podman: [shared-state] Podman CLI crashes a container and corrupts podman state on the host, when executed inside (nested)
kind bug
Description
When the podman CLI is used from a privileged container, it works only once, then the container crashes
Steps to reproduce the issue:
- On a CentOS 7.5 box with:
  - permissive SELinux,
  - / created as xfs,
  - running kernel 3.10.0-862.11.6.el7.x86_64,
  - installed podman 0.9.4-dev (podman-0.9.3.1-3.gita3c4ce6.el7.x86_64), libseccomp 2.3.1-3.el7
  create a container:
sudo podman run -d --privileged -u root \
-v /etc/containers:/tmp/containers:ro \
-v /var/lib/containers:/var/lib/containers:rw \
-v /etc/yum.repos.d:/etc/yum.repos.d:ro \
-v /opt:/opt \
--name test centos:latest sleep 5000
- Install the required packages and configs into the running container (using the host versions/content):
sudo podman exec test yum -y install podman libseccomp
sudo podman exec test cp -af /tmp/containers /etc
- Check the podman CLI within the running container, then repeat the command again:
sudo podman exec test podman ps
sudo podman exec test podman ps
Describe the results you received:
The first command worked, then the container crashed (cannot exec into container that is not running):
sudo podman inspect test | jq '.[] .State'
{
"OciVersion": "1.0.1-dev",
"Status": "configured",
"Running": false,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 0,
"ExitCode": 0,
"Error": "",
"StartedAt": "2018-10-08T08:23:21.031667631Z",
"FinishedAt": "0001-01-01T00:00:00Z"
}
Then, all of the containers on the host start being shown as “Created” and nothing running (the host state for podman gets corrupted).
Describe the results you expected:
The container should keep running and serving podman CLI commands as if executed from the host. There should be a way to not mess with the host state for podman.
Additional information you deem important (e.g. issue happens only occasionally):
Output of podman version:
Version: 0.9.4-dev
Go Version: go1.10.2
OS/Arch: linux/amd64
Output of podman info:
host:
  BuildahVersion: 1.4-dev
  Conmon:
    package: podman-0.9.3.1-3.gita3c4ce6.el7.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.11.4, commit: 88d5276957861dea88b85f1d3f786612042cb4dd-dirty'
  Distribution:
    distribution: '"centos"'
    version: "7"
  MemFree: 384524288
  MemTotal: 8201936896
  OCIRuntime:
    package: runc-1.0.0-54.dev.git2abd837.el7.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.0'
  SwapFree: 4266651648
  SwapTotal: 8589930496
  arch: amd64
  cpus: 2
  hostname: undercloud.localdomain
  kernel: 3.10.0-862.11.6.el7.x86_64
  os: linux
  uptime: 91h 27m 11.39s (Approximately 3.79 days)
insecure registries:
  registries:
  - 192.168.24.1:8787
  - 192.168.24.3:8787
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ContainerStore:
    number: 271
  GraphDriverName: overlay
  GraphOptions:
  - overlay.override_kernel_check=true
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
  ImageStore:
    number: 43
  RunRoot: /var/run/containers/storage
Additional environment details (AWS, VirtualBox, physical, etc.):
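The `podman run` command in the report shares GraphRoot (/var/lib/containers) with the container but not RunRoot (/var/run/containers/storage), so the nested podman and the host podman disagree about runtime state. The following is an added example, not code from the issue or from the podman project: a POSIX sh check that takes `podman info` output and the bind-mount list and reports which store paths the container would not share. It only covers the two store paths `podman info` prints; the fix commit refers to the project's temporary directories more generally, so treat this as a minimum, not a complete list.

```shell
# Added example, not from the issue or the podman project: verify that the
# bind mounts given to `podman run` expose the host's GraphRoot and RunRoot
# (as printed by `podman info`) inside the container before running a nested
# podman. Assumption: mounts are given as "host:container[:opts]", one per line.

# Read a store path (GraphRoot or RunRoot) out of `podman info` text.
store_path() {  # $1 = key name, $2 = podman info output
  printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Succeed when some mount's host source equals $1 or is a parent of it.
covered() {  # $1 = host path, $2 = newline-separated mount list
  oldifs=$IFS; IFS='
'
  for m in $2; do
    src=${m%%:*}
    [ -n "$src" ] || continue      # skip malformed/empty entries
    case "$1" in
      "$src"|"${src%/}"/*) IFS=$oldifs; return 0 ;;
    esac
  done
  IFS=$oldifs
  return 1
}

# Print the store paths the mount list leaves out; return 1 if any are missing.
check_nested_mounts() {  # $1 = podman info output, $2 = mount list
  missing=""
  for key in GraphRoot RunRoot; do
    p=$(store_path "$key" "$1")
    covered "$p" "$2" || missing="$missing $key=$p"
  done
  [ -z "$missing" ] && return 0
  printf 'not shared with the container:%s\n' "$missing"
  return 1
}

# Constructed sample input, taken from the issue's `podman info` and `podman run`.
INFO_SAMPLE='store:
  GraphRoot: /var/lib/containers/storage
  RunRoot: /var/run/containers/storage'
MOUNTS_AS_FILED='/etc/containers:/tmp/containers:ro
/var/lib/containers:/var/lib/containers:rw
/etc/yum.repos.d:/etc/yum.repos.d:ro
/opt:/opt'
# Same list with the run root shared as well (the mount the filed command lacked).
MOUNTS_FIXED="$MOUNTS_AS_FILED
/var/run/containers:/var/run/containers:rw"
check_nested_mounts "$INFO_SAMPLE" "$MOUNTS_AS_FILED" || echo "as filed: state dirs diverge"
check_nested_mounts "$INFO_SAMPLE" "$MOUNTS_FIXED" && echo "fixed: store paths shared"
```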
About this issue
- State: closed
- Created 6 years ago
- Comments: 20 (12 by maintainers)
Commits related to this issue
- Update troubleshooting guide for Podman-in-Podman Add a small section on the bad things that can happen if you don't mount in our temporary directories. Fixes #1602 Signed-off-by: Matthew Heon <mat... — committed to mheon/libpod by mheon 5 years ago
- Update troubleshooting guide for Podman-in-Podman Add a small section on the bad things that can happen if you don't mount in our temporary directories. Fixes #1602 Signed-off-by: Matthew Heon <mat... — committed to muayyad-alsadi/libpod by mheon 5 years ago
or even “safer”:
# nsenter --all -t 1 podman ...
so you will really execute podman in the same namespaces as on the host and there should be no difference at all (with the chroot approach private mounts will not be propagated back)