#1012030 podman: Fails to run any container

Package:
runc
Source:
runc
Description:
Open Container Project - runtime
Submitter:
Vicente Olivert Riera
Date:
2022-07-04 02:33:06 UTC
Severity:
important
Tags:
#1012030#5
Date:
2022-05-29 03:46:18 UTC
From:
To:
Dear Maintainer,

Podman has stopped working (at least for me) without having modified anything
from its configuration. I simply try to run 'bash' from a Debian container, and
it crashes like this:


$ podman run --rm -it debian bash
Resolved "debian" as an alias
(/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/debian:latest...
Getting image source signatures
Copying blob e756f3fdd6a3 done
Copying config 4eacea3037 done
Writing manifest to image destination
Storing signatures
Error: container_linux.go:367: starting container process caused: error adding
seccomp filter rule for syscall bdflush: permission denied: OCI permission
denied
$

#1012030#10
Date:
2022-05-30 13:12:05 UTC
From:
To:
I've found the problem appears to be between podman and runc.

I have runc installed in my system because I also use docker.io, and
that package depends on it.
runc is also a dependency of podman, so podman uses it. However, podman
can also use crun. But, since runc was already installed, and podman can
depend on either of them, crun was not installed as a dependency.

Now, if I manually install crun, podman works again and the error is
gone. I think if podman finds that crun is installed, it will use it.
Otherwise it will use runc as a fallback.

Since both runc and crun packages can coexist in the system, I think a
quick fix could be removing the runc dependency on podman, so it will
always pull in crun as a dependency. At least until the root cause of
this problem is found and fixed.

#1012030#15
Date:
2022-05-30 19:28:55 UTC
From:
To:
I wonder whether this may be related to upstream report at
https://github.com/containers/common/issues/631

It seems that in debian/bullseye, podman is only able to work in crun,
since the version of runc we have in stable seems to have issues with
seccomp. Can you please try the following for me with both crun and
runc installed:

root@pve:~# podman run --runtime runc --security-opt=seccomp=unconfined --rm -it debian date
Mon May 30 19:18:05 UTC 2022

That does appear to work at least on my system.

This might indicate that this is actually a change that needs to go into
golang-github-containers-common then...

#1012030#20
Date:
2022-05-30 23:37:18 UTC
From:
To:
Dear Reinhard Tartler,

I have tried what you suggested, and indeed, it does work. See:

$ # CHECK BOTH CRUN AND RUNC ARE INSTALLED
$ dpkg -s runc | grep -E '^Status'
Status: install ok installed
$ dpkg -s crun | grep -E '^Status'
Status: install ok installed
$ # RUN COMMAND WITHOUT THE SUGGESTED WORKAROUND
$ podman run --runtime runc --rm -it debian date
Error: container_linux.go:367: starting container process caused: error
adding seccomp filter rule for syscall bdflush: permission denied: OCI
permission denied
$ # RUN COMMAND WITH THE SUGGESTED WORKAROUND
$ podman run --runtime runc --security-opt=seccomp=unconfined --rm -it debian date
Mon May 30 23:33:32 UTC 2022

Thanks,
Vincent

#1012030#25
Date:
2022-05-31 04:10:08 UTC
From:
To:
If I read the issue correctly, it's because in the last stable update,
the defaultErrnoRet feature is backported. However runc doesn't
support it until v1.0.0-rc95(stable has rc93). I don't think runc will
get feature backports in stable. So probably only crun can be used by
podman now in stable.
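
The mechanism behind the "permission denied" in the report, shown as an added example (this is not code from runc, crun, podman or containers-common): a profile whose defaultAction is SCMP_ACT_ERRNO with defaultErrnoRet set to ENOSYS, plus explicit SCMP_ACT_ERRNO/EPERM rules for syscalls such as bdflush. A runtime that honours defaultErrnoRet installs ENOSYS as the default, so an EPERM rule is a distinct action and is accepted. A runtime that ignores the field falls back to EPERM for the default, the bdflush rule then equals the default action, and seccomp_rule_add(3) rejects it with EACCES, which runc surfaces as "error adding seccomp filter rule for syscall bdflush: permission denied". The profile below is constructed to mirror that shape and is not the real seccomp.json; the EPERM fallback for rules without errnoRet is runc's documented behaviour. This also explains why `--security-opt=seccomp=unconfined` "works": it removes the filter entirely, so no rule is added, at the cost of running the container with no syscall filter at all.

```python
"""Find OCI seccomp rules that collide with the filter's default action.

Added example for Debian bug #1012030; not runc/crun/podman code.
The profile is constructed for illustration and is not the real
containers-common seccomp.json.
"""
import errno
import json

# Constructed profile: ENOSYS default, explicit EPERM rules for a few syscalls.
CONSTRUCTED_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": errno.ENOSYS,   # 38: unlisted syscalls report ENOSYS
    "syscalls": [
        {"names": ["read", "write", "exit_group", "futex"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["bdflush", "uselib", "sysfs"],
         "action": "SCMP_ACT_ERRNO", "errnoRet": errno.EPERM},   # 1
    ],
})


def resolved_action(action, errno_ret):
    """Normalise an OCI action to the pair libseccomp actually sees.

    SCMP_ACT_ERRNO carries its errno inside the action value, so
    ERRNO(EPERM) and ERRNO(ENOSYS) are two different actions.  When a
    rule gives no errnoRet, runc falls back to EPERM.
    """
    if action == "SCMP_ACT_ERRNO":
        return (action, errno.EPERM if errno_ret is None else int(errno_ret))
    return (action, None)


def default_action(profile, honors_default_errno_ret):
    """Default action a runtime installs, with/without defaultErrnoRet support."""
    ret = profile.get("defaultErrnoRet") if honors_default_errno_ret else None
    return resolved_action(profile["defaultAction"], ret)


def colliding_syscalls(profile_json, honors_default_errno_ret):
    """Syscalls whose rule action equals the filter default.

    seccomp_rule_add(3) refuses such a rule with EACCES; runc reports the
    first one as 'error adding seccomp filter rule for syscall <name>:
    permission denied'.
    """
    profile = json.loads(profile_json)
    default = default_action(profile, honors_default_errno_ret)
    hits = []
    for rule in profile.get("syscalls", []):
        if resolved_action(rule["action"], rule.get("errnoRet")) == default:
            hits.extend(rule["names"])
    return hits


def runtime_outcome(profile_json, honors_default_errno_ret):
    """None when the filter loads cleanly, else the runc-style error text."""
    hits = colliding_syscalls(profile_json, honors_default_errno_ret)
    if not hits:
        return None
    return (f"error adding seccomp filter rule for syscall {hits[0]}: "
            "permission denied")


if __name__ == "__main__":
    for honors, label in ((True, "crun / runc >= rc95"), (False, "runc rc93")):
        print(f"{label:20s} -> {runtime_outcome(CONSTRUCTED_PROFILE, honors) or 'ok'}")
```

Run it as-is to see the two outcomes side by side; point `CONSTRUCTED_PROFILE` at the contents of your own `/usr/share/containers/seccomp.json` to check whether a given profile would trip a runtime that predates the defaultErrnoRet backport.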

#1012030#28
Date:
2022-06-12 20:19:35 UTC
From:
To:
Hello,

Bug #1012030 in runc reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/packages/runc/-/commit/1d73689985b29ec5b8477dbc6df8004aa09771d1
------------------------------------------------------------------------
backport upstream patch: Honor seccomp defaultErrnoRet, Closes: #1012030
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1012030

#1012030#35
Date:
2022-06-12 20:22:22 UTC
From:
To:
Shengjing, you are right (as always),

I can confirm that backporting this patch does fix this issue:
https://salsa.debian.org/go-team/packages/runc/-/commit/1d73689985b29ec5b8477dbc6df8004aa09771d1

I'll upload to stable and request it to be unblocked shortly.

#1012030#48
Date:
2022-06-18 12:47:08 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
runc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012030@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated runc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 13 Jun 2022 07:06:00 -0400
Source: runc
Architecture: source
Version: 1.0.0~rc93+ds1-5+deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1012030
Changes:
 runc (1.0.0~rc93+ds1-5+deb11u2) bullseye; urgency=medium
 .
   * Backport upstream patch:
     - do not set inheritable capabilities, Fixes: CVE-2022-29162
 .
 runc (1.0.0~rc93+ds1-5+deb11u1) bullseye; urgency=medium
 .
   * Team upload.
   * backport upstream patch: Honor seccomp defaultErrnoRet, Closes: #1012030
Checksums-Sha1:
 431cbc35b31da424825ca1a08afe67d752ad9caf 3372 runc_1.0.0~rc93+ds1-5+deb11u2.dsc
 fa7dd30f8b03dec8d2ea282f87c06fe8860f6ab5 42576 runc_1.0.0~rc93+ds1-5+deb11u2.debian.tar.xz
Checksums-Sha256:
 d6453431cf07b23b9c807580aaf8cd33a2fadd484658fd6744b05b6b0aec2013 3372 runc_1.0.0~rc93+ds1-5+deb11u2.dsc
 4660d46c6dbad3ae1eb5d72720fd4e4b8130944143fb97a1d5cff67ab8a74c01 42576 runc_1.0.0~rc93+ds1-5+deb11u2.debian.tar.xz
Files:
 f5dc3470bdaa53297fdc5ea5bcc991cb 3372 admin optional runc_1.0.0~rc93+ds1-5+deb11u2.dsc
 2709adbfe7bdfd85003378ae03e51c65 42576 admin optional runc_1.0.0~rc93+ds1-5+deb11u2.debian.tar.xz

#1012030#53
Date:
2022-06-18 12:47:08 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
runc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012030@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated runc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 12 Jun 2022 14:49:36 -0400
Source: runc
Architecture: source
Version: 1.0.0~rc93+ds1-5+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1012030
Changes:
 runc (1.0.0~rc93+ds1-5+deb11u1) bullseye; urgency=medium
 .
   * Team upload.
   * backport upstream patch: Honor seccomp defaultErrnoRet, Closes: #1012030
Checksums-Sha1:
 8a3347c9163502ce1886cc2e5dbaeaebf263c7ef 3372 runc_1.0.0~rc93+ds1-5+deb11u1.dsc
 135fe72928f96dc990b7db4af0e24f6689c12b3a 41912 runc_1.0.0~rc93+ds1-5+deb11u1.debian.tar.xz
Checksums-Sha256:
 14383d6a6f527b4fbba85abf0fc4ff3d2fc60af3522a89be83ab160a5bce2832 3372 runc_1.0.0~rc93+ds1-5+deb11u1.dsc
 0e218ba9d5ff8dc478acc06433dda9f7abdda80a5f341c3212eaf975cb0ac1c8 41912 runc_1.0.0~rc93+ds1-5+deb11u1.debian.tar.xz
Files:
 44a20e9914d9738ed9feedb4e20f2fb0 3372 admin optional runc_1.0.0~rc93+ds1-5+deb11u1.dsc
 faaa86aeeeb90c5265af52e27d1f2bef 41912 admin optional runc_1.0.0~rc93+ds1-5+deb11u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEMN59F2OrlFLH4IJQSadpd5QoJssFAmKmTBoUHHNpcmV0YXJ0
QHRhdXdhcmUuZGUACgkQSadpd5QoJsvKag/8DvnXGmOcMr/a/Cc6kSP8G7MMXpc7
vIkQwKGRg/c2Cip5L1K0Y3agXwUEuQVrNP7mubixSgW/FDch0IuKBZ8CtwyBEP29
NPfutfaX/3aPAWkruwXUQ75D05o+h94NUMDaztRh7GpJzUtS1LsIoAyGkpT2cvlN
uwlTey+a8t7ZBMfEov5nNFd3bcWVyL13Y0CuGQemwLn7ftHbqHfbc3IzBktvYOpp
NsypKPVXii8Z215CZ5uFUfoSMUhE/XFlH96j3AumOKtlj5eU803x91X0zainVHAf
a+g7otHmyGeVrzNuZj27g0tnMVfl2C/FFGIWGx1iP25av2HUmcyJPVXqQtDtbnWL
ug9BicK6ahAREcqDDOhz9WDO18j30it/dEah2RjYjnupU3zlpl6f/vcJiWB5jIk7
/Dl2LgACgl88oZCpgOdOOu/VXqN2t4TSVShBlbA69RfPsjq+JFk6pPdVX5c8Hu9A
qfhtFrBHsai2tSTzax3oPWTCUxO2wRjJjcGi1Yn8sdM1t+ZO3eiG+gNTz0mZiecr
78XrhcNjksiVqRMExrm6RVh5KGSycnt7/xOwYELo0Wl63MH+fvINlIGP4K1Xn/OP
pipcksHJjlcuSAtFFqpYgIx5xSu4Zia/F1BTUs6UtwA+5/C83FNGnNVnlAwgVl+C
ztO2mmw2BGm356k=
=XFHC
-----END PGP SIGNATURE-----