podman: Running privileged podman containers inside a docker container gives "Error: container_linux.go:367: starting container process caused: apply caps: operation not permitted: OCI runtime permission denied error"
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
- Running Podman inside a Docker Container with the --privileged tag gives the following error: Error: container_linux.go:367: starting container process caused: apply caps: operation not permitted: OCI runtime permission denied error
Steps to reproduce the issue:
- Dockerfile

FROM ubuntu:20.10
RUN apt-get update -y \
    && apt-get install -y \
        ca-certificates \
        libprotobuf-dev \
        libnl-route-3-dev \
        podman \
        runc \
        criu \
        vim
ARG DEBIAN_FRONTEND='noninteractive'
RUN apt-get install -y iptables-persistent
Build this image:

docker build . OR docker build < Dockerfile

- Run a docker container with --privileged tag

docker image ls - select the image ID and run
docker run --privileged -i -t --rm {IMAGE ID} /bin/bash

- Build the Alpine image

podman pull alpine
podman images - select the image ID and run
podman run --privileged --cgroup-manager="cgroupfs" --rm -it {IMAGE ID} /bin/sh
Describe the results you received:
Error: container_linux.go:367: starting container process caused: apply caps: operation not permitted: OCI runtime permission denied error
Describe the results you expected:
/ #
Additional information you deem important (e.g. issue happens only occasionally):
podman run --cap-drop=all --cgroup-manager="cgroupfs" --rm -it {IMAGE ID} /bin/sh results in the same error
Output of podman version:
Version: 2.0.6
API Version: 1
Go Version: go1.14.7
Built: Thu Jan 1 00:00:00 1970
OS/Arch: linux/amd64
Output of podman info --debug:
host:
  arch: amd64
  buildahVersion: 1.15.2
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.20, commit: unknown'
  cpus: 2
  distribution:
    distribution: ubuntu
    version: "20.10"
  eventLogger: file
  hostname: 6fc6a3d77e11
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.10.25-linuxkit
  linkmode: dynamic
  memFree: 829906944
  memTotal: 2084691968
  ociRuntime:
    name: runc
    package: 'runc: /usr/sbin/runc'
    path: /usr/sbin/runc
    version: |-
      runc version spec: 1.0.2-dev
      go: go1.14.7
      libseccomp: 2.5.1
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  rootless: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 991195136
  swapTotal: 1073737728
  uptime: 6h 47m 47.2s (Approximately 0.25 days)
registries:
  search:
  - quay.io
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus: {}
  imageStore:
    number: 1
  runRoot: /var/run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 1
  Built: 0
  BuiltTime: Thu Jan 1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.14.7
  OsArch: linux/amd64
  Version: 2.0.6
Package info (e.g. output of rpm -q podman or apt list podman):
root@6fc6a3d77e11:/test_dir# apt list podman -a
Listing... Done
podman/groovy-updates,now 2.0.6+dfsg1-1ubuntu1.2 amd64 [installed]
podman/groovy 2.0.6+dfsg1-1ubuntu1 amd64
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)
Yes
Additional environment details (AWS, VirtualBox, physical, etc.): macOS Catalina 10.15.7
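The error quoted in the report ("apply caps: operation not permitted") is what runc reports when applying the inner container's capability set fails, and the report notes that it persists even with --cap-drop=all. A quick way to confirm or rule out the most common cause of that error class, a capability missing from the outer container's bounding set, is to decode CapBnd from /proc/self/status inside the `docker run --privileged` shell before invoking podman. The script below is an added example, not part of the issue or of the podman project; the bit numbering follows the kernel's include/uapi/linux/capability.h, and the "required" list is an assumption (the podman 2.x default_capabilities from containers.conf), not something the issue states.

```shell
#!/bin/sh
# Added diagnostic (not from the issue): decode the capability bounding set of
# the current process and list which capabilities from a required set are absent.

# Capability names indexed by bit number, per the Linux kernel's
# include/uapi/linux/capability.h (bit 0 = CAP_CHOWN, bit 31 = CAP_SETFCAP, ...).
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW \
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT \
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE \
AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM \
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"

# ASSUMPTION: the set an inner container asks for by default. This is the
# podman 2.x default_capabilities list from containers.conf; adjust to match
# the runtime and version actually in use.
REQUIRED_CAPS="AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD \
NET_BIND_SERVICE NET_RAW SETFCAP SETGID SETPCAP SETUID SYS_CHROOT"

# cap_bit NAME -> prints the bit index of NAME; exit status 1 if unknown.
cap_bit() {
    i=0
    for n in $CAP_NAMES; do
        if [ "$n" = "$1" ]; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# cap_in_mask HEXMASK NAME -> exit status 0 if NAME's bit is set in HEXMASK
# (HEXMASK is the bare hex string as printed in /proc/self/status, no 0x).
cap_in_mask() {
    bit=$(cap_bit "$2") || return 1
    [ $(( (0x$1 >> bit) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK -> prints each required capability absent from HEXMASK,
# one per line; prints nothing when all of them are present.
missing_caps() {
    for c in $REQUIRED_CAPS; do
        cap_in_mask "$1" "$c" || echo "$c"
    done
}

# current_cap_bnd -> the CapBnd hex mask of this shell from /proc/self/status.
current_cap_bnd() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# Report on the calling shell's own bounding set.
main() {
    mask=$(current_cap_bnd)
    echo "CapBnd: $mask"
    missing=$(missing_caps "$mask")
    if [ -z "$missing" ]; then
        echo "all required capabilities are in the bounding set"
    else
        echo "missing from bounding set:"
        echo "$missing"
    fi
}

# Run the report only when invoked as: sh cap_bnd_check.sh --check
case "${1:-}" in
    --check) main ;;
esac
```

If the report shows no missing capability (a privileged Docker container normally carries a full bounding set such as 000001ffffffffff), the "apply caps" failure is not explained by the bounding set and the next things to compare are the seccomp profile and LSM labels the outer container was started with; if the report does list capabilities, add them to the outer `docker run` or trim what the inner container requests.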
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 22 (20 by maintainers)
Hey, thanks for letting me know! I have been experimenting with nested containers, so will it be okay if I submit a PR with some more info to https://github.com/containers/podman/blob/master/troubleshooting.md#13-running-podman-inside-a-container-causes-container-crashes-and-inconsistent-states