View Issue Details

ID: 0000147
Project: Rocky-Linux-9
Category: podman
View Status: public
Last Update: 2022-08-25 19:43
Reporter: John Lee
Assigned To: Louis Abel
Priority: immediate
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 9.0
Summary: 0000147: Rocky Linux 9 Podman fails to start
Description:
# systemctl status podman
× podman.service - Podman API Service
     Loaded: loaded (/usr/lib/systemd/system/podman.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Mon 2022-07-18 23:26:12 CST; 19s ago
TriggeredBy: ● podman.socket
       Docs: man:podman-system-service(1)
    Process: 28280 ExecStart=/usr/bin/podman $LOGGING system service (code=exited, status=125)
   Main PID: 28280 (code=exited, status=125)
        CPU: 112ms

7月 18 23:26:12 rocky-9 systemd[1]: Starting Podman API Service...
7月 18 23:26:12 rocky-9 systemd[1]: Started Podman API Service.
7月 18 23:26:12 rocky-9 podman[28280]: time="2022-07-18T23:26:12+08:00" level=info msg="/usr/bin/podman filtering at log level info"
7月 18 23:26:12 rocky-9 podman[28280]: time="2022-07-18T23:26:12+08:00" level=info msg="Not using native diff for overlay, this may cause degraded performance for building images: kernel has CONFIG_OVERLAY_F>
7月 18 23:26:12 rocky-9 podman[28280]: Error: error opening "/etc/cni/net.d/cni.lock": creating locker directory: mkdir /etc/cni/net.d: permission denied
7月 18 23:26:12 rocky-9 systemd[1]: podman.service: Main process exited, code=exited, status=125/n/a
7月 18 23:26:12 rocky-9 systemd[1]: podman.service: Failed with result 'exit-code'.
Tags: No tags attached.

Activities

Joey Stanbra

2022-07-29 17:58

reporter   ~0000313

This can also be reproduced by trying to start the (root) podman socket from cockpit.
Cockpit also shows the following SELinux errors:

SELinux is preventing /usr/bin/podman from create access on the directory net.d.
type=AVC msg=audit(1659117378.738:143): avc: denied { create } for pid=1533 comm="podman" name="net.d" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1659117378.738:143): arch=c000003e syscall=258 success=no exit=-13 a0=ffffffffffffff9c a1=c00098f830 a2=1c0 a3=7ffde8f23080 items=0 ppid=1 pid=1533 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="podman" exe="/usr/bin/podman" subj=system_u:system_r:container_runtime_t:s0 key=(null)

SELinux is preventing /usr/bin/podman from read access on the directory journal.
type=AVC msg=audit(1659117379.226:176): avc: denied { read } for pid=1608 comm="podman" name="journal" dev="tmpfs" ino=62 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1659117379.226:176): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=c000048570 a2=80000 a3=0 items=0 ppid=1 pid=1608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="podman" exe="/usr/bin/podman" subj=system_u:system_r:container_runtime_t:s0 key=(null)

SELinux is preventing /usr/bin/podman from quotamod access on the filesystem .
type=AVC msg=audit(1659117379.251:177): avc: denied { quotamod } for pid=1608 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(1659117379.251:177): arch=c000003e syscall=179 success=no exit=-13 a0=580402 a1=7f0cdc000b90 a2=a1507877 a3=c00083dff8 items=0 ppid=1 pid=1608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="podman" exe="/usr/bin/podman" subj=system_u:system_r:container_runtime_t:s0 key=(null)

This breaks cockpit's ability to manage root containers.
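As an added example (not part of the bug report), a small Python triage helper that parses AVC audit records like the three quoted in this note and reduces each denial to its source domain, target type, object class and permission set, which is the information needed to confirm that a policy update such as the one Louis mentions below actually covers every denial. The sample input is the three records from this note, embedded as constructed test data.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three AVC records quoted in the bug report above.
AVC_LINES = """\
type=AVC msg=audit(1659117378.738:143): avc: denied { create } for pid=1533 comm="podman" name="net.d" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1659117379.226:176): avc: denied { read } for pid=1608 comm="podman" name="journal" dev="tmpfs" ino=62 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1659117379.251:177): avc: denied { quotamod } for pid=1608 comm="podman" scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)'
    r'\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

@dataclass(frozen=True)
class AvcRecord:
    serial: int
    result: str
    perms: tuple
    comm: str
    source_type: str
    target_type: str
    tclass: str
    permissive: bool

    def policy_rule(self):
        # The allow rule this denial corresponds to; useful for checking whether a
        # vendor policy update (e.g. a new container-selinux) covers the denial.
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {{ {' '.join(self.perms)} }};"

def parse_avc(line):
    """Parse one type=AVC audit line; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type:level; the type is the third component.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return AvcRecord(int(m.group('serial')), m.group('result'), tuple(m.group('perms').split()),
                     fields.get('comm', ''), stype, ttype, fields['tclass'],
                     fields.get('permissive') == '1')

def summarize(log_text):
    """Return all AVC records plus denied permissions grouped by (source, target, class)."""
    records = [r for r in (parse_avc(l) for l in log_text.splitlines()) if r]
    needed = {}
    for r in records:
        if r.result == 'denied':
            needed.setdefault((r.source_type, r.target_type, r.tclass), set()).update(r.perms)
    return records, needed
```

Feed it the output of `ausearch -m AVC` on an affected host to see which (domain, type, class) triples are still being denied after the package update lands.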
Louis Abel

2022-07-29 20:05

administrator   ~0000314

This will be addressed in an upcoming update: container-selinux-2.179.1-1.el9_0.0.1.noarch

Mirrors will have this package likely over the weekend.

Issue History

Date Modified Username Field Change
2022-07-18 07:48 John Lee New Issue
2022-07-29 17:58 Joey Stanbra Note Added: 0000313
2022-07-29 20:05 Louis Abel Assigned To => Louis Abel
2022-07-29 20:05 Louis Abel Status new => resolved
2022-07-29 20:05 Louis Abel Resolution open => fixed
2022-07-29 20:05 Louis Abel Fixed in Version => 9.0
2022-07-29 20:05 Louis Abel Note Added: 0000314
2022-08-25 19:43 Louis Abel Status resolved => closed