podman: Compose not working after upgrade to 4.6.2
Issue Description
After upgrading to podman 4.6.2 I cannot use docker-compose
anymore to launch any containers. Launching containers using podman run
works fine however.
Steps to reproduce the issue
- Create a simple compose file like this:
  version: "3"
  services:
    app:
      image: nginx:alpine
- Ensure podman socket is exported and activated:
export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock
systemctl --user enable --now podman.socket
- Run docker-compose up
Describe the results you received
The following error occurs:
Error response from daemon: crun: [conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied
write to `/proc/self/oom_score_adj`: Permission denied: OCI permission denied
Describe the results you expected
Should just spawn an nginx image. This still works by running podman run --rm nginx:alpine
podman info output
host:
  arch: amd64
  buildahVersion: 1.31.2
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.fc38.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 92.62
    systemPercent: 2.15
    userPercent: 5.23
  cpus: 8
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: silverblue
    version: "38"
  eventLogger: journald
  freeLocks: 2042
  hostname: spectre
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.4.14-200.fc38.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 322568192
  memTotal: 7916376064
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.7.0-1.fc38.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.7.0
    package: netavark-1.7.0-1.fc38.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.7.0
  ociRuntime:
    name: crun
    package: crun-1.9-1.fc38.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.9
      commit: a538ac4ea1ff319bcfe2bf81cb5c6f687e2dc9d3
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20230823.ga7e4bfb-1.fc38.x86_64
    version: |
      pasta 0^20230823.ga7e4bfb-1.fc38.x86_64
      Copyright Red Hat
      GNU Affero GPL version 3 or later <https://www.gnu.org/licenses/agpl-3.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.1-1.fc38.x86_64
    version: |-
      slirp4netns version 1.2.1
      commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 7821848576
  swapTotal: 7915696128
  uptime: 1h 0m 17.00s (Approximately 0.04 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /var/home/philipp/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/philipp/.local/share/containers/storage
  graphRootAllocated: 998483427328
  graphRootUsed: 230994952192
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /var/home/philipp/.local/share/containers/storage/volumes
version:
  APIVersion: 4.6.2
  Built: 1693251588
  BuiltTime: Mon Aug 28 21:39:48 2023
  GitCommit: ""
  GoVersion: go1.20.7
  Os: linux
  OsArch: linux/amd64
  Version: 4.6.2
### Podman in a container
No
### Privileged Or Rootless
Rootless
### Upstream Latest Release
Yes
### Additional environment details
I already ran `podman system migrate`, `podman system reset` and `rm -rf ~/.local/share/containers`, none of which had any impact
Docker Compose version v2.17.2
### Additional information
_No response_
About this issue
- State: closed
- Created 10 months ago
- Reactions: 12
- Comments: 31 (14 by maintainers)
Commits related to this issue
- Remove podman workaround This has been fixed in podman 4.7.0 https://github.com/containers/podman/issues/19930#issuecomment-1737456096 — committed to SoMuchForSubtlety/main by SoMuchForSubtlety 9 months ago
- Again tweak detection of when an image doesn't exist. Let's see if this fragile nonsense breaks again. What was here though was hiding containers/podman#19930 (i.e. a real 500 error coming from a po... — committed to bowtie-json-schema/bowtie by Julian 9 months ago
Thanks @Luap99 @giuseppe, I rolled back to a previous ostree state using crun 1.8.7 which fixed the issue. Looking forward to podman 4.6.3 being released 😄
Found this:
https://fedoraproject.org/coreos/release-notes/?arch=x86_64&stream=stable
Had to manually download the old image using url hacking because there doesn’t seem to be links from the release notes pages.
That worked! 🎉
Freaking love the simplicity of podman. Even with obscure error messages like the one thrown, wasn’t so bad to dig into the issue and find out how to fix it. Great work team!
Maybe sometime I’ll learn rpm-ostree, but I’ll save that for a later date. 😃
~Hopefully I don’t have to worry about auto-updates?~. Of course it updated before I finished writing the comment…
Time to try again. Raced podman machine init with podman machine ssh then ran this when I got a shell:
Seems to have worked 🤞.
Podman 4.7.0 is releasing today with a fix allowing the most recent crun version to be used. Closing as such.
@Rtapy you can run
sudo dnf downgrade crun
FYI this is still an issue with podman 4.7 and fedora-coreos-38.20230918.2.0-qemu.x86_64.qcow2.xz.
Recreating a machine with stable works:
I also upgraded to Podman 4.7.0 and am still receiving the `crun: [common.d] failed to write to /proc/self/oom_score_adj: Permission denied` error.
As stated above you need v4.7 on the server side, you can check with `podman version`.
Hi! I’m using podman with podman machine on MacOS. Trying to figure out the right way to rollback crun.
The default machine is Fedora CoreOS (maybe this can be swapped, but like to keep things as vanilla as possible).
I haven’t used CoreOS much at all since I prefer for this stuff to be transparent, but I looked at the docs for rolling back the image and found this command, but there’s nothing to rollback to.
Found via: https://docs.fedoraproject.org/en-US/fedora-coreos/auto-updates/#_manual_rollbacks
Any recommendations for a workaround on MacOS?
I also tried downgrading podman and resetting the machine but the image appears to have the new engine installed anyway. Maybe there’s a way I can specify which image version I want to download with podman? I haven’t found that yet.
For Fedora 38, you can install crun 1.8.7 with:
This is the debug log of `docker-compose start` for the given compose file. Only suspicious message I encountered (except of the previously mentioned messages) is the `Received: -1` after the netavark setup
I can reproduce on fedora 38 with `podman` version 4.6.2 and `docker-compose` version 2.20.3
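
A triage check for the version pairing discussed in this thread, added here as an example (not code from the podman project or from any commenter): it reads a saved `podman info` dump taken on the host that runs the containers and flags crun 1.9 or later under a podman older than 4.7.0. The function names, the embedded sample (a trimmed excerpt of the output quoted in the issue) and the generalised thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not podman project code. Thresholds are an assumption from the
# thread: crun 1.9 failed under podman 4.6.2, crun 1.8.7 worked, 4.7.0 has the fix.

# ver_lt A B: true when version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_info: read `podman info` text on stdin, print a one-line verdict.
check_info() {
    awk '
        /^[ \t]*crun version / { crun = $3 }
        /^[ \t]*rootless:/     { rootless = $2 }
        /^[ \t]*Version:/      { podman = $2 }
        END {
            if (podman == "") podman = "-"
            if (crun == "") crun = "-"
            if (rootless == "") rootless = "-"
            print podman, crun, rootless
        }
    ' | {
        read -r podman crun rootless
        if [ "$podman" = "-" ] || [ "$crun" = "-" ]; then
            echo "unknown: podman or crun version not found"
        elif ver_lt "$podman" 4.7.0 && ! ver_lt "$crun" 1.9; then
            echo "affected: podman $podman with crun $crun (rootless=$rootless)"
        else
            echo "ok: podman $podman with crun $crun (rootless=$rootless)"
        fi
    }
}

# Trimmed excerpt of the `podman info` output quoted in the issue.
sample_info() {
    cat <<'EOF'
host:
  ociRuntime:
    version: |-
      crun version 1.9
  security:
    rootless: true
version:
  Version: 4.6.2
EOF
}

sample_info | check_info
```

On a live host, `podman info | check_info` gives the same verdict line for the running installation.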