[Bug] Configuration which works with crun 1.8.7 does not work with any version of 1.9.x #20200

Closed
Cellebyte opened this issue Sep 29, 2023 · 1 comment
Labels: kind/bug, locked - please file new issue/PR

Comments

Cellebyte commented Sep 29, 2023

Issue Description

fixed in #19843
and podman version 4.7.0

General Information:

I use docker-compose together with podman's socket for docker compatibility mode.

export DOCKER_HOST=unix:///run/user/1000/podman/podman.sock
export DOCKER_BUILDKIT=0 # to support the old build mode.

I use the following compose file.

version: '3.4'

services:
  bla:
    image: test
    build:
      context: .
      dockerfile: Dockerfile
      args:
        uid: 0
        gid: 0
    network_mode: host
    volumes: [] # some volumes
    environment: {} # some envs

together with this Dockerfile.

FROM python:3.10-slim-bullseye as bla
ENV PYTHONUSERBASE=/app/python
ARG uid
ARG gid
RUN test -n "$uid" || ( echo "build arg 'uid' not set"; false )
RUN test -n "$gid" || ( echo "build arg 'gid' not set"; false )
WORKDIR $PYTHONUSERBASE
# some install commands
WORKDIR /app/appuser
RUN groupadd -o -g $gid appuser && useradd --no-log-init -m -o -g appuser -u $uid appuser
USER appuser

Versions

~ docker-compose version
Docker Compose version 2.20.3
~ podman version
Client:       Podman Engine
Version:      4.6.2
API Version:  4.6.2
Go Version:   go1.21.0
Git Commit:   5db42e86862ef42c59304c38aa583732fd80f178-dirty
Built:        Tue Aug 29 23:19:21 2023
OS/Arch:      linux/amd64

Steps to reproduce the issue

  1. Build the image above using docker-compose build bla
  2. Run the image docker-compose run --rm bla python

Describe the results you received

~ crun --version
crun version 1.9.2
commit: 35274d346d2e9ffeacb22cc11590b0266a23d634
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJ

stderr after docker-compose run

unable to upgrade to tcp, received 409

podman socket log

Sep 29 07:45:43 t14s podman[2060]: time="2023-09-29T07:45:43+02:00" level=info msg="Request Failed(Conflict): preparing container 86e770fefd167b9374a7f794d93b0c0adf077628703a6285c072c2f31cb5f5d6 for attach: crun: write to `/proc/self/oom_score_adj`: Permission denied: OCI permission denied"

Describe the results you expected

crun version 1.8.7
commit: 53a9996ce82d1ee818349bdcc64797a1fa0433c4
rundir: /run/user/1000/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL

A normal running container in network mode host as my user.

