rootless podman with systemd doesn't work in jenkins

[CendioOssman]

/kind bug

Description

We're trying to to get a container running under Jenkins in rootless mode and are failing miserably. This container needs to have systemd running, but it fails to start properly for unknown reasons. This is a simple test build that fails (based on #8965):

podman run --detach --rm --privileged --name test --systemd=true ubi8/ubi-init /sbin/init
podman exec test systemctl status || true
podman stop test

Describe the results you received:

+ podman run --detach --rm --privileged --name test --systemd=true ubi8/ubi-init /sbin/init
e81859143131d2a96121ed521b42dcb8363b85a5885226f7cb58d80f356bb7e2
+ podman exec test systemctl status
Failed to connect to bus: No such file or directory
+ true
+ podman stop test
e81859143131d2a96121ed521b42dcb8363b85a5885226f7cb58d80f356bb7e2

Describe the results you expected:

+ podman run --detach --rm --privileged --name test --systemd=true ubi8/ubi-init /sbin/init
e81859143131d2a96121ed521b42dcb8363b85a5885226f7cb58d80f356bb7e2
+ podman exec test systemctl status
● 180db4886d56
    State: degraded
     Jobs: 0 queued
   Failed: 1 units
    Since: Wed 2021-02-17 12:44:51 UTC; 9s ago
   CGroup: /
           ├─init.scope
           │ ├─ 1 /sbin/init
           │ └─23 systemctl status
           └─system.slice
             ├─systemd-journald.service
             │ └─10 /usr/lib/systemd/systemd-journald
             └─dbus.service
               └─21 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
+ true
+ podman stop test
e81859143131d2a96121ed521b42dcb8363b85a5885226f7cb58d80f356bb7e2

Additional information you deem important (e.g. issue happens only occasionally):

This is on a RHEL 8 system. It's been reconfigured to use cgroups v2 and we've made sure that subuid/subgid are configured for the jenkins user. Jenkins is also configured to run as unconfined_t to avoid SELinux issues.

Running those same commands as a root works fine. As does running them as a different user. Both accessed using ssh.

Using sudo podman in jenkins solves the issue, but we'd rather avoid that if we don't need root privileges.

#7417 might be related, but I don't understand the details enough to say for sure.

Output of podman version:

Version:      2.2.1
API Version:  2
Go Version:   go1.14.7
Built:        Mon Feb  8 22:19:06 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.18.0
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.22-3.module+el8.3.1+9857+68fb1526.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.22, commit: a40e3092dbe499ea1d85ab339caea023b74829b9'
  cpus: 8
  distribution:
    distribution: '"rhel"'
    version: "8.3"
  eventLogger: file
  hostname: build.lkpg.cendio.se
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 980
      size: 1
    - container_id: 1
      host_id: 10000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 984
      size: 1
    - container_id: 1
      host_id: 10000
      size: 65536
  kernel: 4.18.0-240.15.1.el8_3.x86_64
  linkmode: dynamic
  memFree: 3942256640
  memTotal: 8145571840
  ociRuntime:
    name: crun
    package: crun-0.16-2.module+el8.3.1+9857+68fb1526.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.16
      commit: eb0145e5ad4d8207e84a327248af76663d4e50dd
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /tmp/podman-run-984/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /bin/slirp4netns
    package: slirp4netns-1.1.8-1.module+el8.3.1+9857+68fb1526.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.4.3
  swapFree: 0
  swapTotal: 0
  uptime: 1h 10m 15.64s (Approximately 0.04 days)
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /var/lib/jenkins/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /bin/fuse-overlayfs
      Package: fuse-overlayfs-1.3.0-2.module+el8.3.1+9857+68fb1526.x86_64
      Version: |-
        fusermount3 version: 3.2.1
        fuse-overlayfs: version 1.3
        FUSE library version 3.2.1
        using FUSE kernel interface version 7.26
  graphRoot: /var/lib/jenkins/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 8
  runRoot: /tmp/run-984/containers
  volumePath: /var/lib/jenkins/.local/share/containers/storage/volumes
version:
  APIVersion: "2"
  Built: 1612819146
  BuiltTime: Mon Feb  8 22:19:06 2021
  GitCommit: ""
  GoVersion: go1.14.7
  OsArch: linux/amd64
  Version: 2.2.1

Package info (e.g. output of rpm -q podman or apt list podman):

podman-2.2.1-7.module+el8.3.1+9857+68fb1526.x86_64
crun-0.16-2.module+el8.3.1+9857+68fb1526.x86_64
runc-1.0.0-70.rc92.module+el8.3.1+9857+68fb1526.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

We have not tested with a newer version, no. The troubleshooting guide didn't seem to have anything relevant to our case.

