podman: Error: create keyring `xxx`: Operation not permitted: OCI permission denied

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Steps to reproduce the issue:

Describe the results you received: I tried to run a container with

podman --cgroup-manager=cgroupfs --events-backend=file run  --privileged=True --volume /sys/fs/cgroup:/sys/fs/cgroup:rw --net=host -it fedora bash

but got the error message below

test@6c98f7e61e9c:~$ podman --cgroup-manager=cgroupfs --events-backend=file run  --privileged=True --volume /sys/fs/cgroup:/sys/fs/cgroup:rw --net=host -it fedora bash
WARN[0000] Failed to detect the owner for the current cgroup: stat /sys/fs/cgroup/systemd/docker/6c98f7e61e9c480651ad888360f2fb3dfdd8f9913ab1bff29efb21f98671555c: no such file or directory 
Error: create keyring `d37b8acea00baa9f1975619c6a29a0fd6b185bf52ae3e080b984b5ed689e0809`: Operation not permitted: OCI permission denied

Describe the results you expected: run podman correctly

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

test@6c98f7e61e9c:~$ podman version
WARN[0000] Failed to detect the owner for the current cgroup: stat /sys/fs/cgroup/systemd/docker/6c98f7e61e9c480651ad888360f2fb3dfdd8f9913ab1bff29efb21f98671555c: no such file or directory 
Version:      3.0.1
API Version:  3.0.0
Go Version:   go1.15.2
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

test@6c98f7e61e9c:~$ podman info --debug
WARN[0000] Failed to detect the owner for the current cgroup: stat /sys/fs/cgroup/systemd/docker/6c98f7e61e9c480651ad888360f2fb3dfdd8f9913ab1bff29efb21f98671555c: no such file or directory 
host:
  arch: amd64
  buildahVersion: 1.19.4
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.27, commit: '
  cpus: 2
  distribution:
    distribution: ubuntu
    version: "18.04"
  eventLogger: journald
  hostname: 6c98f7e61e9c
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.4.104+
  linkmode: dynamic
  memFree: 148631552
  memTotal: 13624696832
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.18.1-7931a-dirty
      commit: 7931a1eab0590eff4041c1f74e2844b297c31cea
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /tmp/podman-run-1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.1.8
      commit: unknown
      libslirp: 4.3.1-git
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.3.1
  swapFree: 0
  swapTotal: 0
  uptime: 1h 20m 52.11s (Approximately 0.04 days)
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /home/test/.config/containers/storage.conf
  containerStore:
    number: 5
    paused: 0
    running: 0
    stopped: 5
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /home/test/.local/share/containers/storage
  graphStatus: {}
  imageStore:
    number: 1
  runRoot: /tmp/podman-run-1000/containers
  volumePath: /home/test/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.15.2
  OsArch: linux/amd64
  Version: 3.0.1

Package info (e.g. output of rpm -q podman or apt list podman):

test@6c98f7e61e9c:~$ apt list podman
Listing... Done
podman/unknown,now 100:3.0.1-2 amd64 [installed]

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

test@6c98f7e61e9c:~$ cat /proc/version
Linux version 5.4.104+ (builder@81cc40d87d7b) (Chromium OS 12.0_pre408248_p20201125-r7 clang version 12.0.0 (/var/tmp/portage/sys-devel/llvm-12.0_pre408248_p20201125-r7/work/llvm-12.0_pre408248_p20201125/clang f402e682d0ef5598eeffc9a21a691b03e602ff58)) #1 SMP Sat Jun 5 09:50:34 PDT 2021

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 26 (11 by maintainers)

Most upvoted comments

Thanks to the comments in this issue and the blog post at https://ntk.me/2021/05/14/podman-in-crostini/, I got podman to work on ChromeOS 94 inside a bullseye container. Here are the steps I used:

  1. connect to the host container with 'vsh termina', then run:
  2. lxc config set penguin security.nesting true
  3. lxc restart penguin
  4. lxc exec penguin -- /bin/sh -c "printf '%s\n' '1000:100000:65536' | tee /etc/subuid /etc/subgid"
  5. inside the penguin container, create a /etc/containers/containers.conf with:

     [containers]
     keyring=false

It works:

$ podman run --rm -it alpine
/ #
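The workaround above depends on two pieces of configuration being exactly right: a subuid/subgid range for the rootless user, and keyring=false placed in the [containers] table (not elsewhere) of containers.conf. The following preflight check is an added example, not code from the issue or from the podman project; it takes file paths as parameters and runs against constructed sample files, so it can be tried offline before being pointed at the real /etc/subuid, /etc/subgid and /etc/containers/containers.conf. Note that keyring=false means the container does not get its own session keyring, so it is a trade-off accepted here because the nested Crostini environment forbids creating one.

```shell
#!/bin/sh
# Added example (not from the issue): preflight checks for the Crostini
# workaround. Paths are parameters so the checks run on sample files.

# subid_ok FILE ID: true if FILE has an entry for user or uid ID whose
# range covers at least 65536 ids, e.g. '1000:100000:65536'.
subid_ok() {
    awk -F: -v id="$2" \
        '$1 == id && $3 >= 65536 { found = 1 } END { exit !found }' "$1"
}

# keyring_disabled FILE: true only if keyring=false (spaces optional)
# appears inside the [containers] table of the containers.conf at FILE.
# The same key under another table, such as [engine], is ignored, which
# is a common mistake when copying the snippet by hand.
keyring_disabled() {
    awk '
        /^[[:space:]]*\[/ { in_containers = ($0 ~ /^[[:space:]]*\[containers]/) }
        in_containers && /^[[:space:]]*keyring[[:space:]]*=[[:space:]]*false/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Constructed sample files standing in for the real system files.
SAMPLE_SUBUID=$(mktemp); printf '%s\n' '1000:100000:65536' > "$SAMPLE_SUBUID"
SAMPLE_CONF=$(mktemp);   printf '%s\n' '[containers]' 'keyring=false' > "$SAMPLE_CONF"
BAD_CONF=$(mktemp);      printf '%s\n' '[engine]' 'keyring=false' > "$BAD_CONF"

subid_ok "$SAMPLE_SUBUID" 1000 && echo "subuid range for 1000 ok"
keyring_disabled "$SAMPLE_CONF" && echo "keyring disabled in [containers]"
keyring_disabled "$BAD_CONF" || echo "keyring=false is in the wrong table"

rm -f "$SAMPLE_SUBUID" "$SAMPLE_CONF" "$BAD_CONF"
```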