podman: Error: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied

Hi, I am getting this error with latest podman my podman info is:

~ sudo podman info                     
host:
  arch: amd64
  buildahVersion: 1.21.0
  cgroupControllers:
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.0.29-1
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: 7e6de6678f6ed8a18661e1d5721b81ccee293b9b'
  cpus: 12
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: ophion
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.10.45-1-lts
  linkmode: dynamic
  memFree: 7517126656
  memTotal: 8102539264
  ociRuntime:
    name: runc
    package: /usr/bin/runc is owned by runc 1.0.0rc95-1
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc95
      commit: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
      spec: 1.0.2-dev
      go: go1.16.4
      libseccomp: 2.5.1
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 7999582208
  swapTotal: 7999582208
  uptime: 9m 24.03s
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 0
    stopped: 2
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageStore:
    number: 15
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.2.1
  Built: 1623927305
  BuiltTime: Thu Jun 17 11:55:05 2021
  GitCommit: 152952fe6b18581615c3efd1fafef2d8142738e8
  GoVersion: go1.16.5
  OsArch: linux/amd64
  Version: 3.2.1

downgrading containers-common from 0.40.0-1 to 0.39.0-3 fixes the issue

thanks

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 16 (6 by maintainers)

Commits related to this issue

Most upvoted comments

@cevich Well, we have a report of this in the wild now.

@jxs Workaround for now is to use crun instead of runc as your OCI runtime. We’re seeing this in our CI and are trying to chase down the exact cause.

+9
mheon on Jun 20, 2021

Closing this as the root cause issue has also been closed. To be clear, the fix is podman 2.3.1 (or later) plus either:

  • Use crun
  • Use runc 1.0.0 (released 23rd June)
+3
cevich on Jun 28, 2021

Closing this as the root cause issue has also been closed. To be clear, the fix is podman 2.3.1 (or later) plus either:

  • Use crun
  • Use runc 1.0.0 (released 23rd June)

I run podman 3.3.1 on Gentoo, and with runc 1.0.0 I stumbled on this same error. I installed crun 0.19.1 (latest in Gentoo), and the problem “went away”.

+2
tsjk on Oct 3, 2021

You can change this by default in /etc/containers/containers.conf

+2
rhatdan on Jun 22, 2021

Thanks @mheon.

podman --runtime /usr/bin/crun run worked for me (after installing crun)

+2
captn3m0 on Jun 22, 2021
Read more comments on GitHub
← podman: Error: cannot setup namespace using newuidmap: exit status 1
podman: Error: could not get runtime: operation not permitted with stable podman image →