Additional environment details (AWS, VirtualBox, physical, etc.):

Virtual machine on a vSphere environment.

[rhatdan]

I think you got to make sure dbus is running.

[CendioOssman]

In the container? I would assume that's the responsibility of systemd to start?

[mheon]

Can you do a podman logs on the container and see if there are any errors? You may also want to try --systemd=always instead of --systemd=true.

[CendioOssman]

I think you got to make sure dbus is running.

Or did you perhaps mean for the user on the host? You seem to be on to something there.

If I switch to the jenkins user using machinectl shell [email protected] /bin/bash --login, then things start working.

And to be clear, things start working for the jenkins service, not just for the shell I got from machinectl.

So on that note, loginctl enable-linger jenkins also seems to be sufficient to get things running.

Besides things working, I also see the output from podman info --debug changing to:

  cgroupManager: systemd

So it seems I have a fix. :)

However is it possible to make this less surprising? And perhaps automatic? I.e. could podman trigger systemd to set up what it is podman needs?

[CendioOssman]

Can you do a podman logs on the container and see if there are any errors? You may also want to try --systemd=always instead of --systemd=true.

No change as far as I can tell. And no output from podman logs:

+ podman run --detach --rm --privileged --name test --systemd=always ubi8/ubi-init /sbin/init
9415f33fd36561146786d3190ec653132596414111b17a3c0267c5bf0c8c7c33
+ podman exec test systemctl status
Failed to connect to bus: No such file or directory
+ true
+ podman logs test
+ podman stop test
9415f33fd36561146786d3190ec653132596414111b17a3c0267c5bf0c8c7c33

[mheon]

Can you try running the systemd container attached, instead of detached, and see if there's any output? Podman itself seems to be working fine here, so without getting error messages out of systemd in the container it will be very difficult to debug this.

[rhatdan]

The systemd flags are not needed. Podman will figure this out itself. Podman really knows nothing about what is hapening inside of the continer other then it's entrypoint is init so it sets itself up for systemd. If systemd needs special settings to run the dbus daemon then this should be built into the ubi8-init image. The image is in charge of defining how to start an apllication.

[mheon]

@rhatdan I strongly suspect that the issue here is that systemd is not starting correctly in the container, and not anything directly related to dbus.

[rhatdan]

Even if this is the case, there is nothing that can be done to make systemd start correctly from a POdman point of view, that we know about. But most likely there is something that can be done in the image, to ensure that the dbus gets started or reports an error why it did not start.

[CendioOssman]

Can you try running the systemd container attached, instead of detached, and see if there's any output? Podman itself seems to be working fine here, so without getting error messages out of systemd in the container it will be very difficult to debug this.

I don't seem to be getting any output when I do that. Perhaps some flags are needed to get logging on stdout/stderr from systemd?

Even if this is the case, there is nothing that can be done to make systemd start correctly from a POdman point of view, that we know about. But most likely there is something that can be done in the image, to ensure that the dbus gets started or reports an error why it did not start.

I see the same issue with a centos8 image, but that might be almost identical to the ubi8 one.

Given the change in output of cgroupManager I'm not sure that this is just an image issue. Couldn't it be that podman is failing to provide the cgroup functionality that the image needs to function correctly?

[CendioOssman]

After a reboot I'm instead getting this for some reason:

+ podman run --rm --name autotests --detach --privileged autotests
Error: OCI runtime error: the requested cgroup controller `pids` is not available

So definitely not a problem with the image here as I don't get as far as starting it.

I have not had time to debug things further. Should I open a new issue for this?

[rhatdan]

This looks like the pids cgroup is not enabled?

[CendioOssman]

I'm afraid I'm not familiar enough with cgroups to know what that means. :/

Is it a bug? Misconfiguration? If so, where? podman? systemd? kernel?

I'll try to debug this during the day, but any hints are much welcome.

[rhatdan]

Systemd setup, I think. @giuseppe WDYT?