podman socket log

Sep 29 08:21:16 t14s podman[14892]: time="2023-09-29T08:21:16+02:00" level=info msg="Running conmon under slice user.slice and unitName libpod-conmon-7895d685f1039aa0b2ac9915a334a713b4d608280f18cded507a3236f8c6b2f5.scope"
Sep 29 08:21:17 t14s podman[14892]: time="2023-09-29T08:21:17+02:00" level=info msg="Got Conmon PID as 15024"
Sep 29 08:21:17 t14s podman[14892]: 2023-09-29 08:21:17.024717632 +0200 CEST m=+0.408471848 container init 7895d685f1039aa0b2ac9915a334a713b4d608280f18cded507a3236f8c6b2f5 (image=localhost/bla:latest, name=repo-bla-run-3aa1b74af942, com.docker.compose.image.builder=classic, com.docker.compose.project.working_dir=/home/user/repo, com.docker.compose.version=2.20.3, com.docker.compose.slug=3aa1b74af9423717739310a8b9d27ac3ac025f4bdd47a2508ef624de8e41a3ab, com.docker.compose.depends_on=, com.docker.compose.oneoff=True, com.docker.compose.image=sha256:12f9a757eb144a64052194123f49745e10d1faed7f18d688d2a238edd3f08482, io.buildah.version=1.31.2, com.docker.compose.container-number=1, com.docker.compose.config-hash=c7613943899314a8817b00cb8ad2d7fe0caa321ac132fba633cd20aedb32c99d, com.docker.compose.project=network-definitions, com.docker.compose.service=bla, com.docker.compose.project.config_files=/home/user/repo/docker-compose.yaml)
Sep 29 08:21:17 t14s podman[14892]: 2023-09-29 08:21:17.02511555 +0200 CEST m=+0.408869756 container attach 7895d685f1039aa0b2ac9915a334a713b4d608280f18cded507a3236f8c6b2f5 (image=localhost/bla:latest, name=repo-bla-run-3aa1b74af942, com.docker.compose.depends_on=, com.docker.compose.image.builder=classic, com.docker.compose.slug=3aa1b74af9423717739310a8b9d27ac3ac025f4bdd47a2508ef624de8e41a3ab, com.docker.compose.config-hash=c7613943899314a8817b00cb8ad2d7fe0caa321ac132fba633cd20aedb32c99d, com.docker.compose.project=network-definitions, com.docker.compose.project.working_dir=/home/user/repo, com.docker.compose.version=2.20.3, com.docker.compose.project.config_files=/home/user/repo/docker-compose.yaml, com.docker.compose.oneoff=True, com.docker.compose.image=sha256:12f9a757eb144a64052194123f49745e10d1faed7f18d688d2a238edd3f08482, io.buildah.version=1.31.2, com.docker.compose.container-number=1, com.docker.compose.service=bla)
Sep 29 08:21:17 t14s podman[14892]: time="2023-09-29T08:21:17+02:00" level=info msg="Performing HTTP Hijack attach to container 7895d685f1039aa0b2ac9915a334a713b4d608280f18cded507a3236f8c6b2f5"
Sep 29 08:21:17 t14s podman[14892]: 2023-09-29 08:21:17.043679571 +0200 CEST m=+0.427433777 container start 7895d685f1039aa0b2ac9915a334a713b4d608280f18cded507a3236f8c6b2f5 (image=localhost/bla:latest, name=repo-bla-run-3aa1b74af942, com.docker.compose.config-hash=c7613943899314a8817b00cb8ad2d7fe0caa321ac132fba633cd20aedb32c99d, com.docker.compose.project.working_dir=/home/user/repo, com.docker.compose.service=bla, com.docker.compose.depends_on=, com.docker.compose.project=network-definitions, com.docker.compose.version=2.20.3, io.buildah.version=1.31.2, com.docker.compose.image.builder=classic, com.docker.compose.oneoff=True, com.docker.compose.slug=3aa1b74af9423717739310a8b9d27ac3ac025f4bdd47a2508ef624de8e41a3ab, com.docker.compose.project.config_files=/home/user/repo/docker-compose.yaml, com.docker.compose.container-number=1, com.docker.compose.image=sha256:12f9a757eb144a64052194123f49745e10d1faed7f18d688d2a238edd3f08482)
Sep 29 08:21:17 t14s podman[14892]: @ - - [29/Sep/2023:08:21:17 +0200] "POST /v1.41/containers/7895d685f1039aa0b2ac9915a334a713b4d608280f18cded507a3236f8c6b2f5/start HTTP/1.1" 204 0 "" "Docker-Client/unknown-version (linux)"
Sep 29 08:21:17 t14s podman[14892]: time="2023-09-29T08:21:17+02:00" level=info msg="Resizing TTY of container 7895d685f1039aa0b2ac9915a334a713b4d608280f18cded507a3236f8c6b2f5"
Sep 29 08:21:17 t14s podman[14892]: @ - - [29/Sep/2023:08:21:17 +0200] "POST /v1.41/containers/7895d685f1039aa0b2ac9915a334a713b4d608280f18cded507a3236f8c6b2f5/resize?h=56&w=206 HTTP/1.1" 200 0 "" "Docker-Client/unknown-version (linux)"
Sep 29 08:25:30 t14s podman[14892]: @ - - [29/Sep/2023:08:21:16 +0200] "POST /v1.41/containers/7895d685f1039aa0b2ac9915a334a713b4d608280f18cded507a3236f8c6b2f5/attach?stderr=1&stdin=1&stdout=1&stream=1 HTTP/1.1" 200 0 "" "Docker-Client/unknown-version (linux)"
Sep 29 08:25:30 t14s podman[14892]: time="2023-09-29T08:25:30+02:00" level=info msg="Request Failed(Not Found): no container with name or ID \"7895d685f1039aa0b2ac9915a334a713b4d608280f18cded507a3236f8c6b2f5\" found: no such container"
Sep 29 08:25:30 t14s podman[14892]: @ - - [29/Sep/2023:08:25:30 +0200] "POST /v1.41/containers/7895d685f1039aa0b2ac9915a334a713b4d608280f18cded507a3236f8c6b2f5/kill?signal=INT HTTP/1.1" 404 180 "" "Docker-Client/unknown-version (linux)"
Sep 29 08:25:30 t14s podman[14892]: @ - - [29/Sep/2023:08:21:17 +0200] "POST /v1.41/containers/7895d685f1039aa0b2ac9915a334a713b4d608280f18cded507a3236f8c6b2f5/wait?condition=removed HTTP/1.1" 200 32 "" "Docker-Client/unknown-version (linux)"
Sep 29 08:25:36 t14s systemd[920]: podman.service: Consumed 1.960s CPU time.

