podman: Can no longer install systemd into an ubuntu bionic container without --privileged

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Some of our builds are broken after the podman 3.0 update. We examined it and found that a simple "apt install init" failed. Further debugging nailed it down to a simple test case and it seems to be related to changed default permissions. Adding CAP_AUDIT_WRITE fixes the issue.

Steps to reproduce the issue:

Negative rootful test:

  1. podman run -it --rm ubuntu:bionic /usr/bin/chfn -f "test" irc
  2. non-0 exit, complains about "PAM: System error"

The same command works when running rootless.

Positive rootful test A:

  1. podman run --privileged -it --rm ubuntu:bionic /usr/bin/chfn -f "test" irc
  2. exit code 0, no output

Positive rootful test B:

  1. podman run --cap-add=all -it --rm ubuntu:bionic /usr/bin/chfn -f "test" irc
  2. exit code 0, no output

Positive rootful test C:

  1. podman run --cap-add=CAP_AUDIT_WRITE -it --rm ubuntu:bionic /usr/bin/chfn -f "test" irc
  2. exit code 0, no output

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      3.0.0
API Version:  3.0.0
Go Version:   go1.15.2
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

(paste your output here)

Package info (e.g. output of rpm -q podman or apt list podman):

host:
  arch: amd64
  buildahVersion: 1.19.2
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.26, commit: '
  cpus: 2
  distribution:
    distribution: ubuntu
    version: "18.04"
  eventLogger: journald
  hostname: xxxxxxx
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.15.0-135-generic
  linkmode: dynamic
  memFree: 71000064
  memTotal: 2090299392
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17.6-58ef-dirty
      commit: fd582c529489c0738e7039cbc036781d1d039014
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 890216448
  swapTotal: 1045143552
  uptime: 3h 6m 56.83s (Approximately 0.12 days)
registries:
  search:
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /persistent/containers
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /var/run/containers/storage
  volumePath: /persistent/containers/volumes
version:
  APIVersion: 3.0.0
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.15.2
  OsArch: linux/amd64
  Version: 3.0.0

**Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?**

Yes

**Additional environment details (AWS, VirtualBox, physical, etc.):**

It's a vSphere VM, but we also reproduced it on a local workstation.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 23 (22 by maintainers)

Most upvoted comments

@towe75 hi, so there should currently be an /etc/containers/seccomp.json installed. Would you mind moving that to /usr/share/containers and retrying this please? If it works, I'll build a new containers-common with the file installed to /usr/share/containers.

HTH.

Scratch that (Monday morning), I do see it should be installed to /usr/share/containers. So I guess something went wrong in packaging. Let me get back on this.