Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 6.18.0
Affects Version/s: None
Component/s: Insights - Advisor, Insights - Vulnerability
Labels:

Epic Link:
SAT-32569
Target Version:

6.18.0
Blocked:
False
Fixed in Build:
foreman-fapolicyd-1.1.0
GitHub Issue:
https://github.com/theforeman/foreman-fapolicyd/pull/13
AssignedTeam:
sat-proton

Release Note Type:
None
Release Note Text:
None
Release Note Status:
None

PX Impact Score:
SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Test Coverage:
None

Market:

Description of problem:

fapolicyd blocks container processes from running on Satellite w/ IoP enabled.

This is reported in RHEL:

fapolicyd default rule file 30-patterns.rules prevents starting containers
https://issues.redhat.com/browse/RHEL-37912

How reproducible:

100%

Is this issue a regression from an earlier version:

Steps to Reproduce:

1.) Enabled fapolicyd on RHEL 9 system

2.) Install Satellite 6.18 + IoP

3.) See iop service startup failures.

Business Impact / Additional info:

2025-09-22 22:30:07 [ERROR ] [configure] Sep 22 22:30:06 satellite.example.com podman[34702]: 2025-09-22 22:30:06.37095434 -0400 EDT m=+9.713549470 container create [...] (image=registry.stage.redhat.io/amq-streams/kafka-39-rhel9:2.9.1-1, name=iop-core-kafka, [...])2025-09-22 22:30:07 [ERROR ] [configure] Sep 22 22:30:06 satellite.example.com podman[34702]: 2025-09-22 22:30:06.345684594 -0400 EDT m=+9.688279714 image pull [...] registry.stage.redhat.io/amq-streams/kafka-39-rhel9:2.9.1-12025-09-22 22:30:07 [ERROR ] [configure] Sep 22 22:30:06 satellite.example.com conmon[34900]: conmon a108bd43b2ef03e90b75 <nwarn>: runtime stderr: /usr/bin/crun: error while loading shared libraries: libsystemd.so.0: cannot open shared object file: Operation not permitted2025-09-22 22:30:07 [ERROR ] [configure] Sep 22 22:30:06 ip-10-0-168-16.rhos-01.prod.psi.rdu2.redhat.com conmon[34900]: conmon a108bd43b2ef03e90b75 <error>: Failed to create container: exit status 1272025-09-22 22:30:07 [ERROR ] [configure] Sep 22 22:30:06 ip-10-0-168-16.rhos-01.prod.psi.rdu2.redhat.com iop-core-kafka[34902]: /usr/bin/crun: error while loading shared libraries: libsystemd.so.0: cannot open shared object file: Operation not permitted2025-09-22 22:30:07 [ERROR ] [configure] Sep 22 22:30:06 ip-10-0-168-16.rhos-01.prod.psi.rdu2.redhat.com iop-core-kafka[34702]: time="2025-09-22T22:30:06-04:00" level=error msg="Removing container [...] from runtime after creation failed"

is caused by

RHEL-37912 fapolicyd default rule file 30-patterns.rules prevents starting containers

Planning

Assignee:: Eric Helms

Reporter:: Tasos Papaioannou

QA Contact:: Tasos Papaioannou

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/09/23 3:34 PM

Updated:: 2025/10/15 3:00 PM

Resolved:: 2025/10/10 1:31 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates