podman: pull: error setting new rlimits: operation not permitted

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Podman fails to pull an image from a local docker-distribution registry (in non-rootless environment).

Steps to reproduce the issue:

Deploy a docker-distribution registry and pull docker.io/tripleomaster/centos-binary-haproxy:current-tripleo.
Now try to pull the container from the registry to local with podman: podman pull --tls-verify=false 192.168.24.1:8787/tripleomaster/centos-binary-haproxy:current-tripleo

Describe the results you received:

Pull fails with error setting new rlimits: operation not permitted error.

Logs: http://logs.openstack.org/19/616019/23/check/tripleo-ci-centos-7-containers-multinode/5ad3bd8/logs/undercloud/home/zuul/overcloud_deploy.log.txt.gz#_2019-01-08_21_46_18

Describe the results you expected:

Pull should work, as it does fine with docker pull.

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:       0.12.1.2
Go Version:    go1.10.2
OS/Arch:       linux/amd64

Output of podman info:

host:
  BuildahVersion: 1.6-dev
  Conmon:
    package: podman-0.12.1.2-2.git9551f6b.el7.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: 97d5f1232f62307696c8b4b2d430e8b771a45873-dirty'
  Distribution:
    distribution: '"centos"'
    version: "7"
  MemFree: 857681920
  MemTotal: 8364449792
  OCIRuntime:
    package: runc-1.0.0-57.dev.git2abd837.el7.centos.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.0'
  SwapFree: 4616089600
  SwapTotal: 8588881920
  arch: amd64
  cpus: 8
  hostname: undercloud.localdomain
  kernel: 3.10.0-957.1.3.el7.x86_64
  os: linux
  rootless: false
  uptime: 2h 3m 2.36s (Approximately 0.08 days)
insecure registries:
  registries:
  - 192.168.24.1:8787
  - 192.168.24.3:8787
registries:
  registries:
  - registry.centos.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  ContainerStore:
    number: 87
  GraphDriverName: overlay
  GraphOptions: null
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
  ImageStore:
    number: 74
  RunRoot: /var/run/containers/storage

Additional environment details (AWS, VirtualBox, physical, etc.): http://logs.openstack.org/19/616019/23/check/tripleo-ci-centos-7-containers-multinode/5ad3bd8/logs/undercloud/var/log/extra/podman/podman_allinfo.log.txt.gz

About this issue

Original URL
State: closed
Created 5 years ago
Comments: 17 (17 by maintainers)

Commits related to this issue

podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCE If we are not able to make arbitrary changes to the RLIMIT_NOFILE when lacking CAP_SYS_RESOURCE, don't fail but bump the limit to the maximum ... — committed to giuseppe/libpod by giuseppe 5 years ago
podman: bump RLIMIT_NOFILE also without CAP_SYS_RESOURCE If we are not able to make arbitrary changes to the RLIMIT_NOFILE when lacking CAP_SYS_RESOURCE, don't fail but bump the limit to the maximum ... — committed to giuseppe/libpod by giuseppe 5 years ago

Most upvoted comments

We might want to keep if !rootless.IsRootless() condition, right? Otherwise lgtm.

no, it will work with rootless mode as well, an unprivileged process can still bump its rlimits to max.

Opened a PR here: https://github.com/containers/libpod/pull/2126

giuseppe on Jan 10, 2019