podman: error running container: error from /usr/bin/crun creating container for [/bin/sh -c pip install -r requirements.txt]: mount `/proc` to `/proc`: Operation not permitted

Hi Team,

I have created a running rootless openshift container using a Dockerfile. I followed below link for creating Rootless Podman without the privileged flag. I’m able to build java spring application but when I try to build python application using Dockerfile that has pip install then I’m getting below error. Can you please let us know what else config required to resolve below error?

https://www.redhat.com/sysadmin/podman-inside-kubernetes

error running container: error from /usr/bin/crun creating container for [/bin/sh -c pip install -r requirements.txt]: mount /proc to /proc: Operation not permitted

1. • If there is a “pip install” command in a Dockerfile, then Podman build fails with error " mount /proc to /proc: Operation not permitted"
2. • Podman build creates docker image, if Dockerfile does not have “pip install” command

podman --version :: podman version 3.2.2

podman info ::

host: arch: amd64 buildahVersion: 1.21.0 cgroupControllers: [] cgroupManager: cgroupfs cgroupVersion: v1 conmon: package: conmon-2.0.27-2.fc34.x86_64 path: /usr/bin/conmon version: 'conmon version 2.0.27, commit: ’ cpus: 12 distribution: distribution: fedora version: “34” eventLogger: file hostname: cliservice-7dff79cbd7-n7krd idMappings: gidmap: - container_id: 0 host_id: 1000 size: 1 - container_id: 1 host_id: 10000 size: 5000 uidmap: - container_id: 0 host_id: 1000 size: 1 - container_id: 1 host_id: 10000 size: 5000 kernel: 4.18.0-240.22.1.el8_3.x86_64 linkmode: dynamic memFree: 55972347904 memTotal: 67230187520 ociRuntime: name: crun package: crun-0.20.1-1.fc34.x86_64 path: /usr/bin/crun version: |- crun version 0.20.1 commit: 0d42f1109fd73548f44b01b3e84d04a279e99d2e spec: 1.0.0 +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL os: linux remoteSocket: path: /tmp/podman-run-1000/podman/podman.sock security: apparmorEnabled: false capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT rootless: true seccompEnabled: true seccompProfilePath: /usr/share/containers/seccomp.json selinuxEnabled: false serviceIsRemote: false slirp4netns: executable: /usr/bin/slirp4netns package: slirp4netns-1.1.9-1.fc34.x86_64 version: |- slirp4netns version 1.1.8+dev commit: 6dc0186e020232ae1a6fcc1f7afbc3ea02fd3876 libslirp: 4.4.0 SLIRP_CONFIG_VERSION_MAX: 3 libseccomp: 2.5.0 swapFree: 0 swapTotal: 0 uptime: 21h 24m 42.97s (Approximately 0.88 days) registries: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com: Blocked: false Insecure: true Location: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com MirrorByDigestOnly: false Mirrors: [] Prefix: default-route-openshift-image-registry.apps.cfa.devcloud.intel.com quay.io: Blocked: false Insecure: true Location: quay.io MirrorByDigestOnly: false Mirrors: [] Prefix: quay.io search:

• registry.fedoraproject.org
• registry.access.redhat.com
• registry.centos.org
• docker.io
• quay.io store: configFile: /home/podman/.config/containers/storage.conf containerStore: number: 0 paused: 0 running: 0 stopped: 0 graphDriverName: overlay graphOptions: overlay.mount_program: Executable: /usr/bin/fuse-overlayfs Package: fuse-overlayfs-1.5.0-1.fc34.x86_64 Version: |- fusermount3 version: 3.10.4 fuse-overlayfs: version 1.5 FUSE library version 3.10.4 using FUSE kernel interface version 7.31 graphRoot: /home/podman/.local/share/containers/storage graphStatus: Backing Filesystem: overlayfs Native Overlay Diff: “false” Supports d_type: “true” Using metacopy: “false” imageStore: number: 5 runRoot: /tmp/podman-run-1000/containers volumePath: /home/podman/.local/share/containers/storage/volumes version: APIVersion: 3.2.2 Built: 1624664959 BuiltTime: Fri Jun 25 23:49:19 2021 GitCommit: “” GoVersion: go1.16.4 OsArch: linux/amd64 Version: 3.2.2

------------------------------------------------------Dockerfile- Start-------------------------------------------

FROM quay.io/podman/stable:latest

RUN touch /etc/subgid /etc/subuid
&& chmod g=u /etc/subgid /etc/subuid /etc/passwd
&& echo podman:10000:5000 > /etc/subuid
&& echo podman:10000:5000 > /etc/subgid

RUN yum install -y
python3-pip
python3 python3-wheel
git
java-11-openjdk.x86_64

RUN pip install jupyterlab

ARG MAVEN_VERSION=3.8.1 ARG BASE_URL=https://apache.osuosl.org/maven/maven-3/${MAVEN_VERSION}/binaries

RUN mkdir -p /usr/share/maven /usr/share/maven/ref
&& curl -fsSL -o /tmp/apache-maven.tar.gz ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz
&& tar -xzf /tmp/apache-maven.tar.gz -C /usr/share/maven --strip-components=1
&& rm -f /tmp/apache-maven.tar.gz
&& ln -s /usr/share/maven/bin/mvn /usr/bin/mvn
&& yum install wget -y
&& yum install unzip -y
&& wget -q https://services.gradle.org/distributions/gradle-3.3-bin.zip
&& unzip gradle-3.3-bin.zip -d /opt
&& rm gradle-3.3-bin.zip

ENV JAVA_HOME /usr/lib/jvm/jre-11-openjdk/ ENV MAVEN_HOME /usr/share/maven ENV GRADLE_HOME /opt/gradle-3.3 ENV PATH $PATH:/opt/gradle-3.3/bin

COPY registries.conf /etc/containers/ COPY login-script.sh /etc/containers/ RUN chmod -R 777 /etc/containers/login-script.sh USER podman

WORKDIR /data

ENTRYPOINT [“/etc/containers/login-script.sh”]

-------------------------------------------Dockerfile End-------------------------------------------