View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0000147 | Rocky-Linux-9 | podman | public | 2022-07-18 07:48 | 2022-08-25 19:43

Field | Value
---|---
Reporter | John Lee
Assigned To | Louis Abel
Priority | immediate
Severity | crash
Reproducibility | always
Status | closed
Resolution | fixed
Fixed in Version | 9.0
Summary | 0000147: Rocky Linux 9 Podman cannot start successfully
Description

```text
# systemctl status podman
× podman.service - Podman API Service
     Loaded: loaded (/usr/lib/systemd/system/podman.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Mon 2022-07-18 23:26:12 CST; 19s ago
TriggeredBy: ● podman.socket
       Docs: man:podman-system-service(1)
    Process: 28280 ExecStart=/usr/bin/podman $LOGGING system service (code=exited, status=125)
   Main PID: 28280 (code=exited, status=125)
        CPU: 112ms

7月 18 23:26:12 rocky-9 systemd[1]: Starting Podman API Service...
7月 18 23:26:12 rocky-9 systemd[1]: Started Podman API Service.
7月 18 23:26:12 rocky-9 podman[28280]: time="2022-07-18T23:26:12+08:00" level=info msg="/usr/bin/podman filtering at log level info"
7月 18 23:26:12 rocky-9 podman[28280]: time="2022-07-18T23:26:12+08:00" level=info msg="Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_F>
7月 18 23:26:12 rocky-9 podman[28280]: Error: error opening "/etc/cni/net.d/cni.lock": creating locker directory: mkdir /etc/cni/net.d: permission denied
7月 18 23:26:12 rocky-9 systemd[1]: podman.service: Main process exited, code=exited, status=125/n/a
7月 18 23:26:12 rocky-9 systemd[1]: podman.service: Failed with result 'exit-code'.
```
Tags | No tags attached.
Note 0000313 (Joey Stanbra, 2022-07-29 17:58)

This can also be reproduced trying to start the (root) podman socket from cockpit. Cockpit also shows the following SELinux errors:

```text
SELinux is preventing /usr/bin/podman from create access on the directory net.d.
type=AVC msg=audit(1659117378.738:143): avc: denied { create } for pid=1533 comm="podman" name="net.d" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1659117378.738:143): arch=c000003e syscall=258 success=no exit=-13 a0=ffffffffffffff9c a1=c00098f830 a2=1c0 a3=7ffde8f23080 items=0 ppid=1 pid=1533 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="podman" exe="/usr/bin/podman" subj=system_u:system_r:container_runtime_t:s0 key=(null)

SELinux is preventing /usr/bin/podman from read access on the directory journal.
type=AVC msg=audit(1659117379.226:176): avc: denied { read } for pid=1608 comm="podman" name="journal" dev="tmpfs" ino=62 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1659117379.226:176): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=c000048570 a2=80000 a3=0 items=0 ppid=1 pid=1608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="podman" exe="/usr/bin/podman" subj=system_u:system_r:container_runtime_t:s0 key=(null)

SELinux is preventing /usr/bin/podman from quotamod access on the filesystem .
type=AVC msg=audit(1659117379.251:177): avc: denied { quotamod } for pid=1608 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(1659117379.251:177): arch=c000003e syscall=179 success=no exit=-13 a0=580402 a1=7f0cdc000b90 a2=a1507877 a3=c00083dff8 items=0 ppid=1 pid=1608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="podman" exe="/usr/bin/podman" subj=system_u:system_r:container_runtime_t:s0 key=(null)
```

This breaks the functionality of cockpit from managing root containers.
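An added triage script, not part of this issue nor of podman or Rocky Linux tooling, that parses audit AVC records like the ones quoted in the note above and keeps only the denials that were actually enforced (`permissive=0`), reduced to source type, target type, object class and permission. Run over the three records above (reproduced inline as constructed sample input, together with one SYSCALL record to show that non-AVC lines are skipped), it makes visible that every denial comes from the same source domain, `container_runtime_t`, which is the domain defined by the container-selinux policy package named in the fix below.

```python
import re

# The three AVC records quoted in the note above plus one SYSCALL record,
# reproduced here as constructed sample input so the script runs offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1659117378.738:143): avc: denied { create } for pid=1533 comm="podman" name="net.d" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1659117378.738:143): arch=c000003e syscall=258 success=no exit=-13 comm="podman" exe="/usr/bin/podman"
type=AVC msg=audit(1659117379.226:176): avc: denied { read } for pid=1608 comm="podman" name="journal" dev="tmpfs" ino=62 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1659117379.251:177): avc: denied { quotamod } for pid=1608 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
"""

# AVC record header: timestamp, serial, verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: (?P<verdict>denied|granted) '
    r'\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$'
)
# key=value pairs: values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "verdict": m.group("verdict"),
           "perms": m.group("perms").split()}
    for key, quoted, bare in KV_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    return rec

def selinux_type(context):
    """Extract the type from a 'user:role:type:level' context, e.g. 'etc_t'."""
    return context.split(":")[2]

def enforced_denials(log_text):
    """Return one row per AVC denial that was actually blocked (permissive=0)."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied" or rec.get("permissive") != "0":
            continue
        rows.append({"serial": rec["serial"], "comm": rec.get("comm"), "name": rec.get("name"),
                     "source": selinux_type(rec["scontext"]), "target": selinux_type(rec["tcontext"]),
                     "tclass": rec["tclass"], "perms": rec["perms"]})
    return rows

if __name__ == "__main__":
    for r in enforced_denials(SAMPLE_AUDIT_LOG):
        print(f'{r["serial"]} {r["comm"]}: {r["source"]} -> {r["target"]} ({r["tclass"]}) {r["perms"]} name={r["name"]}')
```

On a live host the same function can be fed the output of `ausearch -m AVC` to get the same per-denial summary.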
Note 0000314 (Louis Abel, 2022-07-29 20:05)

This will be addressed in an upcoming update: container-selinux-2.179.1-1.el9_0.0.1.noarch. Mirrors will have this package likely over the weekend.
Date Modified | Username | Field | Change
---|---|---|---
2022-07-18 07:48 | John Lee | New Issue |
2022-07-29 17:58 | Joey Stanbra | Note Added: 0000313 |
2022-07-29 20:05 | Louis Abel | Assigned To | => Louis Abel
2022-07-29 20:05 | Louis Abel | Status | new => resolved
2022-07-29 20:05 | Louis Abel | Resolution | open => fixed
2022-07-29 20:05 | Louis Abel | Fixed in Version | => 9.0
2022-07-29 20:05 | Louis Abel | Note Added: 0000314 |
2022-08-25 19:43 | Louis Abel | Status | resolved => closed