cgroupsv1(?): cannot toggle freezer: cgroups not configured for container #11785

Closed
edsantiago opened this issue Sep 29, 2021 · 6 comments · Fixed by #11798
Labels: rootless

Comments

@edsantiago
Member

Almost certainly related to #11784, but this one is rootless-only. Seen in f33. This is blocking #11776.

[+0926s] not ok 236 podman selinux: shared context in (some) namespaces
         # (from function `is' in file test/system/helpers.bash, line 508,
         #  in test file test/system/410-selinux.bats, line 126)
         #   `is "$output" "$context_c1" "new container, run with --pid of existing one "' failed
         # $ podman rm --all --force
         # $ podman ps --all --external --format {{.ID}} {{.Names}}
         # $ podman images --all --format {{.Repository}}:{{.Tag}} {{.ID}}
         # quay.io/libpod/testimage:20210610 9f9ec7f2fdef
         # $ podman run -d --name myctr quay.io/libpod/testimage:20210610 top
         # 3aa057fa598b4cfd220e66e782944b01f59c00afbc7e41a2b4374d0249fa7ad3
         # $ podman exec myctr cat -v /proc/self/attr/current
         # system_u:system_r:container_t:s0:c226,c233^@
         # $ podman run --name myctr2 --ipc container:myctr quay.io/libpod/testimage:20210610 cat -v /proc/self/attr/current
         # system_u:system_r:container_t:s0:c226,c233^@
         # $ podman run --rm --pid container:myctr quay.io/libpod/testimage:20210610 cat -v /proc/self/attr/current
         # system_u:system_r:container_t:s0:c226,c233^@time="2021-09-28T17:10:04-05:00" level=warning msg="cannot toggle freezer: cgroups not configured for container"
         # time="2021-09-28T17:10:04-05:00" level=warning msg="cannot toggle freezer: cgroups not configured for container"
         # time="2021-09-28T17:10:04-05:00" level=warning msg="lstat : no such file or directory"
         # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
         # #|     FAIL: new container, run with --pid of existing one 
         # #| expected: 'system_u:system_r:container_t:s0:c226,c233^@'
         # #|   actual: 'system_u:system_r:container_t:s0:c226,c233^@time="2021-09-28T17:10:04-05:00" level=warning msg="cannot toggle freezer: cgroups not configured for container"'
         # #|         > 'time="2021-09-28T17:10:04-05:00" level=warning msg="cannot toggle freezer: cgroups not configured for container"'
         # #|         > 'time="2021-09-28T17:10:04-05:00" level=warning msg="lstat : no such file or directory"'
         # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

As with #11784, I see hundreds of instances of this in CI logs but cannot reproduce it myself on a cgroupsv1 f33 host. While trying to reproduce it, though, I did get a different error:

$ while :;do bats --filter namespaces /usr/share/podman/test/system/410-selinux.bats || break;done
 ✗ podman selinux: shared context in (some) namespaces
   (from function `die' in file /usr/share/podman/test/system/helpers.bash, line 448,
    from function `run_podman' in file /usr/share/podman/test/system/helpers.bash, line 221,
    in test file /usr/share/podman/test/system/410-selinux.bats, line 125)
     `run_podman run --rm --pid container:myctr $IMAGE cat -v /proc/self/attr/current' failed with status 126
   $ podman rm --all --force
   $ podman ps --all --external --format {{.ID}} {{.Names}}
   $ podman images --all --format {{.Repository}}:{{.Tag}} {{.ID}}
   quay.io/libpod/testimage:20210610 9f9ec7f2fdef
   $ podman run -d --name myctr quay.io/libpod/testimage:20210610 top
   2b49db4f018fd2fa275a93d0a70efbf304bd9d7f25715b91940cc8a57081b25f
   $ podman exec myctr cat -v /proc/self/attr/current
   system_u:system_r:container_t:s0:c217,c675^@
   $ podman run --name myctr2 --ipc container:myctr quay.io/libpod/testimage:20210610 cat -v /proc/self/attr/current
   system_u:system_r:container_t:s0:c217,c675^@
   $ podman run --rm --pid container:myctr quay.io/libpod/testimage:20210610 cat -v /proc/self/attr/current
   Error: readlink: Permission denied: OCI permission denied
   [ rc=126 (** EXPECTED 0 **) ]
@giuseppe
Member

I think we should not allow the combination --pid, rootless and cgroup v1.

If there is no usable cgroup, as it is the case of rootless on cgroup v1, then it is impossible to know what processes a container is running since it has no pid namespace.
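The check implied by the comment above, written out as an added example (this is not podman code, nor the test suite's helpers): map the filesystem type mounted at /sys/fs/cgroup to a cgroup version, then decide whether `--pid container:<name>` leaves the runtime any way to track the container's processes. The function names, the use of `stat -f -c %T`, and the "unknown version" handling are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not part of podman: decide whether "--pid container:<name>"
# is usable on this host. A rootless container on cgroup v1 has no cgroup it
# can write to; if it also shares a pid namespace, the runtime has neither a
# cgroup nor a pid namespace from which to learn which processes are its own.
set -u

# cgroup_version_from_fstype FSTYPE
# "cgroup2fs" at /sys/fs/cgroup means a unified (v2) hierarchy; "tmpfs" is
# the v1 layout, where each controller is a separate cgroupfs mount under
# that tmpfs. Anything else is treated as "no usable cgroup tree" (0).
cgroup_version_from_fstype() {
    case "$1" in
        cgroup2fs) echo 2 ;;
        tmpfs)     echo 1 ;;
        *)         echo 0 ;;
    esac
}

# pid_share_usable VERSION UID
# Returns 0 when the runtime still has a cgroup to enumerate the container's
# processes from (root on v1 or v2, rootless on v2 via a delegated subtree),
# 1 for rootless on v1 or when no cgroup tree is mounted at all.
pid_share_usable() {
    local version=$1 uid=$2
    [ "$version" -ne 0 ] || return 1
    if [ "$uid" -ne 0 ] && [ "$version" -eq 1 ]; then
        return 1
    fi
    return 0
}

# host_pid_share_usable: the same decision, read from the running host.
host_pid_share_usable() {
    local fstype version
    fstype=$(stat -f -c %T /sys/fs/cgroup 2>/dev/null || echo none)
    version=$(cgroup_version_from_fstype "$fstype")
    pid_share_usable "$version" "$(id -u)"
}

# Report the host's situation without exiting, so the functions above can
# also be sourced (for instance from a bats helper) and used as a skip test.
if host_pid_share_usable; then
    echo "--pid container:<name> is usable here"
else
    echo "skip: rootless on cgroup v1 (or no cgroup mount); runtime cannot track container processes"
fi
```

Sourcing this file and calling `host_pid_share_usable` from a test gives a skip condition that matches the comment's rule: root is always accepted, rootless is accepted only on cgroup v2.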

@giuseppe
Member

my suggestion is to skip this test for rootless on cgroup v1

@giuseppe
Member

opened #11798

also, the first error is coming from runc.

Are you also trying to reproduce with runc?

@edsantiago
Member Author

Are you also trying to reproduce with runc?

I have no idea; I just set cgroups to v1 on f33 (which took me several hours to figure out, because 1minutetip is not normal). I didn't remember about runc/crun.

@giuseppe
Member

I think by default we use crun.

You'd need to force runc; with --runtime /usr/bin/runc I can easily reproduce locally.

@edsantiago edsantiago removed the flakes Flakes from Continuous Integration label Sep 30, 2021
@edsantiago
Member Author

Thank you, that explains why I couldn't reproduce. I've removed the flakes label.

giuseppe added a commit to giuseppe/libpod that referenced this issue Sep 30, 2021
skip the test "podman selinux: shared context in (some) namespaces" on
cgroupsv1 when running as rootless since the test requires
--pid=container:.

If the container runtime cannot use cgroupsv1 and the container has no
pid namespace, then it is not possible to correctly terminate the
container.  Without a cgroup or a pid namespace, the runtime has no
control on what processes are in the container.

Closes: containers#11785

Signed-off-by: Giuseppe Scrivano <[email protected]>