podman info output

host:
  arch: amd64
  buildahVersion: 1.31.2
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.8-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.8, commit: 00e08f4a9ca5420de733bf542b930ad58e1a7e7d'
  cpuUtilization:
    idlePercent: 90.7
    systemPercent: 3.51
    userPercent: 5.79
  cpus: 16
  databaseBackend: boltdb
  distribution:
    distribution: manjaro
    version: unknown
  eventLogger: journald
  freeLocks: 2005
  hostname: t14s
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65537
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65537
  kernel: 6.1.55-1-MANJARO
  linkmode: dynamic
  logDriver: journald
  memFree: 15345647616
  memTotal: 32837406720
  networkBackend: cni
  networkBackendInfo:
    backend: cni
    dns:
      package: /usr/lib/cni/dnsname is owned by podman-dnsname 1.3.1-2
      path: /usr/lib/cni/dnsname
      version: |-
        CNI dnsname plugin
        version: 1.3.1
        commit: 18822f9a4fb35d1349eb256f4cd2bfd372474d84
    package: |-
      /usr/lib/cni/ is owned by cni-plugins 1.3.0-1
      /usr/lib/cni/ is owned by podman-dnsname 1.3.1-2
    path: /usr/lib/cni
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.8.7-1
    path: /usr/bin/crun
    version: |-
      crun version 1.8.7
      commit: 53a9996ce82d1ee818349bdcc64797a1fa0433c4
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.2-1
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 35433476096
  swapTotal: 35433476096
  uptime: 0h 33m 31.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /home/cellebyte/.config/containers/storage.conf
  containerStore:
    number: 29
    paused: 0
    running: 0
    stopped: 29
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/cellebyte/.local/share/containers/storage
  graphRootAllocated: 1023669174272
  graphRootUsed: 379187265536
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1668
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/cellebyte/.local/share/containers/storage/volumes
version:
  APIVersion: 4.6.2
  Built: 1693343961
  BuiltTime: Tue Aug 29 23:19:21 2023
  GitCommit: 5db42e86862ef42c59304c38aa583732fd80f178-dirty
  GoVersion: go1.21.0
  Os: linux
  OsArch: linux/amd64
  Version: 4.6.2

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

No response

Additional information

A similar error was already discussed in

Cellebyte added the kind/bug label Sep 29, 2023

Luap99 (Member) commented Sep 29, 2023

Duplicate of #19930

Luap99 marked this as a duplicate of #19930 Sep 29, 2023
Luap99 closed this as not planned Sep 29, 2023
github-actions bot added the locked - please file new issue/PR label Dec 29, 2023
github-actions bot locked as resolved and limited conversation to collaborators Dec 29, 2023