podman: [Rootless container] sd-bus call: Permission denied: OCI runtime permission denied error
BUG REPORT
/kind bug
Description
Launching a rootless container used to work, but doesn’t anymore, and I have no idea what changed since then. This error shows up when I try to run a container without root permissions; it works great when launched as root.
Steps to reproduce the issue:
- Running Ubuntu 18.04.4 LTS. It happens on both (A) a VM running ubuntu desktop:
  5.3.0-53-generic #47~18.04.1-Ubuntu SMP Thu May 7 13:10:50 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  and (B) another baremetal machine running ubuntu server:
  4.15.0-101-generic #102-Ubuntu SMP Mon May 11 10:07:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
- Changed grub linux arguments to support the unified hierarchy:
  GRUB_CMDLINE_LINUX="systemd.cgroup_unified_hierarchy=1 swapaccount=1"
- Updated grub and rebooted
- Running this command throws the error:
  $ podman run --rm edvgui/alpine-hello-world
  Error: sd-bus call: Permission denied: OCI runtime permission denied error
This image is built with Docker and works for non-rootless containers. It does nothing fancy, just executes /bin/echo "Hello World" in an Alpine container.
Describe the results you received:
The full output when executing the command with log-level=debug
$ podman --log-level debug run --rm edvgui/alpine-hello-world
DEBU[0000] Ignoring lipod.conf EventsLogger setting "journald". Use containers.conf if you want to change this setting and remove libpod.conf files.
DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf"
DEBU[0000] Merged system config "/usr/share/containers/containers.conf": &{{[] [] container-default [] private [CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] [] [] [] [] [] false [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] false false false private k8s-file -1 slirp4netns false 2048 private /usr/share/containers/seccomp.json 65536k private host 65536} {true systemd [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] [/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] ctrl-p,ctrl-q true /run/user/1000/libpod/tmp/events/events.log file [/usr/share/containers/oci/hooks.d] docker:// /pause k8s.gcr.io/pause:3.2 /usr/libexec/podman/catatonit shm false 2048 /usr/local/bin/crun map[runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc] crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc]] missing [] [crun runc] [crun] {false false false false false false} false 3 /home/guillaume/.local/share/containers/storage/libpod 10 /run/user/1000/libpod/tmp /home/guillaume/.local/share/containers/storage/volumes} {[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] podman /etc/cni/net.d/}}
DEBU[0000] Reading configuration file "/etc/containers/containers.conf"
DEBU[0000] Merged system config "/etc/containers/containers.conf": &{{[] [] container-default [] private [CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] [] [] [] [] [] false [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] false false false private k8s-file -1 slirp4netns false 2048 private /usr/share/containers/seccomp.json 65536k private host 65536} {true systemd [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] [/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] ctrl-p,ctrl-q true /run/user/1000/libpod/tmp/events/events.log file [/usr/share/containers/oci/hooks.d] docker:// /pause k8s.gcr.io/pause:3.2 /usr/libexec/podman/catatonit shm false 2048 /usr/local/bin/crun map[runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc] crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc]] missing [] [crun runc] [crun] {false false false false false false} false 3 /home/guillaume/.local/share/containers/storage/libpod 10 /run/user/1000/libpod/tmp /home/guillaume/.local/share/containers/storage/volumes} {[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] podman /etc/cni/net.d/}}
DEBU[0000] Using conmon: "/usr/libexec/podman/conmon"
DEBU[0000] Initializing boltdb state at /home/guillaume/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver vfs
DEBU[0000] Using graph root /home/guillaume/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000/containers
DEBU[0000] Using static dir /home/guillaume/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /home/guillaume/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] No store required. Not opening container store.
DEBU[0000] Initializing event backend file
DEBU[0000] using runtime "/usr/bin/runc"
DEBU[0000] using runtime "/usr/bin/crun"
DEBU[0000] using runtime "/usr/bin/kata-runtime"
DEBU[0000] using runtime "/usr/local/bin/crun"
INFO[0000] running as rootless
DEBU[0000] Ignoring lipod.conf EventsLogger setting "journald". Use containers.conf if you want to change this setting and remove libpod.conf files.
DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf"
DEBU[0000] Merged system config "/usr/share/containers/containers.conf": &{{[] [] container-default [] private [CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] [] [] [] [] [] false [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] false false false private k8s-file -1 slirp4netns false 2048 private /usr/share/containers/seccomp.json 65536k private host 65536} {true systemd [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] [/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] ctrl-p,ctrl-q true /run/user/1000/libpod/tmp/events/events.log file [/usr/share/containers/oci/hooks.d] docker:// /pause k8s.gcr.io/pause:3.2 /usr/libexec/podman/catatonit shm false 2048 /usr/local/bin/crun map[runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc] crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc]] missing [] [crun runc] [crun] {false false false false false false} false 3 /home/guillaume/.local/share/containers/storage/libpod 10 /run/user/1000/libpod/tmp /home/guillaume/.local/share/containers/storage/volumes} {[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] podman /etc/cni/net.d/}}
DEBU[0000] Reading configuration file "/etc/containers/containers.conf"
DEBU[0000] Merged system config "/etc/containers/containers.conf": &{{[] [] container-default [] private [CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYS_CHROOT] [] [] [] [] [] false [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] false false false private k8s-file -1 slirp4netns false 2048 private /usr/share/containers/seccomp.json 65536k private host 65536} {true systemd [PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] [/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] ctrl-p,ctrl-q true /run/user/1000/libpod/tmp/events/events.log file [/usr/share/containers/oci/hooks.d] docker:// /pause k8s.gcr.io/pause:3.2 /usr/libexec/podman/catatonit shm false 2048 /usr/local/bin/crun map[kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc] crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun]] missing [] [crun runc] [crun] {false false false false false false} false 3 /home/guillaume/.local/share/containers/storage/libpod 10 /run/user/1000/libpod/tmp /home/guillaume/.local/share/containers/storage/volumes} {[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] podman /etc/cni/net.d/}}
DEBU[0000] Using conmon: "/usr/libexec/podman/conmon"
DEBU[0000] Initializing boltdb state at /home/guillaume/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver vfs
DEBU[0000] Using graph root /home/guillaume/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000/containers
DEBU[0000] Using static dir /home/guillaume/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /home/guillaume/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] [graphdriver] trying provided driver "vfs"
DEBU[0000] Initializing event backend file
DEBU[0000] using runtime "/usr/bin/runc"
DEBU[0000] using runtime "/usr/bin/crun"
DEBU[0000] using runtime "/usr/bin/kata-runtime"
DEBU[0000] using runtime "/usr/local/bin/crun"
DEBU[0000] parsed reference into "[vfs@/home/guillaume/.local/share/containers/storage+/run/user/1000/containers]docker.io/edvgui/alpine-hello-world:latest"
DEBU[0000] parsed reference into "[vfs@/home/guillaume/.local/share/containers/storage+/run/user/1000/containers]@8f567b66a9d1b7b0caf049c2f15dbde27e54edd767e986f38b6501d3216fa541"
DEBU[0000] exporting opaque data as blob "sha256:8f567b66a9d1b7b0caf049c2f15dbde27e54edd767e986f38b6501d3216fa541"
DEBU[0000] Using slirp4netns netmode
DEBU[0000] No hostname set; container's hostname will default to runtime default
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json"
DEBU[0000] created OCI spec and options for new container
DEBU[0000] Allocated lock 0 for container 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09
DEBU[0000] parsed reference into "[vfs@/home/guillaume/.local/share/containers/storage+/run/user/1000/containers]@8f567b66a9d1b7b0caf049c2f15dbde27e54edd767e986f38b6501d3216fa541"
DEBU[0000] exporting opaque data as blob "sha256:8f567b66a9d1b7b0caf049c2f15dbde27e54edd767e986f38b6501d3216fa541"
DEBU[0000] created container "5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09"
DEBU[0000] container "5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09" has work directory "/home/guillaume/.local/share/containers/storage/vfs-containers/5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09/userdata"
DEBU[0000] container "5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09" has run directory "/run/user/1000/containers/vfs-containers/5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09/userdata"
DEBU[0000] New container created "5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09"
DEBU[0000] container "5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09" has CgroupParent "user.slice/user-1000.slice/user@1000.service/user.slice/libpod-5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09.scope"
DEBU[0000] Not attaching to stdin
DEBU[0000] mounted container "5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09" at "/home/guillaume/.local/share/containers/storage/vfs/dir/976ef4174995b79ba246486e585029199034d17b63fb82cbfaf0552878ea8c1f"
DEBU[0000] Created root filesystem for container 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09 at /home/guillaume/.local/share/containers/storage/vfs/dir/976ef4174995b79ba246486e585029199034d17b63fb82cbfaf0552878ea8c1f
DEBU[0000] Made network namespace at /run/user/1000/netns/cni-cf935cfe-ba9a-c2ba-c387-153a921301e7 for container 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09
DEBU[0000] slirp4netns command: /usr/bin/slirp4netns --disable-host-loopback --mtu 65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/cni-cf935cfe-ba9a-c2ba-c387-153a921301e7 tap0
DEBU[0000] skipping loading default AppArmor profile (rootless mode)
INFO[0000] No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4]
INFO[0000] IPv6 enabled; Adding default IPv6 external servers: [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844]
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode secret
DEBU[0000] Setting CGroups for container 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09 to user.slice:libpod:5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d
DEBU[0000] Created OCI spec for container 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09 at /home/guillaume/.local/share/containers/storage/vfs-containers/5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09/userdata/config.json
DEBU[0000] /usr/libexec/podman/conmon messages will be logged to syslog
DEBU[0000] running conmon: /usr/libexec/podman/conmon args="[--api-version 1 -s -c 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09 -u 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09 -r /usr/local/bin/crun -b /home/guillaume/.local/share/containers/storage/vfs-containers/5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09/userdata -p /run/user/1000/containers/vfs-containers/5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09/userdata/pidfile -l k8s-file:/home/guillaume/.local/share/containers/storage/vfs-containers/5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09/userdata/ctr.log --exit-dir /run/user/1000/libpod/tmp/exits --socket-dir-path /run/user/1000/libpod/tmp/socket --log-level debug --syslog --conmon-pidfile /run/user/1000/containers/vfs-containers/5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/guillaume/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /run/user/1000/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/user/1000/libpod/tmp --exit-command-arg --runtime --exit-command-arg /usr/local/bin/crun --exit-command-arg --storage-driver --exit-command-arg vfs --exit-command-arg --events-backend --exit-command-arg file --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09]"
INFO[0000] Running conmon under slice user.slice and unitName libpod-conmon-5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09.scope
[conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied
DEBU[0000] Received: -1
DEBU[0000] Cleaning up container 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09
DEBU[0000] Tearing down network namespace at /run/user/1000/netns/cni-cf935cfe-ba9a-c2ba-c387-153a921301e7 for container 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09
DEBU[0000] unmounted container "5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09"
DEBU[0000] Cleaning up container 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09
DEBU[0000] Network is already cleaned up, skipping...
DEBU[0000] Container 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09 storage is already unmounted, skipping...
DEBU[0000] Container 5b3e82bb35cefa0b363b3d1acd4d46456c4077fbddedf818b07a8e9fee5f7e09 storage is already unmounted, skipping...
DEBU[0000] ExitCode msg: "sd-bus call: permission denied: oci runtime permission denied error"
ERRO[0000] sd-bus call: Permission denied: OCI runtime permission denied error
Describe the results you expected:
It should simply print Hello World
$ podman run --rm edvgui/alpine-hello-world
Hello World
Additional information you deem important (e.g. issue happens only occasionally):
Systemd version
$ systemd --version
systemd 237
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid
Mounted cgroup
$ mount | grep cgroup
cgroup on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)
Output of podman version:
Version: 1.9.2
RemoteAPI Version: 1
Go Version: go1.10.1
OS/Arch: linux/amd64
Output of podman info --debug:
debug:
  compiler: gc
  gitCommit: ""
  goVersion: go1.10.1
  podmanVersion: 1.9.2
host:
  arch: amd64
  buildahVersion: 1.14.8
  cgroupVersion: v2
  conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.16, commit: '
  cpus: 4
  distribution:
    distribution: ubuntu
    version: "18.04"
  eventLogger: file
  hostname: guillaume-vm
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.3.0-53-generic
  memFree: 3443761152
  memTotal: 8348545024
  ociRuntime:
    name: crun
    package: Unknown
    path: /usr/local/bin/crun
    version: |-
      crun version 0.13.123-bd74
      commit: bd74c7802558cdb38bec8724a291c084a01a6b86
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 0.4.3
      commit: unknown
  swapFree: 993239040
  swapTotal: 993239040
  uptime: 1h 30m 50.17s (Approximately 0.04 days)
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /home/guillaume/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /home/guillaume/.local/share/containers/storage
  graphStatus: {}
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  volumePath: /home/guillaume/.local/share/containers/storage/volumes
Package info (e.g. output of rpm -q podman or apt list podman):
$ apt list podman
Listing... Done
podman/unknown,now 1.9.2~3 amd64 [installed]
Additional environment details (AWS, VirtualBox, physical, etc.):
System A: VirtualBox Version 6.1.6 r137129 (Qt5.6.3)
System B: Baremetal machine
About this issue
- State: closed
- Created 4 years ago
- Comments: 28 (12 by maintainers)
Just for documentation: It is still a valid issue on Debian 10 with podman 2.0.4, cgroupv2 and systemd 241.
like @giuseppe already said:
Running with cgroupfs like
podman --cgroup-manager=cgroupfs run --rm -it alpine
works.
mhm @rhatdan I’m only using cgroupv2, never used v1.
podman 1.9.4 worked fine using defaults
podman 2.0.6 stopped working using defaults but works with:
--cgroup-manager=cgroupfs
so the issue is in the too old systemd and that there is no way of creating a cgroup while being in a user namespace.
Were you using cgroup v1 before?
Does it work if you use the cgroupfs driver for podman?
podman --cgroup-manager cgroupfs ...
This just happened, and I got here in this comment. And running with
--cgroup-manager cgroupfs
works.
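The workaround from the comments above, written as a preflight check. This is an added example, not code from the thread or from the podman project. It emits `--cgroup-manager=cgroupfs` only for the combination reported here: rootless, cgroup v2 mounted on /sys/fs/cgroup, and an old systemd. The function names and the `MIN_SYSTEMD` cut-off are assumptions; the thread only establishes that systemd 237 and 241 fail.

```shell
#!/bin/sh
# Added example (not from the issue thread): choose the podman workaround flag
# for the "sd-bus call: Permission denied" failure reported above.

# Assumption: the thread only shows systemd 237 and 241 failing; this cut-off
# is a placeholder to adjust for your distribution.
MIN_SYSTEMD="${MIN_SYSTEMD:-242}"

# Read `systemctl --version` output on stdin, print the numeric version.
parse_systemd_version() {
    sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Read `mount` output on stdin; print "unified" if cgroup2 is mounted directly
# on /sys/fs/cgroup, otherwise "other" (cgroup v1 or the hybrid layout).
cgroup_mode_from_mounts() {
    if grep -q ' on /sys/fs/cgroup type cgroup2 '; then
        echo unified
    else
        echo other
    fi
}

# podman_cgroup_flag UID CGROUP_MODE SYSTEMD_VERSION
# Prints the extra podman argument, or nothing when defaults should be kept.
podman_cgroup_flag() {
    uid=$1 mode=$2 sdver=$3
    [ "$uid" -ne 0 ] || return 0         # the report says running as root works
    [ "$mode" = unified ] || return 0    # the thread only covers cgroup v2
    case $sdver in
        ''|*[!0-9]*) echo "unknown systemd version: '$sdver'" >&2; return 2 ;;
    esac
    if [ "$sdver" -lt "$MIN_SYSTEMD" ]; then
        echo "--cgroup-manager=cgroupfs"
    fi
}

# Constructed sample input, using the values quoted in the report.
sample_version='systemd 237'
sample_mount='cgroup on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)'
ver=$(printf '%s\n' "$sample_version" | parse_systemd_version)
mode=$(printf '%s\n' "$sample_mount" | cgroup_mode_from_mounts)
echo "podman $(podman_cgroup_flag 1000 "$mode" "$ver") run --rm edvgui/alpine-hello-world"

# On a live host:
#   podman_cgroup_flag "$(id -u)" "$(mount | cgroup_mode_from_mounts)" \
#       "$(systemctl --version | parse_systemd_version)"
```

With the cgroupfs manager podman writes the cgroup tree itself instead of asking systemd over D-Bus to create a scope, so the container no longer appears as a `libpod-*.scope` unit in `systemctl --user` output.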