volume bind mount fails w/ "permission denied" using rootful Podman >= 5.2.0 and userns=auto (git bisected)
Description
With Podman commit c81f075f436466092372dec7a19c35fe387fe8d3 ("libpod: do not chmod bind mounts"), which is included in release 5.2.0-rc1 and above, runsc fails to bind mount volumes in certain cases with permission denied errors.
In my case, I have a custom container with an unprivileged user that has several (partly nested) VOLUMEs defined in its BUILDFILE. I have the (local) volumes created with the appropriate sub(u|g)ids and run the container w/ userns=auto and mount the volumes accordingly. Everything in the container is run as the unprivileged user.
This worked fine w/ runsc and Podman up to release 5.1.2. It fails w/ the 5.2 branch. It does work absolutely fine, though, with either runc or crun, no matter what Podman version.
Steps to reproduce
This is the most compact reproducer I could come up with.
Everything as root:
- Add "containers:100000:131072" to /etc/subuid and /etc/subgid
- podman volume create --opt o=uid=100001,gid=100001 bugtest-volume
- podman run --userns=auto:size=65536 -v bugtest-volume:/home/bugtest --runtime=runsc --rm -it alpine sh -c "ls -ln /home"
This will cause a permission denied error with Podman >= 5.2.0-rc1.
With crun/runc, you will see the correct directory listing:
total 4
drwxr-xr-x 2 1 1 4096 Oct 15 05:53 bugtest
runsc version
runsc --version
runsc version release-20241007.0-32-ga81ec225dce9 spec: 1.1.0-rc.1
podman --version
podman version 5.2.4
docker version (if using docker)
No response
uname
Linux TARDIS 6.11.3-gentoo-241010-r1 #1 SMP PREEMPT_DYNAMIC Thu Oct 10 16:36:50 CEST 2024 x86_64 Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz GenuineIntel GNU/Linux
kubectl (if using Kubernetes)
No response
repo state (if built from source)
No response
runsc debug logs (if available)
No response
After doing more research, it is required to use the new mount API in runsc which is far more flexible but also a bit more involved.
Here is a very good article about it by Microsoft's Christian Brauner and here is how runc implemented it initially.
It seems that open_tree was added to the kernel w/ v3.3 and OPEN_TREE_CLONE came w/ v5.19 (July 2022). So both should be more than safe to use nowadays.
I would have taken a stab at implementing this myself in runsc but this is a bit too critical for me to touch since I don't have a deep overview of all the bits and pieces involved.
Nevertheless, if there is any way I actually can help with this, please let me know, since this blocks my usage of runsc at the moment and I have to use crun/runc again for now, which is far from ideal for my use case. :-(
I have taken the liberty to also report this over at podman's issue tracker.
After doing more research, it is required to use the new mount API in runsc which is far more flexible but also a bit more involved.
I think the key point isn't the new mount API, but rather the ability for a container init process to request and receive file descriptors for mounts from its parent process: https://github.com/opencontainers/runc/commit/ba0b5e26989f39d0bdadeeff38182902df781df6#diff-f0214a0f16408fc7f168c6fc9837d189590025cc1813ebf7c1d751136936dfbfR630
I cannot say much about the referenced (huge) commit, unfortunately. But as an update, I haven't been able to find any workaround to this yet, except for downgrading podman or reversing the change -- both not really desirable or easy, respectively.
Is there any chance this will get fixed on runsc's side? It looks more and more like this will require quite a bit of work and will probably not be something that gets fixed in the near future?
I just posted the following over at the podman issue which is naturally also relevant here, so I hope nobody minds me shamelessly being lazy:
Ok, the problem is even more serious than I initially noticed, since I always tried just my test case, but runsc no longer works with podman >= 5.2.0-rc1 -- period.
# podman run --runtime=runsc --rm -it alpine sh
Error: OCI runtime error: runsc: creating container: cannot create sandbox: cannot read client sync file: waiting for sandbox to start: EOF
This is from the log of the gofer process which fails:
W1023 08:17:45.985373 1 specutils.go:127] noNewPrivileges ignored. PR_SET_NO_NEW_PRIVS is assumed to always be set.
I1023 08:17:45.985882 1 gofer.go:513] Mounting src: "/var/lib/containers/storage/overlay-containers/3bd085dc41322703a52212a3090ee44114a836544c76a85c4138084bd834d6c9/userdata/shm", dst: "/proc/fs/root/dev/shm", flags: 0x100e
W1023 08:17:45.985982 1 util.go:64] FATAL ERROR: error setting up FS: mounting {Destination:/dev/shm Type:bind Source:/var/lib/containers/storage/overlay-containers/3bd085dc41322703a52212a3090ee44114a836544c76a85c4138084bd834d6c9/userdata/shm Options:[bind rprivate nosuid noexec nodev] UIDMappings:[] GIDMappings:[]}: stat("/var/lib/containers/storage/overlay-containers/3bd085dc41322703a52212a3090ee44114a836544c76a85c4138084bd834d6c9/userdata/shm") failed: stat /var/lib/containers/storage/overlay-containers/3bd085dc41322703a52212a3090ee44114a836544c76a85c4138084bd834d6c9/userdata/shm: permission denied
error setting up FS: mounting {Destination:/dev/shm Type:bind Source:/var/lib/containers/storage/overlay-containers/3bd085dc41322703a52212a3090ee44114a836544c76a85c4138084bd834d6c9/userdata/shm Options:[bind rprivate nosuid noexec nodev] UIDMappings:[] GIDMappings:[]}: stat("/var/lib/containers/storage/overlay-containers/3bd085dc41322703a52212a3090ee44114a836544c76a85c4138084bd834d6c9/userdata/shm") failed: stat /var/lib/containers/storage/overlay-containers/3bd085dc41322703a52212a3090ee44114a836544c76a85c4138084bd834d6c9/userdata/shm: permission denied
The error varies from try to try. Here is another one:
W1023 08:21:34.475990 1 specutils.go:127] noNewPrivileges ignored. PR_SET_NO_NEW_PRIVS is assumed to always be set.
I1023 08:21:34.476296 1 gofer.go:513] Mounting src: "/run/containers/storage/overlay-containers/69a22ee4afda75ba1121466e934fa30f6b2b00fb2b75ed83e32a105704c3b225/userdata/hosts", dst: "/proc/fs/root/etc/hosts", flags: 0x1000
W1023 08:21:34.476335 1 util.go:64] FATAL ERROR: error setting up FS: mounting {Destination:/etc/hosts Type:bind Source:/run/containers/storage/overlay-containers/69a22ee4afda75ba1121466e934fa30f6b2b00fb2b75ed83e32a105704c3b225/userdata/hosts Options:[bind rprivate] UIDMappings:[] GIDMappings:[]}: stat("/run/containers/storage/overlay-containers/69a22ee4afda75ba1121466e934fa30f6b2b00fb2b75ed83e32a105704c3b225/userdata/hosts") failed: stat /run/containers/storage/overlay-containers/69a22ee4afda75ba1121466e934fa30f6b2b00fb2b75ed83e32a105704c3b225/userdata/hosts: permission denied
error setting up FS: mounting {Destination:/etc/hosts Type:bind Source:/run/containers/storage/overlay-containers/69a22ee4afda75ba1121466e934fa30f6b2b00fb2b75ed83e32a105704c3b225/userdata/hosts Options:[bind rprivate] UIDMappings:[] GIDMappings:[]}: stat("/run/containers/storage/overlay-containers/69a22ee4afda75ba1121466e934fa30f6b2b00fb2b75ed83e32a105704c3b225/userdata/hosts") failed: stat /run/containers/storage/overlay-containers/69a22ee4afda75ba1121466e934fa30f6b2b00fb2b75ed83e32a105704c3b225/userdata/hosts: permission denied
Suffice it to say, crun/runc naturally work perfectly fine.
Just in case it gets asked, here are the permissions for the directories:
drwxr-xr-x 5 root root 4096 Oct 23 08:15 /var/lib/containers/
drwxr-xr-x 2 root root 4096 Oct 12 2023 /var/lib/containers/sigstore
drwx------ 2 root root 4096 Oct 23 08:15 /var/lib/containers/cache
drwx------ 8 root root 4096 Oct 23 08:21 /var/lib/containers/storage
drwx------ 2 root root 4096 Oct 23 08:21 /var/lib/containers/storage/overlay-containers
drwx------ 3 root root 4096 Oct 23 08:15 /var/lib/containers/storage/overlay-images
drwx------ 2 root root 4096 Oct 23 08:15 /var/lib/containers/storage/overlay-images/91ef0af61f39ece4d6710e465df5ed6ca12112358344fd51ae6a3b886634148b
drwxr-xr-x 4 root root 4096 Oct 23 08:21 /var/lib/containers/storage/overlay
drwx------ 6 root root 4096 Oct 23 08:15 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85
dr-xr-xr-x 19 root root 4096 Oct 23 08:15 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff
drwxr-xr-x 7 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/bin
drwxr-xr-x 6 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/misc
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/udhcpc
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/man
drwxr-xr-x 3 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/apk
drwxr-xr-x 11 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/apk/keys
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/apk/keys/riscv64
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/apk/keys/aarch64
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/apk/keys/armv7
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/apk/keys/armhf
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/apk/keys/x86
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/apk/keys/ppc64le
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/apk/keys/mips64
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/apk/keys/s390x
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/share/apk/keys/x86_64
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/sbin
drwxr-xr-x 5 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/lib
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/lib/modules-load.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/lib/engines-3
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/lib/ossl-modules
drwxr-xr-x 5 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/local
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/local/bin
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/local/share
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/usr/local/lib
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/dev
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/srv
drwxr-xr-x 12 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/mail
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/opt
drwxr-xr-x 4 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/cache
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/cache/misc
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/cache/apk
drwxr-xr-x 3 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/spool
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/spool/cron
drwxrwxrwt 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/tmp
drwxr-xr-x 3 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/lock
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/lock/subsys
drwxr-xr-x 3 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/lib
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/lib/misc
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/local
dr-xr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/empty
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/var/log
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/opt
dr-xr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/proc
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/bin
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/mnt
drwxrwxrwt 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/tmp
drwxr-xr-x 17 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/profile.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/opt
drwxr-xr-x 8 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/network
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/network/if-pre-down.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/network/if-up.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/network/if-post-up.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/network/if-post-down.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/network/if-down.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/network/if-pre-up.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/modules-load.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/ssl1.1
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/udhcpc
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/crontabs
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/logrotate.d
drwxr-xr-x 2 root root 4096 Sep 6 13:33 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/secfixes.d
drwxr-xr-x 4 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/apk
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/apk/protected_paths.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/apk/keys
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/modprobe.d
drwxr-xr-x 4 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/ssl
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/ssl/private
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/ssl/certs
drwxr-xr-x 7 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/periodic
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/periodic/daily
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/periodic/weekly
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/periodic/15min
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/periodic/monthly
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/periodic/hourly
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/sysctl.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/etc/busybox-paths.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/sbin
drwxr-xr-x 6 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/lib
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/lib/modules-load.d
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/lib/firmware
drwxr-xr-x 4 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/lib/apk
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/lib/apk/exec
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/lib/apk/db
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/lib/sysctl.d
drwx------ 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/root
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/sys
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/run
drwxr-xr-x 5 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/media
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/media/cdrom
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/media/usb
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/media/floppy
drwxr-xr-x 2 root root 4096 Sep 6 13:34 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/diff/home
drwx------ 2 root root 4096 Oct 23 08:15 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/work
drwx------ 2 root root 4096 Oct 23 08:15 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/empty
drwx------ 2 root root 4096 Oct 23 08:15 /var/lib/containers/storage/overlay/63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85/merged
drwxr-xr-x 2 root root 4096 Oct 23 08:21 /var/lib/containers/storage/overlay/l
drwx------ 2 root root 4096 Oct 23 08:15 /var/lib/containers/storage/volumes
drwx------ 2 root root 4096 Oct 23 08:21 /var/lib/containers/storage/overlay-layers
drwx------ 2 root root 4096 Oct 23 08:15 /var/lib/containers/storage/libpod
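To relate the listing above to the gofer's stat() failures, here is an added diagnostic helper (example code, not from the issue, from Podman or from gVisor) that walks the ancestors of a path and reports the first directory whose classic mode bits deny search (x) permission to a given uid/gid. Run against one of the failing paths with an uid from the auto-mapped range (100000 is an assumed value below; the thread does not state which host uid the gofer ends up running as), it stops at /var/lib/containers/storage, which the listing shows as 0700 root:root. It assumes GNU stat -c, ignores ACLs and capabilities, and the function names are mine.

```shell
#!/bin/sh
# Added diagnostic (not from the gVisor issue): which ancestor directory of a
# bind-mount source denies search permission to a given uid/gid?
# Judged from the classic mode bits only: no ACLs, no capabilities.
# Assumes GNU stat (-c); runs under dash and bash.

# has_x_bit OCTAL_DIGIT: succeeds if the execute/search bit is set.
has_x_bit() {
    case "$1" in
        1|3|5|7) return 0 ;;
        *) return 1 ;;
    esac
}

# dir_searchable DIR UID GID
# 0 if UID/GID may search DIR by owner/group/other bits, 1 if not, 2 if stat fails.
# uid 0 is treated as always allowed; inside a user namespace "root" is a mapped
# host uid, so pass the host uid the process really runs as.
dir_searchable() {
    dir=$1; uid=$2; gid=$3
    out=$(stat -c '%a %u %g' "$dir" 2>/dev/null) || return 2
    set -- $out
    mode=$(printf '%04d' "$1"); owner=$2; group=$3
    ugo=${mode#"${mode%???}"}      # last three octal digits: user, group, other
    ubit=${ugo%??}
    gbit=${ugo#?}; gbit=${gbit%?}
    obit=${ugo#??}
    [ "$uid" -eq 0 ] && return 0
    if [ "$uid" -eq "$owner" ]; then has_x_bit "$ubit"; return $?; fi
    if [ "$gid" -eq "$group" ]; then has_x_bit "$gbit"; return $?; fi
    has_x_bit "$obit"
}

# first_blocking_dir PATH UID GID
# Walks every ancestor directory of PATH from / downwards and prints the first
# one UID/GID cannot search. Prints nothing and returns 0 when all are
# searchable; returns 1 after printing the blocker, 2 on a stat error.
first_blocking_dir() {
    target=$1; uid=$2; gid=$3
    case "$target" in
        /*) ;;
        *) echo "path must be absolute" >&2; return 2 ;;
    esac
    cur=/
    rest=${target#/}
    # stat() on the final component needs only the x bit of its parents,
    # so the component itself is not checked.
    while [ -n "$rest" ] && [ "$rest" != "${rest#*/}" ]; do
        comp=${rest%%/*}
        rest=${rest#*/}
        if dir_searchable "$cur" "$uid" "$gid"; then
            :
        else
            st=$?
            printf '%s\n' "$cur"
            return "$st"
        fi
        case "$cur" in
            /) cur="/$comp" ;;
            *) cur="$cur/$comp" ;;
        esac
    done
    dir_searchable "$cur" "$uid" "$gid" || { printf '%s\n' "$cur"; return 1; }
    return 0
}

# Usage (as root, on the host):
#   RUN_CHECK=1 sh first_blocker.sh /var/lib/containers/storage/overlay-containers/<id>/userdata/shm 100000 100000
if [ "${RUN_CHECK:-0}" = 1 ]; then
    first_blocking_dir "${1:?absolute path}" "${2:-100000}" "${3:-100000}"
fi
```

The point of walking from the top is that a permission denied on stat() is reported for the leaf, but the bit that denies it can sit on any ancestor; on the listing above the first 0700 directory on the way to userdata/shm is /var/lib/containers/storage, so a process that is not uid 0 on the host (or that has had its capabilities dropped) cannot get past it, whatever the leaf's own mode is.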
@BinaryKhaos could you try out https://github.com/google/gvisor/commit/42151ab209f305833b6c293e8fd8b51ea65d6a7d?
As much as it shames/bugs me to admit it, I really could not get runsc to compile... neither with bazelisk/bazel nor with the Makefile approach and the build container. I even installed docker and docker-cli (just in case it was an incompatibility w/ podman).
Since the bazelisk/bazel approach was incompatible with my systems due to some assumptions made, I used an archlinux container but I never made it to a finished compile... each step forward was greeted with yet another obstacle.
And the build container / Makefile approach simply always gives me:
# make build TARGETS="//runsc"
--- BUILD //runsc
Error response from daemon: No such container: gvisor-bazel-2da8cbca-x86_64
make: *** [Makefile:60: build] Error 1
I thought it should pull or build the container and use that to build runsc? Both docker and podman work fine... so that's not the problem.
I don't give up easily but after hours of trying, I admit defeat. I have never used bazelisk/bazel before, so that wasn't really helpful either.
If you could give me some help on how I could finally get this to compile, I will gladly test each and every change you want me to test. Sorry.
What if you run make bazel-server and then try to run this command again?
@BinaryKhaos you can download runsc from here: https://github.com/google/gvisor/actions/runs/11521895058
That error from make seems to be caused by newer versions of make (4.4+). It should be fixed by #11084.
@avagin Thanks for the link but I am sorry to say...
# podman run --runtime=runsc --rm -it alpine sh
Error: runsc: creating container: cannot create gofer process: gofer: fork/exec /proc/self/exe: permission denied: OCI permission denied
@nlacasse Ah, yes, that gets the container build actually started but it still fails halfway through:
--- PULL default
Trying to pull us-central1-docker.pkg.dev/gvisor-presubmit/gvisor-presubmit-images/default_x86_64:49b7deac3001c06b...
Getting image source signatures
Copying blob 33c14993ac99 done |
Copying blob aa5910b34b34 done |
Copying blob ec408bd0541d done |
Copying blob 00d4d7c85e8d done |
Copying blob 7478e0ac0f23 done |
Copying blob 2ef80ce075c6 done |
Copying blob 2812a207761f done |
Copying blob 8911a3ab31ae done |
Copying blob f1203e1f9a8a done |
Copying config fd52001451 done |
Writing manifest to image destination
fd52001451930547a4ad82255ce897428ecf36afa0952b72d2a49aaa13badf30
--- DOCKER BUILD
Getting image source signatures
Copying blob 2573e0d81582 skipped: already exists
Copying blob 21eb05d6954c skipped: already exists
Copying blob 2fdddfb19d33 skipped: already exists
Copying blob 45c326f4af7f skipped: already exists
Copying blob a511c9983c1a skipped: already exists
Copying blob e36f4ce6d02e skipped: already exists
Copying blob f780d1e507f2 skipped: already exists
Copying blob 63923e82916c skipped: already exists
Copying blob a8036d971ac1 skipped: already exists
Copying blob b3a47858ce7a done |
Copying config 2a4efcdde2 done |
Writing manifest to image destination
2a4efcdde2e843b557ad6397e692a3681d4cc48b029d5f38edfbed85eeeb7e7d
--- DOCKER RUN
Error: cannot add init binary as PID 1 (PID namespace isn't private)
--- COPY runsc bin/
Error: no container with name or ID "gvisor-bazel-2da8cbca-x86_64" found: no such container
make: *** [Makefile:68: copy] Error 125
@nlacasse podman does not allow adding an init binary if certain conditions aren't met, and the pidns being private is one of them.
@avagin Thanks for the link but I am sorry to say...
podman run --runtime=runsc --rm -it alpine sh
Error: runsc: creating container: cannot create gofer process: gofer: fork/exec /proc/self/exe: permission denied: OCI permission denied
Did you set the right permissions (chmod 755 path_to_runsc) on the runsc binary?
I have reproduced the problem without my change and I don't see the issue with my change...
I am so sorry, you are totally right, I forgot to set the correct permissions. I usually use a script to update runsc that takes care of everything and this time I did it manually and naturally forgot about the permissions. I should have noticed that by myself. :(
I can confirm, with your patch, everything works again. Thanks so much for investing your time to fix this!
One last thing, though, buildah fails with runsc which I am pretty sure worked before since I defaulted everything to runsc.
If I try to build a container with a BUILDFILE, this is what happens:
I1031 08:06:01.963581 57525 main.go:195] **************** gVisor ****************
I1031 08:06:01.963634 57525 main.go:196] Version db8357750dcb, go1.23.2 X:nocoverageredesign, amd64, 8 CPUs, linux, PID 57525, PPID 57524, UID 0, GID 0
D1031 08:06:01.963644 57525 main.go:197] Page size: 0x1000 (4096 bytes)
I1031 08:06:01.963653 57525 main.go:198] Args: [/usr/local/bin/runsc.orig --platform kvm --debug --debug-log=/tmp/runsc/ --panic-log=/tmp/runsc-panic/ --systemd-cgroup create --bundle /var/tmp/buildah1944746136 --pid-file /var/tmp/buildah1944746136/pid buildah-buildah1944746136]
I1031 08:06:01.963670 57525 config.go:439] Platform: kvm
I1031 08:06:01.963695 57525 config.go:440] RootDir: /var/run/runsc
I1031 08:06:01.963700 57525 config.go:441] FileAccess: exclusive / Directfs: true / Overlay: root:self
I1031 08:06:01.963709 57525 config.go:442] Network: sandbox
I1031 08:06:01.963716 57525 config.go:444] Debug: true. Strace: false, max size: 1024, syscalls:
D1031 08:06:01.963727 57525 config.go:462] Config.RootDir (--root): /var/run/runsc
D1031 08:06:01.963736 57525 config.go:462] Config.Traceback (--traceback): system
D1031 08:06:01.963743 57525 config.go:462] Config.Debug (--debug): true
D1031 08:06:01.963749 57525 config.go:462] Config.LogFilename (--log): (empty)
D1031 08:06:01.963754 57525 config.go:462] Config.LogFormat (--log-format): text
D1031 08:06:01.963759 57525 config.go:462] Config.DebugLog (--debug-log): /tmp/runsc/
D1031 08:06:01.963764 57525 config.go:462] Config.DebugToUserLog (--debug-to-user-log): false
D1031 08:06:01.963769 57525 config.go:462] Config.DebugCommand (--debug-command): (empty)
D1031 08:06:01.963773 57525 config.go:462] Config.PanicLog (--panic-log): /tmp/runsc-panic/
D1031 08:06:01.963777 57525 config.go:462] Config.CoverageReport (--coverage-report): (empty)
D1031 08:06:01.963782 57525 config.go:462] Config.DebugLogFormat (--debug-log-format): text
D1031 08:06:01.963786 57525 config.go:462] Config.FileAccess (--file-access): exclusive
D1031 08:06:01.963791 57525 config.go:462] Config.FileAccessMounts (--file-access-mounts): shared
D1031 08:06:01.963796 57525 config.go:462] Config.Overlay (--overlay): false
D1031 08:06:01.963801 57525 config.go:462] Config.Overlay2 (--overlay2): root:self
D1031 08:06:01.963806 57525 config.go:462] Config.FSGoferHostUDS (--fsgofer-host-uds): false
D1031 08:06:01.963810 57525 config.go:462] Config.HostUDS (--host-uds): none
D1031 08:06:01.963816 57525 config.go:462] Config.HostFifo (--host-fifo): none
D1031 08:06:01.963822 57525 config.go:462] Config.HostSettings (--host-settings): check
D1031 08:06:01.963828 57525 config.go:462] Config.Network (--network): sandbox
D1031 08:06:01.963833 57525 config.go:462] Config.EnableRaw (--net-raw): false
D1031 08:06:01.963837 57525 config.go:462] Config.AllowPacketEndpointWrite (--TESTONLY-allow-packet-endpoint-write): false
D1031 08:06:01.963842 57525 config.go:462] Config.HostGSO (--gso): true
D1031 08:06:01.963846 57525 config.go:462] Config.GVisorGSO (--software-gso): true
D1031 08:06:01.963854 57525 config.go:462] Config.GVisorGRO (--gvisor-gro): false
D1031 08:06:01.963866 57525 config.go:462] Config.TXChecksumOffload (--tx-checksum-offload): false
D1031 08:06:01.963871 57525 config.go:462] Config.RXChecksumOffload (--rx-checksum-offload): true
D1031 08:06:01.963878 57525 config.go:462] Config.QDisc (--qdisc): fifo
D1031 08:06:01.963887 57525 config.go:462] Config.LogPackets (--log-packets): false
D1031 08:06:01.963891 57525 config.go:462] Config.PCAP (--pcap-log): (empty)
D1031 08:06:01.963895 57525 config.go:462] Config.Platform (--platform): kvm
D1031 08:06:01.963900 57525 config.go:462] Config.PlatformDevicePath (--platform_device_path): (empty)
D1031 08:06:01.963904 57525 config.go:462] Config.MetricServer (--metric-server): (empty)
D1031 08:06:01.963908 57525 config.go:462] Config.FinalMetricsLog (--final-metrics-log): (empty)
D1031 08:06:01.963912 57525 config.go:462] Config.ProfilingMetrics (--profiling-metrics): (empty)
D1031 08:06:01.963919 57525 config.go:462] Config.ProfilingMetricsLog (--profiling-metrics-log): (empty)
D1031 08:06:01.963923 57525 config.go:462] Config.ProfilingMetricsRate (--profiling-metrics-rate-us): 1000
D1031 08:06:01.963928 57525 config.go:462] Config.Strace (--strace): false
D1031 08:06:01.963932 57525 config.go:462] Config.StraceSyscalls (--strace-syscalls): (empty)
D1031 08:06:01.963936 57525 config.go:462] Config.StraceLogSize (--strace-log-size): 1024
D1031 08:06:01.963940 57525 config.go:462] Config.StraceEvent (--strace-event): false
D1031 08:06:01.963944 57525 config.go:464] Config.DisableSeccomp: false
D1031 08:06:01.963952 57525 config.go:462] Config.EnableCoreTags (--enable-core-tags): false
D1031 08:06:01.963958 57525 config.go:462] Config.WatchdogAction (--watchdog-action): logWarning
D1031 08:06:01.963964 57525 config.go:462] Config.PanicSignal (--panic-signal): -1
D1031 08:06:01.963968 57525 config.go:462] Config.ProfileEnable (--profile): false
D1031 08:06:01.963972 57525 config.go:462] Config.ProfileBlock (--profile-block): (empty)
D1031 08:06:01.963976 57525 config.go:462] Config.ProfileCPU (--profile-cpu): (empty)
D1031 08:06:01.963980 57525 config.go:462] Config.ProfileHeap (--profile-heap): (empty)
D1031 08:06:01.963984 57525 config.go:462] Config.ProfileMutex (--profile-mutex): (empty)
D1031 08:06:01.963988 57525 config.go:462] Config.TraceFile (--trace): (empty)
D1031 08:06:01.963992 57525 config.go:462] Config.NumNetworkChannels (--num-network-channels): 1
D1031 08:06:01.963996 57525 config.go:462] Config.NetworkProcessorsPerChannel (--network-processors-per-channel): 0
D1031 08:06:01.964001 57525 config.go:462] Config.Rootless (--rootless): false
D1031 08:06:01.964005 57525 config.go:462] Config.AlsoLogToStderr (--alsologtostderr): false
D1031 08:06:01.964009 57525 config.go:462] Config.ReferenceLeak (--ref-leak-mode): disabled
D1031 08:06:01.964014 57525 config.go:462] Config.CPUNumFromQuota (--cpu-num-from-quota): false
D1031 08:06:01.964019 57525 config.go:462] Config.AllowFlagOverride (--allow-flag-override): false
D1031 08:06:01.964027 57525 config.go:462] Config.OCISeccomp (--oci-seccomp): false
D1031 08:06:01.964032 57525 config.go:462] Config.IgnoreCgroups (--ignore-cgroups): false
D1031 08:06:01.964036 57525 config.go:462] Config.SystemdCgroup (--systemd-cgroup): true
D1031 08:06:01.964040 57525 config.go:462] Config.PodInitConfig (--pod-init-config): (empty)
D1031 08:06:01.964044 57525 config.go:462] Config.BufferPooling (--buffer-pooling): true
D1031 08:06:01.964048 57525 config.go:462] Config.XDP (--EXPERIMENTAL-xdp): {0 }
D1031 08:06:01.964055 57525 config.go:462] Config.AFXDPUseNeedWakeup (--EXPERIMENTAL-xdp-need-wakeup): true
D1031 08:06:01.964059 57525 config.go:462] Config.FDLimit (--fdlimit): -1
D1031 08:06:01.964063 57525 config.go:462] Config.DCache (--dcache): -1
D1031 08:06:01.964068 57525 config.go:462] Config.IOUring (--iouring): false
D1031 08:06:01.964072 57525 config.go:462] Config.DirectFS (--directfs): true
D1031 08:06:01.964076 57525 config.go:462] Config.AppHugePages (--app-huge-pages): true
D1031 08:06:01.964080 57525 config.go:462] Config.NVProxy (--nvproxy): false
D1031 08:06:01.964084 57525 config.go:462] Config.NVProxyDocker (--nvproxy-docker): false
D1031 08:06:01.964088 57525 config.go:462] Config.NVProxyDriverVersion (--nvproxy-driver-version): (empty)
D1031 08:06:01.964093 57525 config.go:462] Config.NVProxyAllowedDriverCapabilities (--nvproxy-allowed-driver-capabilities): utility,compute
D1031 08:06:01.964097 57525 config.go:462] Config.TPUProxy (--tpuproxy): false
D1031 08:06:01.964101 57525 config.go:462] Config.TestOnlyAllowRunAsCurrentUserWithoutChroot (--TESTONLY-unsafe-nonroot): false
D1031 08:06:01.964105 57525 config.go:462] Config.TestOnlyTestNameEnv (--TESTONLY-test-name-env): (empty)
D1031 08:06:01.964109 57525 config.go:462] Config.TestOnlyAFSSyscallPanic (--TESTONLY-afs-syscall-panic): false
D1031 08:06:01.964114 57525 config.go:464] Config.explicitlySet: <map[string]struct {} Value> (unexported)
D1031 08:06:01.964126 57525 config.go:462] Config.ReproduceNAT (--reproduce-nat): false
D1031 08:06:01.964131 57525 config.go:462] Config.ReproduceNftables (--reproduce-nftables): false
D1031 08:06:01.964136 57525 config.go:462] Config.NetDisconnectOk (--net-disconnect-ok): true
D1031 08:06:01.964140 57525 config.go:462] Config.TestOnlyAutosaveImagePath (--TESTONLY-autosave-image-path): (empty)
D1031 08:06:01.964146 57525 config.go:462] Config.TestOnlyAutosaveResume (--TESTONLY-autosave-resume): false
D1031 08:06:01.964150 57525 config.go:462] Config.TestOnlySaveRestoreNetstack (--TESTONLY-save-restore-netstack): false
I1031 08:06:01.964154 57525 main.go:200] **************** gVisor ****************
W1031 08:06:01.965402 57525 specutils.go:127] noNewPrivileges ignored. PR_SET_NO_NEW_PRIVS is assumed to always be set.
D1031 08:06:01.965602 57525 specutils.go:89] Spec:
{
  "ociVersion": "1.2.0",
  "process": {
    "user": {
      "uid": 0,
      "gid": 0,
      "additionalGids": [
        0
      ]
    },
    "args": [
      "/bin/sh",
      "-c",
      "umask 0027 \u0026\u0026 echo \"UMASK 0027\" \u003e/etc/login.defs.d/local.conf \u0026\u0026 useradd -m -d /home/dev -s /bin/bash dev \u0026\u0026 chmod 750 /home/dev \u0026\u0026 chmod 750 /home/dev/bin \u0026\u0026 usermod -L root"
    ],
    "env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "HOSTNAME=70e0774f9873"
    ],
    "cwd": "/",
    "rlimits": [
      {
        "type": "RLIMIT_NOFILE",
        "hard": 1048576,
        "soft": 1048576
      },
      {
        "type": "RLIMIT_NPROC",
        "hard": 4194304,
        "soft": 4194304
      }
    ]
  },
  "root": {
    "path": "/var/tmp/buildah1944746136/mnt/rootfs"
  },
  "hostname": "70e0774f9873",
  "mounts": [
    {
      "destination": "/dev",
      "type": "tmpfs",
      "source": "/var/tmp/buildah1944746136/tmpfs",
      "options": [
        "nosuid",
        "strictatime",
        "mode=755",
        "size=65536k"
      ]
    },
    {
      "destination": "/proc",
      "type": "proc",
      "source": "/var/tmp/buildah1944746136/proc",
      "options": [
        "nosuid",
        "noexec",
        "nodev"
      ]
    },
    {
      "destination": "/sys",
      "type": "sysfs",
      "source": "/var/tmp/buildah1944746136/sysfs",
      "options": [
        "nosuid",
        "noexec",
        "nodev",
        "ro"
      ]
    },
    {
      "destination": "/dev/mqueue",
      "type": "mqueue",
      "source": "/var/tmp/buildah1944746136/mqueue",
      "options": [
        "nosuid",
        "noexec",
        "nodev"
      ]
    },
    {
      "destination": "/dev/pts",
      "type": "devpts",
      "source": "/var/tmp/buildah1944746136/devpts",
      "options": [
        "nosuid",
        "noexec",
        "newinstance",
        "ptmxmode=0666",
        "mode=0620",
        "gid=5"
      ]
    },
    {
      "destination": "/dev/shm",
      "type": "tmpfs",
      "source": "/var/tmp/buildah1944746136/shm",
      "options": [
        "private",
        "nodev",
        "noexec",
        "nosuid",
        "mode=1777",
        "size=65536k"
      ]
    },
    {
      "destination": "/etc/hostname",
      "type": "bind",
      "source": "/var/tmp/buildah1944746136/hostname",
      "options": [
        "rbind"
      ]
    },
    {
      "destination": "/etc/hosts",
      "type": "bind",
      "source": "/var/tmp/buildah1944746136/hosts",
      "options": [
        "rbind"
      ]
    },
    {
      "destination": "/etc/resolv.conf",
      "type": "bind",
      "source": "/var/tmp/buildah1944746136/resolv.conf",
      "options": [
        "rbind"
      ]
    },
    {
      "destination": "/run/.containerenv",
      "type": "bind",
      "source": "/var/tmp/buildah1944746136/run/.containerenv",
      "options": [
        "rbind"
      ]
    },
    {
      "destination": "/sys/fs/cgroup",
      "type": "cgroup",
      "source": "/var/tmp/buildah1944746136/cgroup",
      "options": [
        "rprivate",
        "nosuid",
        "noexec",
        "nodev",
        "relatime",
        "rw"
      ]
    }
  ],
  "linux": {
    "sysctl": {
      "net.ipv4.ping_group_range": "0 0"
    },
    "resources": {},
    "namespaces": [
      {
        "type": "pid"
      },
      {
        "type": "network"
      },
      {
        "type": "ipc"
      },
      {
        "type": "uts"
      },
      {
        "type": "mount"
      },
      {
        "type": "cgroup"
      }
    ]
  }
}
D1031 08:06:01.965632 57525 container.go:202] Create container, cid: buildah-buildah1944746136, rootDir: "/var/run/runsc"
D1031 08:06:01.965677 57525 container.go:1870] Configuring container with a new userns with identity user mappings into current userns
D1031 08:06:01.965721 57525 container.go:1926] UID Mappings:
D1031 08:06:01.965728 57525 container.go:1928] Container ID: 0, Host ID: 0, Range Length: 4294967295
D1031 08:06:01.965761 57525 container.go:1926] GID Mappings:
D1031 08:06:01.965767 57525 container.go:1928] Container ID: 0, Host ID: 0, Range Length: 4294967295
D1031 08:06:01.965802 57525 container.go:267] Creating new sandbox for container, cid: buildah-buildah1944746136
D1031 08:06:01.965818 57525 container.go:795] Destroy container, cid: buildah-buildah1944746136
W1031 08:06:01.965853 57525 util.go:64] FATAL ERROR: creating container: cannot set up cgroup for root: invalid systemd path: "/buildah-buildah1944746136"
W1031 08:06:01.965906 57525 main.go:230] Failure to execute command, err: 1
Suffice to say, this naturally works just fine with runc or crun. It is just runsc that fails.
Seems like you might be using an older runsc build. https://github.com/google/gvisor/commit/8c3abba8000496c06341653f158dc34a4318565a should get you past this error I think. It was merged on May 30. So try using a build after that.
It added a bunch of documentation about how to set up systemd cgroups. But it seems like the docs were not added to the website because we forgot to update the BUILD file. I will fix that. Until then, you can see the documentation here: https://github.com/google/gvisor/blob/e514af1bae5b1f00f8470f15ffb4415abdd8e323/g3doc/user_guide/systemd.md. You will need to set spec.Linux.CgroupsPath appropriately. Without it, the sandbox will not be run in cgroups.
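A local pre-flight check for the CgroupsPath requirement mentioned above, added here as an example (it is not runsc's or Podman's own code): it reads a config.json and reports whether linux.cgroupsPath is unset, as in the spec dumped in the debug log, or not in the form a systemd cgroup driver accepts. It assumes the "slice:prefix:name" convention of runc/crun's systemd driver, which is what the "invalid systemd path" failure in the log looks like.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ociSpec is the minimal slice of an OCI runtime spec this check needs.
type ociSpec struct {
	Linux *struct {
		CgroupsPath string `json:"cgroupsPath"`
	} `json:"linux"`
}

// CheckSystemdCgroupsPath validates linux.cgroupsPath for a runtime started
// with --systemd-cgroup. Assumption: the "slice:prefix:name" convention of
// runc/crun's systemd driver applies (slice ends in ".slice" or is empty,
// meaning system.slice; name is non-empty; no "/" anywhere in the path).
func CheckSystemdCgroupsPath(specJSON []byte) error {
	var spec ociSpec
	if err := json.Unmarshal(specJSON, &spec); err != nil {
		return fmt.Errorf("parse spec: %w", err)
	}
	if spec.Linux == nil || spec.Linux.CgroupsPath == "" {
		return fmt.Errorf("linux.cgroupsPath unset: sandbox would not be placed in a cgroup")
	}
	p := spec.Linux.CgroupsPath
	parts := strings.Split(p, ":")
	if len(parts) != 3 || strings.Contains(p, "/") {
		return fmt.Errorf("invalid systemd path %q: want slice:prefix:name", p)
	}
	slice, name := parts[0], parts[2]
	if (slice != "" && !strings.HasSuffix(slice, ".slice")) || name == "" {
		return fmt.Errorf("invalid slice or name in systemd path %q", p)
	}
	return nil
}

func main() {
	// Constructed samples: no cgroupsPath (as in the log), the rejected path, a valid one.
	for _, s := range []string{
		`{"linux":{"namespaces":[{"type":"pid"}]}}`,
		`{"linux":{"cgroupsPath":"/buildah-buildah1944746136"}}`,
		`{"linux":{"cgroupsPath":"system.slice:buildah:buildah1944746136"}}`,
	} {
		fmt.Println(CheckSystemdCgroupsPath([]byte(s)))
	}
}
```

Run it against the config.json of a failing container before invoking runsc; only the third sample form passes, the first two reproduce the two failure modes the thread describes.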
@avagin Is there something blocking this from being merged into main, like your patch being just a proof of concept or anything like that? It would be nice to have this merged, so that runsc works again with newer podman releases. Thanks, again, so much! And if you get the time, maybe you could have a look at issue #260? That would be very much appreciated!
@ayushr2 I was already using the build avagin provided, which was just a week old or so. In the meantime I managed to finally build runsc by myself (it works exclusively with docker, unfortunately; with podman the final binary is not copied and is gone). With it, I get the same error as expected. I guess this is, again, a case where runsc is not quite compatible with podman, I am afraid. So building images with podman/buildah will be back to crun/runc for the time being.