:57 /sys/fs/cgroup/user.slice/user-992.slice/user@992.service/cgroup.subtree_control

Expected results:
working container / running container

Additional info:
we also added the following, but it seems to have no effect/not being honored:

$ cat /etc/systemd/system/user@.service.d/delegate.conf
[Service]
Delegate=memory pids

-> delegation seems to not work

it can be made to work if the active session scope is chowned (by root) to the user id in question
example:
/usr/bin/chown -R 992 /sys/fs/cgroup/user.slice/user-992.slice/session-225.scope

podman info
host:
arch: amd64
buildahVersion: 1.15.1
cgroupVersion: v2
conmon:
package: conmon-2.0.20-2.module+el8.3.0+8221+97165c3f.x86_64
path: /usr/bin/conmon
version: 'conmon version 2.0.20, commit: 77ce9fd1e61ea89bd6cdc621b07446dd9e80e5b6'
cpus: 2
distribution:
distribution: '"rhel"'
version: "8.3"
eventLogger: file
hostname: vie02s807
idMappings:
gidmap:

container_id: 0
host_id: 987
size: 1
container_id: 1
host_id: 100000
size: 65536
uidmap:
container_id: 0
host_id: 992
size: 1
container_id: 1
host_id: 100000
size: 65536
kernel: 4.18.0-240.1.1.el8_3.x86_64
linkmode: dynamic
memFree: 182124544
memTotal: 4118835200
ociRuntime:
name: crun
package: crun-0.14.1-2.module+el8.3.0+8221+97165c3f.x86_64
path: /usr/bin/crun
version: |-
crun version 0.14.1
commit: 598ea5e192ca12d4f6378217d3ab1415efeddefa
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
os: linux
remoteSocket:
path: /run/user/992/podman/podman.sock
rootless: true
slirp4netns:
executable: /usr/bin/slirp4netns
package: slirp4netns-1.1.4-2.module+el8.3.0+8221+97165c3f.x86_64
version: |-
slirp4netns version 1.1.4
commit: b66ffa8e262507e37fca689822d23430f3357fe8
libslirp: 4.3.1
SLIRP_CONFIG_VERSION_MAX: 3
swapFree: 1072676864
swapTotal: 1073737728
uptime: 46h 9m 29.12s (Approximately 1.92 days)
registries:
search:
registry.access.redhat.com
registry.redhat.io
docker.io
registry.gitlab.com
store:
configFile: /home/gitlab-runner/.config/containers/storage.conf
containerStore:
number: 0
paused: 0
running: 0
stopped: 0
graphDriverName: overlay
graphOptions:
overlay.mount_program:
Executable: /usr/bin/fuse-overlayfs
Package: fuse-overlayfs-1.1.2-3.module+el8.3.0+8221+97165c3f.x86_64
Version: |-
fuse-overlayfs: version 1.1.0
FUSE library version 3.2.1
using FUSE kernel interface version 7.26
graphRoot: /home/gitlab-runner/.local/share/containers/storage
graphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "false"
imageStore:
number: 2
runRoot: /run/user/992/containers
volumePath: /home/gitlab-runner/.local/share/containers/storage/volumes
version:
APIVersion: 1
Built: 1600877882
BuiltTime: Wed Sep 23 18:18:02 2020
GitCommit: ""
GoVersion: go1.14.7
OsArch: linux/amd64
Version: 2.0.5