Failed to receive console file descriptor Communication error on send (Rootless, above 4.7.2+) #22274
Comments
Likely related: #22441
Since the error happened above 4.7.2 and 4.8.2 is affected I believe this commit could be introducing the error: Fact is the error does not happen with a rootful container, so it seems to be isolated to rootless. What do you think @giuseppe ? It's odd this only happens on some machines, but it makes it impossible to update beyond 4.7.2.
Hi, just quickly looking into this. This may be fixed by #19927 (which I think is present in podman 4.9). So maybe the "fix" is to migrate to podman 4.9 or 5.0 if possible on your side. Podman 4.9 was just released for RHEL 8 and 9.
I just replaced that box (with fresh deploy) yesterday as there was no traction on this issue. No version was working above 4.7.2+. I tried all several times.
Issue Description
Been updating my dev server centos-stream-9 as usual and around the 4.8.2 version I started seeing these cryptic errors:
Both when building/running containers.
Initially I shrugged it off as being a temporary centos-stream-9 issue so I downgraded to 4.7.2 and a matching crun version (2.1.8?), I think this issue is related: containers/conmon#475
Now podman 5.0 is out I tried to upgrade the packages again, but the issue returned. I've tried all versions in-between available to centos-stream-9 and only 4.7.2 or earlier works.
podman run --log-level=debug -it --name netshoot --rm localhost/netshoot
with strace of interest is:
So after raising these limits manually
/etc/limits.d/ct.conf
There's another issue left:
journalctl contains:
Removing -it gives a different error (quite likely unrelated but #3024):
and journalctl
podman build . -t localhost/netshoot
HOWEVER
buildah bud -t localhost/netshoot .
works, so it's definitely related to podman or any of its dependencies like conmon.
Also if adding --cgroups=disabled it works.
I installed a fresh centos-stream-9 vm and could not reproduce
working fresh install cos9
podman info
podman --log-level=debug run -it --name netshoot --rm localhost/netshoot
podman build . -t localhost/netshoot
Works as expected on that fresh install.
What can the issue be? How can I debug this further? I don't use custom configurations such as containers.conf or similar, so they should work equally well.
Steps to reproduce the issue
It's periodic or a certain state, it can't be easily reproduced; it must come from updating through several podman versions and running containers.
Describe the results you received
Error: crun: sd-bus call: Interactive authentication required.: Permission denied: OCI permission denied
or
with --log-level=debug
or without -it
Describe the results you expected
Starting the container without errors
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
No
Additional environment details
Both machines have equal package versions
podman-5.0.0-1.el9
conmon-2.1.10-1.el9
crun-1.14.4-1.el9
conmon-2.1.10-1.el9
systemd-252-32.el9
Additional information
Also tried podman system prune, podman system reset, podman system migrate and moving entire .local/share/containers to a temp directory - still same issue.
Downgrading back to podman-4.7.2-2.el9 also works. ALL later versions are affected.