podman: Root/rootless Error: OCI runtime error: container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Steps to reproduce the issue:
- From the documentation I followed these steps to install/update podman:

sudo dnf -y module disable container-tools
sudo dnf -y install 'dnf-command(copr)'
sudo dnf -y copr enable rhcontainerbot/container-selinux
sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8_Stream/devel:kubic:libcontainers:stable.repo
sudo dnf -y install podman

- podman run -it --rm --name alpine2 alpine
Error: OCI runtime error: container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"

- sudo podman run -it --rm --name alpine2 alpine
Error: OCI runtime error: container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"
Describe the results you received: The container does not run; I think it is a cgroups problem or a seccomp problem with the compiled version.
Here is the debug output:
$ podman --log-level debug run -it --rm --name alpine2 alpine
INFO[0000] podman filtering at log level debug
DEBU[0000] Called run.PersistentPreRunE(podman --log-level debug run -it --rm --name alpine2 alpine)
DEBU[0000] Reading configuration file "/usr/share/containers/containers.conf"
DEBU[0000] Merged system config "/usr/share/containers/containers.conf": &{Containers:{Devices:[] Volumes:[] ApparmorProfile:containers-default-0.29.0 Annotations:[] CgroupNS:host Cgroups:enabled DefaultCapabilities:[CHOWN DAC_OVERRIDE FOWNER FSETID KILL NET_BIND_SERVICE SETFCAP SETGID SETPCAP SETUID SYS_CHROOT] DefaultSysctls:[net.ipv4.ping_group_range=0 0] DefaultUlimits:[] DefaultMountsFile: DNSServers:[] DNSOptions:[] DNSSearches:[] EnableKeyring:true EnableLabeling:false Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin TERM=xterm] EnvHost:false HTTPProxy:false Init:false InitPath: IPCNS:private LogDriver:k8s-file LogSizeMax:-1 NetNS:slirp4netns NoHosts:false PidsLimit:2048 PidNS:private SeccompProfile:/usr/share/containers/seccomp.json ShmSize:65536k TZ: Umask:0022 UTSNS:private UserNS:host UserNSSize:65536} Engine:{ImageBuildFormat:oci CgroupCheck:false CgroupManager:cgroupfs ConmonEnvVars:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] ConmonPath:[/usr/libexec/podman/conmon /usr/local/libexec/podman/conmon /usr/local/lib/podman/conmon /usr/bin/conmon /usr/sbin/conmon /usr/local/bin/conmon /usr/local/sbin/conmon /run/current-system/sw/bin/conmon] DetachKeys:ctrl-p,ctrl-q EnablePortReservation:true Env:[] EventsLogFilePath:/run/user/1000/libpod/tmp/events/events.log EventsLogger:journald HooksDir:[/usr/share/containers/oci/hooks.d] ImageDefaultTransport:docker:// InfraCommand: InfraImage:k8s.gcr.io/pause:3.2 InitPath:/usr/libexec/podman/catatonit LockType:shm MultiImageArchive:false Namespace: NetworkCmdPath: NoPivotRoot:false NumLocks:2048 OCIRuntime:runc OCIRuntimes:map[crun:[/usr/bin/crun /usr/sbin/crun /usr/local/bin/crun /usr/local/sbin/crun /sbin/crun /bin/crun /run/current-system/sw/bin/crun] kata:[/usr/bin/kata-runtime /usr/sbin/kata-runtime /usr/local/bin/kata-runtime /usr/local/sbin/kata-runtime /sbin/kata-runtime /bin/kata-runtime /usr/bin/kata-qemu /usr/bin/kata-fc] runc:[/usr/bin/runc /usr/sbin/runc /usr/local/bin/runc /usr/local/sbin/runc /sbin/runc /bin/runc /usr/lib/cri-o-runc/sbin/runc /run/current-system/sw/bin/runc]] PullPolicy:missing Remote:false RemoteURI: RemoteIdentity: ActiveService: ServiceDestinations:map[] RuntimePath:[] RuntimeSupportsJSON:[crun runc] RuntimeSupportsNoCgroups:[crun] RuntimeSupportsKVM:[kata kata-runtime kata-qemu kata-fc] SetOptions:{StorageConfigRunRootSet:false StorageConfigGraphRootSet:false StorageConfigGraphDriverNameSet:false StaticDirSet:false VolumePathSet:false TmpDirSet:false} SignaturePolicyPath:/etc/containers/policy.json SDNotify:false StateType:3 StaticDir:/home/cloud/.local/share/containers/storage/libpod StopTimeout:10 TmpDir:/run/user/1000/libpod/tmp VolumePath:/home/cloud/.local/share/containers/storage/volumes} Network:{CNIPluginDirs:[/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin] DefaultNetwork:podman NetworkConfigDir:/home/cloud/.config/cni/net.d}}
DEBU[0000] Using conmon: "/usr/bin/conmon"
DEBU[0000] Initializing boltdb state at /home/cloud/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /home/cloud/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000/containers
DEBU[0000] Using static dir /home/cloud/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /home/cloud/.local/share/containers/storage/volumes
DEBU[0000] Set libpod namespace to ""
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] overlay: mount_program=/usr/bin/fuse-overlayfs
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false
DEBU[0000] Initializing event backend journald
DEBU[0000] using runtime "/usr/bin/runc"
WARN[0000] Error initializing configured OCI runtime crun: no valid executable found for OCI runtime crun: invalid argument
WARN[0000] Error initializing configured OCI runtime kata: no valid executable found for OCI runtime kata: invalid argument
INFO[0000] Setting parallel job count to 7
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf"
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/shortnames.conf"
DEBU[0000] parsed reference into "[overlay@/home/cloud/.local/share/containers/storage+/run/user/1000/containers:overlay.mount_program=/usr/bin/fuse-overlayfs]@d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0"
DEBU[0000] exporting opaque data as blob "sha256:d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0"
DEBU[0000] parsed reference into "[overlay@/home/cloud/.local/share/containers/storage+/run/user/1000/containers:overlay.mount_program=/usr/bin/fuse-overlayfs]@d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0"
DEBU[0000] exporting opaque data as blob "sha256:d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0"
DEBU[0000] using systemd mode: false
DEBU[0000] setting container name alpine2
DEBU[0000] No hostname set; container's hostname will default to runtime default
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json"
DEBU[0000] Allocated lock 0 for container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb
DEBU[0000] parsed reference into "[overlay@/home/cloud/.local/share/containers/storage+/run/user/1000/containers:overlay.mount_program=/usr/bin/fuse-overlayfs]@d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0"
DEBU[0000] exporting opaque data as blob "sha256:d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0"
DEBU[0000] created container "bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb"
DEBU[0000] container "bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb" has work directory "/home/cloud/.local/share/containers/storage/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata"
DEBU[0000] container "bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb" has run directory "/run/user/1000/containers/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata"
DEBU[0000] Handling terminal attach
DEBU[0000] overlay: mount_data=lowerdir=/home/cloud/.local/share/containers/storage/overlay/l/LXWXXVXZTMKX3KSZEJHXNWEW2K,upperdir=/home/cloud/.local/share/containers/storage/overlay/9d060ecd9149f77d9325b2a341b1f8ddd19b4e206b15cc50c5f2b18d8f38d4d5/diff,workdir=/home/cloud/.local/share/containers/storage/overlay/9d060ecd9149f77d9325b2a341b1f8ddd19b4e206b15cc50c5f2b18d8f38d4d5/work
DEBU[0000] Made network namespace at /run/user/1000/netns/cni-a27b19fb-8174-0100-6475-a176b147f45d for container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb
DEBU[0000] mounted container "bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb" at "/home/cloud/.local/share/containers/storage/overlay/9d060ecd9149f77d9325b2a341b1f8ddd19b4e206b15cc50c5f2b18d8f38d4d5/merged"
DEBU[0000] slirp4netns command: /usr/bin/slirp4netns --disable-host-loopback --mtu 65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/cni-a27b19fb-8174-0100-6475-a176b147f45d tap0
DEBU[0000] Created root filesystem for container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb at /home/cloud/.local/share/containers/storage/overlay/9d060ecd9149f77d9325b2a341b1f8ddd19b4e206b15cc50c5f2b18d8f38d4d5/merged
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode secret
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d
DEBU[0000] Created OCI spec for container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb at /home/cloud/.local/share/containers/storage/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata/config.json
DEBU[0000] /usr/bin/conmon messages will be logged to syslog
DEBU[0000] running conmon: /usr/bin/conmon args="[--api-version 1 -c bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb -u bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb -r /usr/bin/runc -b /home/cloud/.local/share/containers/storage/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata -p /run/user/1000/containers/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata/pidfile -n alpine2 --exit-dir /run/user/1000/libpod/tmp/exits --socket-dir-path /run/user/1000/libpod/tmp/socket -l k8s-file:/home/cloud/.local/share/containers/storage/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata/ctr.log --log-level debug --syslog -t --conmon-pidfile /run/user/1000/containers/overlay-containers/bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/cloud/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /run/user/1000/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg cgroupfs --exit-command-arg --tmpdir --exit-command-arg /run/user/1000/libpod/tmp --exit-command-arg --runtime --exit-command-arg runc --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --storage-opt --exit-command-arg overlay.mount_program=/usr/bin/fuse-overlayfs --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg --syslog --exit-command-arg true --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb]"
WARN[0000] Failed to add conmon to cgroupfs sandbox cgroup: error creating cgroup for blkio: mkdir /sys/fs/cgroup/blkio/libpod_parent: permission denied
DEBU[0000] Received: -1
DEBU[0000] Cleaning up container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb
DEBU[0000] Tearing down network namespace at /run/user/1000/netns/cni-a27b19fb-8174-0100-6475-a176b147f45d for container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb
DEBU[0000] Error unmounting /home/cloud/.local/share/containers/storage/overlay/9d060ecd9149f77d9325b2a341b1f8ddd19b4e206b15cc50c5f2b18d8f38d4d5/merged with fusermount3 - exec: "fusermount3": executable file not found in $PATH
DEBU[0000] unmounted container "bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb"
DEBU[0000] Removing container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb
DEBU[0000] Removing all exec sessions for container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb
DEBU[0000] Cleaning up container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb
DEBU[0000] Network is already cleaned up, skipping...
DEBU[0000] Container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb storage is already unmounted, skipping...
DEBU[0000] Container bac8d9f51bf7a6546539530680629a4d8d0696d4d1014ebe2f7b8ceea4910ffb storage is already unmounted, skipping...
DEBU[0000] ExitCode msg: "time=\"2020-11-25t00:51:14-04:00\" level=error msg=\"container_linux.go:349: starting container process caused \\\"error adding seccomp rule for syscall socket: requested action matches default action of filter\\\"\"\ncontainer_linux.go:349: starting container process caused \"error adding seccomp rule for syscall socket: requested action matches default action of filter\": oci runtime error"
Error: OCI runtime error: time="2020-11-25T00:51:14-04:00" level=error msg="container_linux.go:349: starting container process caused \"error adding seccomp rule for syscall socket: requested action matches default action of filter\""
container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"
Describe the results you expected: It will run without any problem, as it does in Fedora.
Additional information you deem important (e.g. issue happens only occasionally):
Output of podman version:
podman version
Version: 2.2.0-rc2
API Version: 2.1.0
Go Version: go1.13.15
Built: Tue Nov 24 09:13:57 2020
OS/Arch: linux/amd64
Output of podman info --debug:
host:
  arch: amd64
  buildahVersion: 1.18.0
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.21-1.el8.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.21, commit: 8c7a48ca7c926e747381f0c9c4cd294554a6f831-dirty'
  cpus: 2
  distribution:
    distribution: '"centos"'
    version: "8"
  eventLogger: journald
  hostname: test
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 4.18.0-193.28.1.el8_2.x86_64
  linkmode: dynamic
  memFree: 1227288576
  memTotal: 3961745408
  ociRuntime:
    name: runc
    package: runc-1.0.0-65.rc10.module_el8.2.0+305+5e198a41.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-0.4.2-3.git21fdece.module_el8.2.0+305+5e198a41.x86_64
    version: |-
      slirp4netns version 0.4.2+dev
      commit: 21fdece2737dc24ffa3f01a341b8a6854f8b13b4
  swapFree: 4265603072
  swapTotal: 4265603072
  uptime: 33m 27.38s
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /home/cloud/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-0.7.2-5.module_el8.2.0+305+5e198a41.x86_64
      Version: |-
        fuse-overlayfs: version 0.7.2
        FUSE library version 3.2.1
        using FUSE kernel interface version 7.26
  graphRoot: /home/cloud/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 2
  runRoot: /run/user/1000/containers
  volumePath: /home/cloud/.local/share/containers/storage/volumes
version:
  APIVersion: 2.1.0
  Built: 1606223637
  BuiltTime: Tue Nov 24 09:13:57 2020
  GitCommit: ""
  GoVersion: go1.13.15
  OsArch: linux/amd64
  Version: 2.2.0-rc2
Package info (e.g. output of rpm -q podman or apt list podman):
podman-2.2.0-0.6.rc2.el8.x86_64
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?
Yes
Additional environment details (AWS, VirtualBox, physical, etc.):
VMware VM
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 17 (5 by maintainers)
Commits related to this issue
- fix for podman in centos after upgrade to newest version and update runc, https://github.com/containers/podman/issues/8472 — committed to ricardo-rod/podman.io by ricardo-rod 4 years ago
- fix for podman in centos after upgrade to newest version and update runc, https://github.com/containers/podman/issues/8472 (#318) — committed to containers/podman.io_old by ricardo-rod 4 years ago
- Update runc to 1.0.0_rc92 Summary: Update runc to 1.0.0_rc92 The purpose of this update is mostly to make sure that new version of Podman can still function normally, see [this](https://github.com/co... — committed to solus-packages/runc by chax 3 years ago
Just pass --security-opt seccomp=unconfined when starting the container and the error no longer appears.
I think it's caused by the runc version being too old. Refer to this: https://github.com/containers/podman/issues/8055#issuecomment-711672614
Yeah, the argument --security-opt=seccomp=unconfined helps to bypass the issue when running a container (podman version 2.2.1 on CentOS 7).

I fixed the issue by changing the runtime to crun in the containers.conf file. Then podman ran correctly.

Container engines will read containers.conf files in up to three locations in the following order:
/usr/share/containers/containers.conf
/etc/containers/containers.conf
$HOME/.config/containers/containers.conf (Rootless containers ONLY)

I copied the file /usr/share/containers/containers.conf to $HOME/.config/containers/containers.conf, because I ran rootless containers. Then I edited the runtime line to runtime="crun".
Source: https://serverfault.com/a/1046063/365845
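The runtime switch described in the comment above, done as a script instead of by hand. This is an added example, not code from the issue, the serverfault answer or the podman project. It assumes the stock system config at /usr/share/containers/containers.conf, which ships the runtime key commented out as `#runtime = "runc"` inside the `[engine]` table, and it honours XDG_CONFIG_HOME for the per-user file; the function and file names are the example's own. The edit is confined to the `[engine]` table so that keys such as `runtime_supports_json` and the `[engine.runtimes]` table are left untouched.

```shell
#!/bin/sh
# Added example (not from the issue or the podman project): point rootless
# podman at crun by editing a per-user containers.conf.
# Assumptions: system config at /usr/share/containers/containers.conf, TOML
# layout with an [engine] table that may carry a commented "#runtime = ..." line.
set -eu

# set_engine_runtime CONF RUNTIME
# Rewrites CONF in place so the [engine] table contains runtime = "RUNTIME":
#  - an active or commented runtime line inside [engine] is replaced
#  - if [engine] has no runtime line, one is inserted before the next table
#  - if there is no [engine] table at all, one is appended at the end
set_engine_runtime() {
    conf=$1
    rt=$2
    tmp=$(mktemp)
    awk -v rt="$rt" '
        /^[[:space:]]*\[/ {
            # leaving [engine] without having emitted a runtime line: add one
            if (in_engine && !done) { print "runtime = \"" rt "\""; done = 1 }
            in_engine = ($0 ~ /^[[:space:]]*\[engine\]/)
            seen_engine = seen_engine || in_engine
            print; next
        }
        in_engine && /^[[:space:]]*#?[[:space:]]*runtime[[:space:]]*=/ {
            # "runtime_supports_json = ..." does not match: "_" follows "runtime"
            if (!done) { print "runtime = \"" rt "\""; done = 1 }
            next   # drop the commented template line and any duplicate
        }
        { print }
        END {
            if (!seen_engine) print "\n[engine]"
            if (!done) print "runtime = \"" rt "\""
        }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # write through the existing file to keep its mode
    rm -f "$tmp"
}

# engine_runtime CONF: print the active runtime value from [engine], if any
engine_runtime() {
    awk '
        /^[[:space:]]*\[/ { in_engine = ($0 ~ /^[[:space:]]*\[engine\]/); next }
        in_engine && /^[[:space:]]*runtime[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*"/, ""); sub(/".*$/, ""); print; exit
        }
    ' "$1"
}

# Rootless podman reads $HOME/.config/containers/containers.conf last, so the
# change applies only to this user and needs no root privileges.
main() {
    user_conf="${XDG_CONFIG_HOME:-$HOME/.config}/containers/containers.conf"
    mkdir -p "$(dirname "$user_conf")"
    [ -f "$user_conf" ] || cp /usr/share/containers/containers.conf "$user_conf"
    set_engine_runtime "$user_conf" crun
    echo "runtime in $user_conf is now: $(engine_runtime "$user_conf")"
    # Confirm what podman actually picked up (needs podman and crun installed):
    #   podman info --format '{{.Host.OCIRuntime.Name}} {{.Host.OCIRuntime.Version}}'
}

# Only apply when explicitly asked, so the functions can be sourced safely.
case "${1:-}" in --apply) main ;; esac
```

Run it as `sh set-podman-runtime.sh --apply`, then re-run the failing `podman run` and check `podman info` reports crun. Unlike `--security-opt seccomp=unconfined`, which removes the seccomp filter from the container entirely, changing the runtime (or updating runc) keeps the default profile in force.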
Yes, please update to the latest runc or move to crun.