[giuseppe]

I think the issue is that we are setting the default pids limit even with cgroupfs and the rootless user has no way to configure cgroupfs

[CendioOssman]

The output from podman info --debug is identical between the working and broken case, except for free memory and uptime.

I also got it worked randomly again, but I'm failing to pinpoint exactly exactly what gets things going. Perhaps it's some background job and that's why I can't make sense of it...

[CendioOssman]

I also seem to see some difference in /sys/fs/cgroup. This is the diff between working and broken for the jenkins user's slice:

@@ -837,844 +878,1744 @@
 /sys/fs/cgroup/user.slice/cgroup.threads
 /sys/fs/cgroup/user.slice/user-984.slice
 /sys/fs/cgroup/user.slice/user-984.slice/cgroup.events
+/sys/fs/cgroup/user.slice/user-984.slice/memory.events
 /sys/fs/cgroup/user.slice/user-984.slice/io.pressure
 /sys/fs/cgroup/user.slice/user-984.slice/cgroup.procs
+/sys/fs/cgroup/user.slice/user-984.slice/memory.swap.current
+/sys/fs/cgroup/user.slice/user-984.slice/memory.swap.max
+/sys/fs/cgroup/user.slice/user-984.slice/memory.swap.events
 /sys/fs/cgroup/user.slice/user-984.slice/cgroup.max.descendants
 /sys/fs/cgroup/user.slice/user-984.slice/cpu.stat
 /sys/fs/cgroup/user.slice/user-984.slice/memory.pressure
+/sys/fs/cgroup/user.slice/user-984.slice/memory.current
+/sys/fs/cgroup/user.slice/user-984.slice/pids.current
+/sys/fs/cgroup/user.slice/user-984.slice/memory.stat
+/sys/fs/cgroup/user.slice/user-984.slice/pids.events
+/sys/fs/cgroup/user.slice/user-984.slice/memory.low
 /sys/fs/cgroup/user.slice/user-984.slice/cpu.pressure
 /sys/fs/cgroup/user.slice/user-984.slice/cgroup.type
 /sys/fs/cgroup/user.slice/user-984.slice/cgroup.stat
 /sys/fs/cgroup/user.slice/user-984.slice/cgroup.threads
 /sys/fs/cgroup/user.slice/user-984.slice/cgroup.freeze
+/sys/fs/cgroup/user.slice/user-984.slice/memory.min

[omenos]

I am also running into this situation in a rootless mode on RHEL 8.3. I haven't been on my desktop since Dec 1, and I just upgraded it to the latest 8.3 packages and I can no longer run any container on my system via rootless. I had tried renaming my user's libpod.conf to containers.conf after getting a deprecation notice, and then ultimately replaced it with /usr/share/containers/containers.conf, setting the default runtime to "crun". I have CGroupsV2 enabled on my workstation with systemd.unified_cgroup_hierarchy=1. I have also tried replacing the storage.conf with /etc/containers/storage.conf and modifying it as needed for crun, but no dice on that either. Neither "systemd" or "cgroupfs" had any effect in containers.conf.

$ podman run --rm -it registry.redhat.io/ubi8/ubi:latest
Error: OCI runtime error: the requested cgroup controller `pids` is not available

podman version

Version:      2.2.1
API Version:  2
Go Version:   go1.14.7
Built:        Mon Feb  8 16:19:06 2021
OS/Arch:      linux/amd64

podman info --debug

host:
  arch: amd64
  buildahVersion: 1.18.0
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.0.22-3.module+el8.3.1+9857+68fb1526.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.22, commit: a40e3092dbe499ea1d85ab339caea023b74829b9'
  cpus: 12
  distribution:
    distribution: '"rhel"'
    version: "8.3"
  eventLogger: file
  hostname: workstation.omenos.local
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 4.18.0-240.15.1.el8_3.x86_64
  linkmode: dynamic
  memFree: 14667104256
  memTotal: 33434611712
  ociRuntime:
    name: crun
    package: crun-0.16-2.module+el8.3.1+9857+68fb1526.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.16
      commit: eb0145e5ad4d8207e84a327248af76663d4e50dd
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  rootless: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.8-1.module+el8.3.1+9857+68fb1526.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.3.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.4.3
  swapFree: 16894652416
  swapTotal: 16894652416
  uptime: 1h 36m 51.14s (Approximately 0.04 days)
registries:
  search:
  - registry.redhat.io
  - registry.access.redhat.com
  - registry.fedoraproject.org
  - registry.centos.org
  - docker.io
store:
  configFile: /home/omenos/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.3.0-2.module+el8.3.1+9857+68fb1526.x86_64
      Version: |-
        fusermount3 version: 3.2.1
        fuse-overlayfs: version 1.3
        FUSE library version 3.2.1
        using FUSE kernel interface version 7.26
  graphRoot: /home/omenos/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /run/user/1000
  volumePath: /home/omenos/.local/share/containers/storage/volumes
version:
  APIVersion: "2"
  Built: 1612819146
  BuiltTime: Mon Feb  8 16:19:06 2021
  GitCommit: ""
  GoVersion: go1.14.7
  OsArch: linux/amd64
  Version: 2.2.1

