podman: Error running container in container created by podman
/kind bug
Description
After creating a container with podman, running a container with buildah inside that container fails, but after creating the container with docker, I can run it successfully.
Steps to reproduce the issue:
1. Start the container with podman:
⚡ root@localhost podman run -it --rm --cap-add=SYS_ADMIN --security-opt seccomp=unconfined 5619d44119b4 /bin/bash
2. Run a container using buildah inside the container:
root@4783ab8723ea:/# buildah bud --isolation chroot .
Describe the results you received:
STEP 1: FROM busybox
Getting image source signatures
Copying blob sha256:697743189b6d255069caf6c455be10c7f8cae8076c6f94d224ae15cd41420e87
738.18 KiB / 738.18 KiB [==================================================] 3s
Copying config sha256:d8233ab899d419c58cf3634c0df54ff5d8acc28f8173f09c21df4a07229e1205
1.46 KiB / 1.46 KiB [======================================================] 0s
Writing manifest to image destination
Storing signatures
STEP 2: RUN "ls"
error running subprocess: error bind mounting /sys from host into mount namespace: permission denied
error building at step {Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] Command:run Args:["ls"] Flags:[] Attrs:map[] Message:RUN "ls" Original:RUN "ls"}: exit status 1
Describe the results you expected: It should run successfully, as it does with docker.
⚡ root@localhost docker run -it --rm --cap-add=SYS_ADMIN --security-opt seccomp=unconfined 5619d44119b4 /bin/bash
root@9678ff5c09be:/# buildah bud --isolation chroot .
STEP 1: FROM busybox
STEP 2: RUN "ls"
bin dev etc home proc root sys tmp usr var
STEP 3: COMMIT containers-storage:[vfs@/var/lib/containers/storage+/var/run/containers/storage:vfs.override_kernel_check=true]@b132099ac11497602b8805d630d33e1e50a7308ff64721fa38a8e2f84ad0a79e
Getting image source signatures
Skipping fetch of repeat blob sha256:adab5d09ba79ecf30d3a5af58394b23a447eda7ffffe16c500ddc5ccb4c0222f
Copying blob sha256:6cc6e74a6528af539095c73cc6ff18d2c84aed749987d100c6ce3b8b495c8887
180 B / 180 B [============================================================] 0s
Copying config sha256:35bdae93cbfab4c95c85ae7efcda66025b671bccbe59b8a2b84466b85eebc1ff
694 B / 694 B [============================================================] 0s
Writing manifest to image destination
Storing signatures
--> b132099ac11497602b8805d630d33e1e50a7308ff64721fa38a8e2f84ad0a79e
root@9678ff5c09be:/#
Output of podman version:
Version: 1.0.1-dev
RemoteAPI Version: 1
Go Version: go1.11.5
Git Commit: 3b88c7350726f5a019f989a1ab7e5046917f2f79
Built: Fri Feb 22 03:14:01 2019
OS/Arch: linux/amd64
Output of podman info:
host:
  BuildahVersion: 1.7-dev
  Conmon:
    package: Unknown
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.14.0-dev, commit: d89cc410f42f2ce9cd061b0db24417108f2794fe'
  Distribution:
    distribution: '"centos"'
    version: "7"
  MemFree: 1174769664
  MemTotal: 2090246144
  OCIRuntime:
    package: containerd.io-1.2.2-3.3.el7.x86_64
    path: /usr/sbin/runc
    version: |-
      runc version 1.0.0-rc6+dev
      commit: 09c8266bf2fcf9519a651b04ae54c967b9ab86ec
      spec: 1.0.1-dev
  SwapFree: 2140127232
  SwapTotal: 2147479552
  arch: amd64
  cpus: 1
  hostname: localhost.localdomain
  kernel: 4.20.11-1.el7.elrepo.x86_64
  os: linux
  rootless: false
  uptime: 13m 55.7s
insecure registries:
  registries: []
registries:
  registries:
  - registry.access.redhat.com
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 1
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  ImageStore:
    number: 1
  RunRoot: /var/run/containers/storage
Tip: The same error also occurs with the latest version of buildah.
About this issue
- State: closed
- Created 5 years ago
- Comments: 36 (25 by maintainers)
Any chance this is an SELinux issue?
Could you try it with setenforce 0?
If it is, could you grab the SELinux error messages with:
ausearch -m AVC -ts recent
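The maintainer's question and the reporter's run flags point at four things worth checking from inside the podman container before guessing: whether CAP_SYS_ADMIN actually reached the process (a missing capability makes mount(2) fail with EPERM, "operation not permitted", whereas the reported "permission denied" is EACCES, which is what an LSM denial such as SELinux usually produces), whether the seccomp profile was really dropped, whether /sys is mounted read-only, and whether SELinux is enforcing. The script below is an added diagnostic written for this page; it is not from the issue, podman or buildah. It reads only the kernel-exposed files /proc/self/status, /proc/self/mounts and /sys/fs/selinux/enforce, and the function names (has_cap_sys_admin, seccomp_mode, sys_mount_opts, sys_is_readonly, selinux_enforcing, diagnose) are this example's own. The parsing functions take their input as a string so they can be exercised on constructed samples without root.

```shell
#!/bin/sh
# Added diagnostic for the "bind mounting /sys ... permission denied" report.
# Example code, not part of the issue, podman or buildah.

# CAP_SYS_ADMIN is capability number 21 (linux/capability.h).
CAP_SYS_ADMIN_BIT=21

# has_cap_sys_admin STATUS_TEXT
# True when the CapEff line of a /proc/<pid>/status dump has bit 21 set.
has_cap_sys_admin() {
    capeff=$(printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }')
    [ -n "$capeff" ] || return 1
    [ $(( (0x$capeff >> $CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# seccomp_mode STATUS_TEXT
# Prints the Seccomp field: 0 = disabled, 1 = strict, 2 = filter.
# With --security-opt seccomp=unconfined this should be 0.
seccomp_mode() {
    printf '%s\n' "$1" | awk '/^Seccomp:/ { print $2 }'
}

# sys_mount_opts MOUNTS_TEXT
# Prints the option string of the sysfs mount on /sys from /proc/self/mounts-style
# lines ("sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0"); empty if absent.
sys_mount_opts() {
    printf '%s\n' "$1" | awk '$2 == "/sys" && $3 == "sysfs" { print $4; exit }'
}

# sys_is_readonly MOUNTS_TEXT
# True when the /sys mount carries the "ro" option.
sys_is_readonly() {
    case ",$(sys_mount_opts "$1")," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# selinux_enforcing
# True when SELinux is mounted and enforcing (what "setenforce 0" switches off).
selinux_enforcing() {
    [ -r /sys/fs/selinux/enforce ] && [ "$(cat /sys/fs/selinux/enforce)" = "1" ]
}

# diagnose
# Run the checks against the live process and report each finding.
diagnose() {
    status=$(cat /proc/self/status)
    mounts=$(cat /proc/self/mounts)

    if has_cap_sys_admin "$status"; then
        echo "CAP_SYS_ADMIN: present in CapEff"
    else
        echo "CAP_SYS_ADMIN: missing (mount(2) would fail with EPERM, not EACCES)"
    fi

    echo "seccomp mode: $(seccomp_mode "$status") (0 means the profile was dropped)"

    if sys_is_readonly "$mounts"; then
        echo "/sys: mounted read-only (opts: $(sys_mount_opts "$mounts"))"
    else
        echo "/sys: writable, or no sysfs mounted on /sys"
    fi

    if selinux_enforcing; then
        echo "SELinux: enforcing; recent AVC denials (needs audit tools):"
        command -v ausearch >/dev/null 2>&1 && ausearch -m AVC -ts recent 2>/dev/null
    else
        echo "SELinux: not enforcing, or not present in this mount namespace"
    fi
}

# Only run the live diagnosis when asked, so the file can also be sourced for its functions.
case "${1:-}" in
    --run) diagnose ;;
esac
```

Copy it into the podman container started with the flags from the report and run sh diag.sh --run; compare the output against the same run inside the docker container. Note that /sys/fs/selinux is normally not visible inside a container, so a "not present" result there does not rule SELinux out on the host; the ausearch line from the comment above, run on the host, is the authoritative check.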