common: error adding seccomp filter rule for syscall bdflush: permission denied

FWIW, if anyone ends up here for podman issues regarding this error on RHEL, RHEL 8.4 has a borked version of runc whilst updating to RHEL 8.5’s bundled runc fixes the error. 🚀

@dtchanpura did you have crun installed when you ran that test? I have found that (at least on arch linux) containers-common will default to crun if it’s installed, which is not affected by this issue. So an effective workaround for arch users with the default configuration is to just install crun. Others may need to set runtime=“crun” in contianers.conf.

Arch bug report here: https://bugs.archlinux.org/task/71397

Issue resolved after rolling back to containers-common 0.39.0

sudo pacman -U https://archive.archlinux.org/packages/c/containers-common/containers-common-0.39.0-4-any.pkg.tar.zst

@ryester27 I’m also having this issue on Arch Linux with containers-common 0.40.0, podman 3.2.1, and runc 1.0.0rc95. However, replacing /etc/containers/seccomp.json with the file from containers-common 0.39.0 is a workaround and lets containers starts properly, albeit at the expense of less strict seccomp filters, I guess.

Contrary to @dtchanpura, this is still broken for me.

> pacman -Q containers-common podman runc                                                                                                                                        
containers-common 0.40.1-1
podman 3.2.2-1
runc 1.0.0-1
> podman run -it --rm ubuntu:20.04
Error: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied

It works if I downgrade to containers-common-0.39.0-4.

> pacman -Q containers-common podman runc        
containers-common 0.39.0-4
podman 3.2.2-1
runc 1.0.0-1
> podman run -it --rm ubuntu:20.04
root@c06728581153:/#

If I remove bdflush from seccomp.json, it just fails with a different error:

Error: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall io_pgetevents: permission denied: OCI permission denied

I’m on Debian Bullseye facing this issue after building Podman from source. There’s no clear fix given that Debian doesn’t use Pacman here.

What’s the solution? Bullseye is currently the latest version that gets security updates, and current stable podman seems to entirely ignore .containerignore (a separate issue I’m ultimately trying to evaluate). Hence building from source.

EDIT: Turns out crun wasn’t installed. Installing it fixed the issue. Some better error messages are really needed here.

Thanks for pointing out the crun workaround! (rootless) containers start working again as soon as i install the crun package.

These are my versions:

$ pacman -Q containers-common podman runc crun
containers-common 0.40.1-1
podman 3.2.2-1
runc 1.0.0-1
crun 0.20.1-1

@darrellenns Sorry about that, I did not see other dependencies, but yes, I do have crun installed as a dependency for buildah and it coincided with the runc update so couldn’t distinguish if that was because of runc or crun.

~ ❯ pacman -Q crun runc podman containers-common
crun 0.20.1-1
runc 1.0.0-1
podman 3.2.2-1
containers-common 0.40.1-1

Edit: I could reproduce the issue removing buildah and crun.

Can we close this issue?

@cevich I’ve seen the error “container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied” with versions of runc older than 1.0-rc95.

Could we first double check the runc version?

Having the same problem with containers-common-0.40.0-1, and my Arch Linux setup has runc 1.0.0rc95-1