
Extend sysbox to allow podman's rootful containers to run within sys-containers #100

Open
rodnymolina opened this issue Oct 22, 2020 · 4 comments
Labels: enhancement (New feature or request)

Comments

@rodnymolina (Member)

The goal here is to allow Sysbox to run podman inside a system container. Refer to this podman issue for details about the use-case.

After analyzing the issue and making a few adjustments to sysbox, I'm now running into this one:

rmolina@dev-vm1:~$ docker run -it --rm --device=/dev/fuse --runtime=sysbox-runc quay.io/podman/stable bash
[root@c9f908a8ef7a /]#

[root@c9f908a8ef7a /]# podman run hello-world
Trying to pull registry.fedoraproject.org/hello-world...
  manifest unknown: manifest unknown
Trying to pull registry.access.redhat.com/hello-world...
  name unknown: Repo not found
Trying to pull registry.centos.org/hello-world...
  manifest unknown: manifest unknown
Trying to pull docker.io/library/hello-world...
Getting image source signatures
Copying blob 0e03bdcc26d7 [--------------------------------------] 0.0b / 0.0b
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures
Error: openat2 `proc`: Operation not permitted: OCI runtime permission denied error
[root@c9f908a8ef7a /]#

<-- Strace output below -- note that syscall 0x1b5 == 437 == openat2() ...

[pid 2968594] 16:46:16 syscall_0x1b5(0x6, 0x55f30681c180, 0x7ffdc8e34730, 0x18, 0, 0x28000000000000) = -1 EPERM (Operation not permitted) <0.000006>
[pid 2968594] 16:46:16 close(6)         = 0 <0.000007>
[pid 2968594] 16:46:16 write(7, "\1\0\0\0\1\0\0\0openat2 `proc`\0", 23) = 23 <0.000018>
[pid 2968594] 16:46:16 exit_group(1 <unfinished ...>

Looks like a seccomp issue preventing openat2() execution. The fix may need to extend libseccomp as openat2() doesn't seem to be supported (at least not in our private version). If that's the case, and we see nothing else, I believe the fix for this one should be an easy one.

/cc @felipecrs @rhatdan @giuseppe

@giuseppe

Yes, I agree the fix should be in the seccomp profile to allow openat2. Alternatively we could tweak crun to attempt the fallback code anytime openat2 fails, even with EPERM.
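The fallback giuseppe describes (treat EPERM from openat2 like ENOSYS and take the openat path), as an added C illustration that is not crun's or sysbox's code: openat2_probe() tells "kernel lacks openat2" (ENOSYS) apart from "seccomp blocks it" (EPERM, the error in the trace above), and open_with_fallback() opens via openat2 and only degrades to openat on those two errors. The function names, the local struct mirror and the RESOLVE constant are assumptions made here rather than taken from kernel headers.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <unistd.h>

/* openat2() is syscall 437 (0x1b5) on every architecture, the number seen in the strace. */
#ifndef __NR_openat2
#define __NR_openat2 437
#endif

/* Local mirror of struct open_how from <linux/openat2.h>; sizeof == 24 == the 0x18 in the trace. */
struct open_how_compat { uint64_t flags; uint64_t mode; uint64_t resolve; };
#define RESOLVE_NO_SYMLINKS_COMPAT 0x04ULL   /* same value as the kernel's RESOLVE_NO_SYMLINKS */

/* Returns 0 if openat2 works, ENOSYS if the kernel lacks it, EPERM if a seccomp profile blocks it. */
int openat2_probe(void)
{
    struct open_how_compat how = { .flags = O_RDONLY | O_DIRECTORY, .mode = 0, .resolve = 0 };
    int fd = (int)syscall(__NR_openat2, AT_FDCWD, "/", &how, sizeof how);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Open with openat2(); on ENOSYS *or* EPERM (a seccomp profile without openat2, as in this
 * issue) fall back to plain openat(). *fell_back lets the caller log that the weaker path
 * was taken. Any other error (e.g. ENOENT) is returned as-is, since openat2 did run. */
int open_with_fallback(int dirfd, const char *path, int flags, uint64_t resolve, int *fell_back)
{
    struct open_how_compat how = { .flags = (uint64_t)(unsigned)flags, .mode = 0, .resolve = resolve };
    int fd = (int)syscall(__NR_openat2, dirfd, path, &how, sizeof how);
    *fell_back = 0;
    if (fd >= 0 || (errno != ENOSYS && errno != EPERM))
        return fd;
    *fell_back = 1;
    /* Caveat: O_NOFOLLOW only guards the final path component, whereas RESOLVE_NO_SYMLINKS
     * rejects a symlink anywhere in the path; the fallback is strictly weaker. */
    if (resolve & RESOLVE_NO_SYMLINKS_COMPAT)
        flags |= O_NOFOLLOW;
    return openat(dirfd, path, flags);
}
```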

@ctalledo ctalledo added this to the v0.4 milestone Feb 24, 2021
@XVilka commented Sep 21, 2022

I believe the fix for this one should be an easy one.

Hi, have there been any updates on this issue since?

@rodnymolina (Member, Author)

@XVilka, unfortunately, no, we haven't prioritized this one yet. If you don't mind, can you please explain the use-case that you have in mind and why podman is a must-have for you (instead of docker within sysbox containers)? Thanks.

@XVilka commented Sep 26, 2022

@rodnymolina sorry for the late answer. In RedHat distributions podman is more common than Docker (and often a default choice), thus allowing integration with Podman makes running such containers much easier.