~/.config/containers/storage.conf

[storage]
  driver = "overlay"
  runroot = "/run/user/1000"
  graphroot = "/home/omenos/.local/share/containers/storage"
  [storage.options]
    size = ""
    remap-uids = ""
    remap-gids = ""
    remap-user = ""
    remap-group = ""
    ostree_repo = ""
    skip_mount_home = ""
    mount_program = "/usr/bin/fuse-overlayfs"
    mountopt = ""
    [storage.options.thinpool]
      autoextend_percent = ""
      autoextend_threshold = ""
      basesize = ""
      blocksize = ""
      directlvm_device = ""
      directlvm_device_force = ""
      fs = ""
      log_level = ""
      min_free_space = ""
      mkfsarg = ""
      mountopt = ""
      use_deferred_deletion = ""
      use_deferred_removal = ""
      xfs_nospace_max_retries = ""

[CendioOssman]

@giuseppe, @rhatdan, any suggestions? I'm not having any luck figuring out what gets things going so I could use some suggestions. Running podman as root works fine, but rootless remains broken.

[omenos]

@CendioOssman I think we may need to file a bug against RHEL in Bugzilla. I just reverted to CGroupsV1 on my workstation and rootless containers work just fine again, at least in basic testing.

There's this[0], but I'm not sure if it's exactly related. Podman 3.x will be in RHEL 8.4 due out around Summit, so maybe holding back on cgv2 unti then is the best choice.

[CendioOssman]

Running systemd in a rootless container doesn't seem to work with cgroups v1, so that's not really an option unfortunately.

I see you've filed this bug with Red Hat, but I'm also finding this. So dup?

[giuseppe]

there is currently a systemd issue on RHEL 8.3 when running on cgroup v2 that prevents controllers to be delegated to unprivileged users. This is being worked on as we speak.

In the meanwhile you can try to workaround the issue by removing the pids limit in the containers.conf file. It won't make the containers less safe than when running on cgroup v1 (since cgroups are never used there for rootless users).

[CendioOssman]

But it is less safe when running cgroup v2? Or the workaround won't work?

[giuseppe]

having a pids limit is surely better as it avoids that a container can create too many processes, so at the moment it is either using cgroup v1 or cgroup v2 without the pids cgroup configured

[CendioOssman]

Great, thanks!

So with that I seem to have the workarounds needed. To summarize, for those finding this issue later, what you need to do is:

1. sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=1"
2. reboot
3. sudo systemctl enable-linger jenkins
4. configure pids_limit=0 under [containers] in /etc/containers/containers.conf (until https://bugzilla.redhat.com/show_bug.cgi?id=1897579 is fixed)

[omenos]

@CendioOssman that's a good point, I wasn't thinking about systemd in a container. As for the ticket, there were a few regarding rootless but they seemed to be reporting different errors. I may have just missed that one pointing out what was going on. I'll link mine to that one and close it.

And I can confirm on my side that workaround works just fine, back to cgroupsv2 we go! Thanks @giuseppe

[rhatdan]

Once you go cgroups V2, you never go back.

[jonz-secops]

@CendioOssman as I do not have a containers.conf in /etc/containers would I be okay to cp the file from /usr/share/containers

I need to try adding the pids modification you have, with the first 3 steps, it's not enough to get it working.

[jonz-secops]

@CendioOssman as I do not have a containers.conf in /etc/containers would I be okay to cp the file from /usr/share/containers

I need to try adding the pids modification you have, with the first 3 steps, it's not enough to get it working.

I was able to use the containers.conf and copy the commented pids_limit config line into pids_limit = 0 and all was good, thanks!