Can't start container: failed to write to /proc/self/oom_score_adj: Permission denied #18846

Closed
RocketRide9 opened this issue Jun 10, 2023 · 1 comment
Labels: kind/bug, locked - please file new issue/PR

RocketRide9 commented Jun 10, 2023

Issue Description

Can't start podman container. Probably duplicate of #18555

Steps to reproduce the issue

  1. Execute 'podman --log-level debug start fedora-toolbox-38'
  2. See error

Describe the results you received

Container fails to start

Describe the results you expected

Container starts

podman info output

host:
  arch: amd64
  buildahVersion: 1.30.0
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.7-2.fc38.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: '
  cpuUtilization:
    idlePercent: 90.46
    systemPercent: 1.91
    userPercent: 7.63
  cpus: 4
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: workstation
    version: "38"
  eventLogger: journald
  hostname: fedora
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.3.6-200.fc38.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 9106989056
  memTotal: 16471113728
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.8.5-1.fc38.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.5
      commit: b6f80f766c9a89eb7b1440c0a70ab287434b17ed
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-12.fc38.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 8589930496
  swapTotal: 8589930496
  uptime: 0h 54m 47.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/dell/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/dell/.local/share/containers/storage
  graphRootAllocated: 254356226048
  graphRootUsed: 114808053760
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 2
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/dell/.local/share/containers/storage/volumes
version:
  APIVersion: 4.5.1
  Built: 1685123928
  BuiltTime: Sat May 27 00:58:48 2023
  GitCommit: ""
  GoVersion: go1.20.4
  Os: linux
  OsArch: linux/amd64
  Version: 4.5.1

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Fedora 38
kernel 6.3.6-200.fc38.x86_64

Additional information

 ~ podman --log-level debug start fedora-toolbox-38
INFO[0000] podman filtering at log level debug          
DEBU[0000] Called start.PersistentPreRunE(podman --log-level debug start fedora-toolbox-38) 
DEBU[0000] Using conmon: "/usr/bin/conmon"              
DEBU[0000] Initializing boltdb state at /home/dell/.local/share/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /home/dell/.local/share/containers/storage 
DEBU[0000] Using run root /run/user/1000/containers     
DEBU[0000] Using static dir /home/dell/.local/share/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp      
DEBU[0000] Using volume path /home/dell/.local/share/containers/storage/volumes 
DEBU[0000] Using transient store: false                 
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Cached value indicated that overlay is supported 
DEBU[0000] Cached value indicated that metacopy is not being used 
DEBU[0000] Cached value indicated that native-diff is usable 
DEBU[0000] backingFs=btrfs, projectQuotaSupported=false, useNativeDiff=true, usingMetacopy=false 
DEBU[0000] Initializing event backend journald          
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument 
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument 
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument 
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument 
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument 
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument 
DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument 
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument 
DEBU[0000] Using OCI runtime "/usr/bin/crun"            
INFO[0000] Setting parallel job count to 13             
DEBU[0000] Cached value indicated that idmapped mounts for overlay are not supported 
DEBU[0000] Check for idmapped mounts support            
DEBU[0000] overlay: mount_data=lowerdir=/home/dell/.local/share/containers/storage/overlay/l/YBWVW3EXAIRBD5NGAL67Y6MKKY:/home/dell/.local/share/containers/storage/overlay/l/YBWVW3EXAIRBD5NGAL67Y6MKKY/../diff1:/home/dell/.local/share/containers/storage/overlay/l/CZL2TLO6YPBTWBWZGUZETV2W3L:/home/dell/.local/share/containers/storage/overlay/l/YKRXF6BWJAYNLPX4MXWTJ6TD7K,upperdir=/home/dell/.local/share/containers/storage/overlay/a36b0ef7ba5938a951eb657d915d0ecbf69f5b520f081dccd92e7bfba59c9e48/diff,workdir=/home/dell/.local/share/containers/storage/overlay/a36b0ef7ba5938a951eb657d915d0ecbf69f5b520f081dccd92e7bfba59c9e48/work,,userxattr,context="system_u:object_r:container_file_t:s0:c1022,c1023" 
DEBU[0000] Mounted container "f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516" at "/home/dell/.local/share/containers/storage/overlay/a36b0ef7ba5938a951eb657d915d0ecbf69f5b520f081dccd92e7bfba59c9e48/merged" 
DEBU[0000] Created root filesystem for container f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516 at /home/dell/.local/share/containers/storage/overlay/a36b0ef7ba5938a951eb657d915d0ecbf69f5b520f081dccd92e7bfba59c9e48/merged 
DEBU[0000] Not modifying container f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516 /etc/passwd 
DEBU[0000] Not modifying container f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516 /etc/group 
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode subscription 
DEBU[0000] Setting Cgroups for container f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516 to user.slice:libpod:f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516 
DEBU[0000] Set root propagation to "rslave"             
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d 
DEBU[0000] Workdir "/" resolved to host path "/home/dell/.local/share/containers/storage/overlay/a36b0ef7ba5938a951eb657d915d0ecbf69f5b520f081dccd92e7bfba59c9e48/merged" 
DEBU[0000] Created OCI spec for container f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516 at /home/dell/.local/share/containers/storage/overlay-containers/f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516/userdata/config.json 
DEBU[0000] /usr/bin/conmon messages will be logged to syslog 
DEBU[0000] running conmon: /usr/bin/conmon               args="[--api-version 1 -c f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516 -u f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516 -r /usr/bin/crun -b /home/dell/.local/share/containers/storage/overlay-containers/f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516/userdata -p /run/user/1000/containers/overlay-containers/f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516/userdata/pidfile -n fedora-toolbox-38 --exit-dir /run/user/1000/libpod/tmp/exits --full-attach -s -l journald --log-level debug --syslog --conmon-pidfile /run/user/1000/containers/overlay-containers/f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/dell/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /run/user/1000/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/user/1000/libpod/tmp --exit-command-arg --network-config-dir --exit-command-arg  --exit-command-arg --network-backend --exit-command-arg netavark --exit-command-arg --volumepath --exit-command-arg /home/dell/.local/share/containers/storage/volumes --exit-command-arg --db-backend --exit-command-arg boltdb --exit-command-arg --transient-store=false --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516]"
[conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied

DEBU[0000] Received: -1                                 
DEBU[0000] Cleaning up container f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516 
DEBU[0000] Network is already cleaned up, skipping...   
DEBU[0000] Unmounted container "f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516" 
Error: unable to start container "f54547b6ff2b8dbee252a958b13d870ce7c7219bbd0255b37951befd47601516": crun: [conmon:d]: failed to write to /proc/self/oom_score_adj: Permission denied

setrlimit `RLIMIT_NPROC`: Operation not permitted: OCI permission denied
DEBU[0000] Shutting down engines   

Luap99 (Member) commented Jun 12, 2023

This is a duplicate of #18714, you need to recreate the container or change your ulimits back.

Luap99 closed this as not planned on Jun 12, 2023.
github-actions bot locked this as resolved and limited conversation to collaborators on Sep 11, 2023.
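
A check for the mismatch described in the reply above, added here as an example (not code from the issue or from Podman): it compares the `process.rlimits` and `process.oomScoreAdj` values stored in a container's OCI `config.json` (the file named in the debug log) against the caller's current limits. The sample spec and limit values are constructed, and `unsatisfiable` and `current_limits` are hypothetical helper names.

```python
import json
import resource

INF = float("inf")

def _norm(value):
    """Map both spellings of 'unlimited' (-1 in Python, 2**64-1 in OCI JSON) to inf."""
    return INF if value in (resource.RLIM_INFINITY, 2**64 - 1) else value

def current_limits():
    """Hard rlimits and oom_score_adj of the calling process (Linux only)."""
    hard = {name: _norm(resource.getrlimit(getattr(resource, name))[1])
            for name in dir(resource) if name.startswith("RLIMIT_")}
    with open("/proc/self/oom_score_adj") as f:
        return hard, int(f.read())

def unsatisfiable(spec, hard, oom_now):
    """List settings in an OCI spec that an unprivileged caller may be unable to apply."""
    problems = []
    process = spec.get("process", {})
    for rl in process.get("rlimits", []):
        have = hard.get(rl["type"])
        # Raising a hard limit without CAP_SYS_RESOURCE fails with EPERM
        # ("Operation not permitted", as in the RLIMIT_NPROC line of the log).
        if have is not None and _norm(rl["hard"]) > have:
            problems.append(f'{rl["type"]}: spec hard={rl["hard"]} > current hard={have}')
    want = process.get("oomScoreAdj")
    # Heuristic: the kernel rejects an unprivileged write below the task's allowed
    # minimum with EACCES ("Permission denied"); that minimum is not exposed, so any
    # value below the current one is reported as a possible failure.
    if want is not None and want < oom_now:
        problems.append(f"oomScoreAdj: spec={want} < current={oom_now}")
    return problems

# Constructed sample: a spec recorded under higher limits than the caller has now.
SAMPLE_SPEC = json.loads("""
{"process": {"oomScoreAdj": 0,
             "rlimits": [
               {"type": "RLIMIT_NOFILE", "hard": 524288, "soft": 524288},
               {"type": "RLIMIT_NPROC", "hard": 63459, "soft": 63459}]}}
""")
SAMPLE_HARD = {"RLIMIT_NOFILE": 524288, "RLIMIT_NPROC": 62000}

if __name__ == "__main__":
    for line in unsatisfiable(SAMPLE_SPEC, SAMPLE_HARD, oom_now=200):
        print(line)
```

On a real host, load the container's `config.json` with `json.load` and pass `*current_limits()` in place of the sample values; an empty result means the stored settings fit within the current limits.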