podman: Cannot restore segment prot after reloc: Permission denied
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
I uninstalled Docker on my Fedora 30 and installed podman and podman-docker. However, I get the following error when building my project (which uses Docker):
[INFO] [io.quarkus.creator.phase.nativeimage.NativeImagePhase] docker run -v /home/ggastald/workspace/quarkus/integration-tests/jgit/target:/project:z --rm --user 1000:1000 quay.io/quarkus/ubi-quarkus-native-image:19.1.1 -J-Djava.util.logging.manager=org.jboss.logmanager.LogManager -J-Dio.netty.leakDetection.level=DISABLED -J-Dvertx.disableDnsResolver=true -J-Dio.netty.noUnsafe=true --initialize-at-build-time= -H:InitialCollectionPolicy=com.oracle.svm.core.genscavenge.CollectionPolicy$BySpaceAndTime -jar quarkus-integration-test-jgit-999-SNAPSHOT-runner.jar -J-Djava.util.concurrent.ForkJoinPool.common.parallelism=1 -H:FallbackThreshold=0 -H:+ReportExceptionStackTraces -H:+PrintAnalysisCallTree -H:-AddAllCharsets -H:EnableURLProtocols=http,https --enable-all-security-services -H:-SpawnIsolates -H:+JNI --no-server -H:-UseServiceLoaderFeature -H:+StackTrace
Error occurred during initialization of VM
Unable to load JVMCI shared library: /opt/graalvm/jre/lib/amd64/libjvmcicompiler.so: cannot restore segment prot after reloc: Permission denied
Steps to reproduce the issue:
- git clone git@github.com:quarkusio/quarkus.git
- cd quarkus && ./mvnw clean install -DskipTests
- ./mvnw install -Dnative -Dnative-image.docker-build=true -pl integration-tests/jgit
Describe the results you received:
[INFO] --- quarkus-maven-plugin:999-SNAPSHOT:native-image (native-image) @ quarkus-integration-test-jgit ---
[INFO] [io.quarkus.creator.phase.nativeimage.NativeImagePhase] Running Quarkus native-image plugin on OpenJDK 64-Bit Server VM
Error: Could not create directory /project/.native-image/machine-id-
[INFO] [io.quarkus.creator.phase.nativeimage.NativeImagePhase] docker run -v /home/ggastald/workspace/quarkus/integration-tests/jgit/target:/project:z --rm --user 1000:1000 quay.io/quarkus/ubi-quarkus-native-image:19.1.1 -J-Djava.util.logging.manager=org.jboss.logmanager.LogManager -J-Dio.netty.leakDetection.level=DISABLED -J-Dvertx.disableDnsResolver=true -J-Dio.netty.noUnsafe=true --initialize-at-build-time= -H:InitialCollectionPolicy=com.oracle.svm.core.genscavenge.CollectionPolicy$BySpaceAndTime -jar quarkus-integration-test-jgit-999-SNAPSHOT-runner.jar -J-Djava.util.concurrent.ForkJoinPool.common.parallelism=1 -H:FallbackThreshold=0 -H:+ReportExceptionStackTraces -H:+PrintAnalysisCallTree -H:-AddAllCharsets -H:EnableURLProtocols=http,https --enable-all-security-services -H:-SpawnIsolates -H:+JNI --no-server -H:-UseServiceLoaderFeature -H:+StackTrace
Error occurred during initialization of VM
Unable to load JVMCI shared library: /opt/graalvm/jre/lib/amd64/libjvmcicompiler.so: cannot restore segment prot after reloc: Permission denied
Error: Image build request failed with exit status 1
Describe the results you expected: Build success (it works with Docker installed)
Additional information you deem important (e.g. issue happens only occasionally):
Output of podman version:
Version: 1.5.1
RemoteAPI Version: 1
Go Version: go1.12.7
OS/Arch: linux/amd64
Output of podman info --debug:
debug:
  compiler: gc
  git commit: ""
  go version: go1.12.7
  podman version: 1.5.1
host:
  BuildahVersion: 1.10.1
  Conmon:
    package: podman-1.5.1-3.fc30.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.0, commit: d728afa06cd2df86a27f32a4692c7099a56acc97-dirty'
  Distribution:
    distribution: fedora
    version: "30"
  MemFree: 17401413632
  MemTotal: 33072443392
  OCIRuntime:
    package: containerd.io-1.2.6-3.3.fc28.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc8
      commit: 425e105d5a03fabd737a126ad93d62a9eeede87f
      spec: 1.0.1-dev
  SwapFree: 16129261568
  SwapTotal: 16605245440
  arch: amd64
  cpus: 8
  eventlogger: journald
  hostname: ggastald-laptop
  kernel: 5.2.8-200.fc30.x86_64
  os: linux
  rootless: true
  uptime: 55h 12m 32.36s (Approximately 2.29 days)
registries:
  blocked: null
  insecure: null
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /home/ggastald/.config/containers/storage.conf
  ContainerStore:
    number: 0
  GraphDriverName: overlay
  GraphOptions:
  - overlay.mount_program=/usr/bin/fuse-overlayfs
  GraphRoot: /home/ggastald/.local/share/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 1
  RunRoot: /run/user/1000
  VolumePath: /home/ggastald/.local/share/containers/storage/volumes
Package info (e.g. output of rpm -q podman or apt list podman):
podman-1.5.1-3.fc30.x86_64
Additional environment details (AWS, VirtualBox, physical, etc.):
Running on Fedora 30
About this issue
- State: closed
- Created 5 years ago
- Comments: 29 (14 by maintainers)
Commits related to this issue
- Podman requires --userns=keep-id to avoid AccessDeniedExceptions while building the native image According to the podman documentation: --userns=keep-id: creates a user namespace where the current ro... — committed to quarkusio/quarkus by gastaldi 5 years ago
- Podman requires --userns=keep-id to avoid AccessDeniedExceptions while building the native image According to the podman documentation: --userns=keep-id: creates a user namespace where th... — committed to luca-digrazia/DatasetCommitsDiffSearch by deleted user 2 years ago
Yes, that makes sense. Or drop the --user flag altogether to get the file owned by you.
Nice that we were able to get this to work.
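The commit note about `--userns=keep-id` and the suggestion to drop `--user` both come down to which host UID a container UID becomes under rootless Podman. As an added illustration (not code from the issue or from Podman), this sketch models the UID map in both modes; host UID 1000 comes from the report's `--user 1000:1000` and `/run/user/1000`, while the subuid entry is a constructed sample and is assumed to be larger than the host UID.

```python
# Added illustration: models rootless Podman UID maps; not code from Podman or the issue.
# Rows are (container_start, host_start, length), the layout of /proc/<pid>/uid_map.

SUBUID_LINE = "ggastald:100000:65536"  # constructed sample /etc/subuid entry
HOST_UID = 1000                        # from the report (--user 1000:1000, /run/user/1000)


def parse_subuid(line):
    """Return (start, count) from a 'name:start:count' subuid entry."""
    _name, start, count = line.strip().split(":")
    return int(start), int(count)


def default_map(host_uid, sub_start, sub_count):
    """Default rootless map: container root is the invoking user."""
    return [(0, host_uid, 1), (1, sub_start, sub_count)]


def keep_id_map(host_uid, sub_start, sub_count):
    """--userns=keep-id: the invoking user's UID keeps its value in the container.
    Assumes sub_count > host_uid."""
    rows = [(0, sub_start, host_uid)] if host_uid else []
    rows.append((host_uid, host_uid, 1))
    rows.append((host_uid + 1, sub_start + host_uid, sub_count - host_uid))
    return rows


def to_host(uid_map, container_uid):
    """Translate a container UID to the host UID that owns its files, or None if unmapped."""
    for c_start, h_start, length in uid_map:
        if c_start <= container_uid < c_start + length:
            return h_start + (container_uid - c_start)
    return None


def report(host_uid=HOST_UID, line=SUBUID_LINE):
    start, count = parse_subuid(line)
    default = default_map(host_uid, start, count)
    keep = keep_id_map(host_uid, start, count)
    return {
        "default, --user 1000": to_host(default, 1000),  # subordinate UID, not the volume owner
        "default, no --user": to_host(default, 0),       # container root is the invoking user
        "keep-id, --user 1000": to_host(keep, 1000),     # same UID as the volume owner
    }


if __name__ == "__main__":
    for case, uid in report().items():
        print(f"{case:22} -> host UID {uid}")
```

Only the first case lands on a host UID that does not own the bind-mounted `target` directory, which is the case the reported `docker run --user 1000:1000` invocation falls into.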