cgroupsv1(?): cannot toggle freezer: cgroups not configured for container #11785

@edsantiago

Almost certainly related to #11784, but this one is rootless-only. Seen in f33. This is blocking #11776.

[+0926s] not ok 236 podman selinux: shared context in (some) namespaces
         # (from function `is' in file test/system/helpers.bash, line 508,
         #  in test file test/system/410-selinux.bats, line 126)
         #   `is "$output" "$context_c1" "new container, run with --pid of existing one "' failed
         # $ podman rm --all --force
         # $ podman ps --all --external --format {{.ID}} {{.Names}}
         # $ podman images --all --format {{.Repository}}:{{.Tag}} {{.ID}}
         # quay.io/libpod/testimage:20210610 9f9ec7f2fdef
         # $ podman run -d --name myctr quay.io/libpod/testimage:20210610 top
         # 3aa057fa598b4cfd220e66e782944b01f59c00afbc7e41a2b4374d0249fa7ad3
         # $ podman exec myctr cat -v /proc/self/attr/current
         # system_u:system_r:container_t:s0:c226,c233^@
         # $ podman run --name myctr2 --ipc container:myctr quay.io/libpod/testimage:20210610 cat -v /proc/self/attr/current
         # system_u:system_r:container_t:s0:c226,c233^@
         # $ podman run --rm --pid container:myctr quay.io/libpod/testimage:20210610 cat -v /proc/self/attr/current
         # system_u:system_r:container_t:s0:c226,c233^@time="2021-09-28T17:10:04-05:00" level=warning msg="cannot toggle freezer: cgroups not configured for container"
         # time="2021-09-28T17:10:04-05:00" level=warning msg="cannot toggle freezer: cgroups not configured for container"
         # time="2021-09-28T17:10:04-05:00" level=warning msg="lstat : no such file or directory"
         # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
         # #|     FAIL: new container, run with --pid of existing one 
         # #| expected: 'system_u:system_r:container_t:s0:c226,c233^@'
         # #|   actual: 'system_u:system_r:container_t:s0:c226,c233^@time="2021-09-28T17:10:04-05:00" level=warning msg="cannot toggle freezer: cgroups not configured for container"'
         # #|         > 'time="2021-09-28T17:10:04-05:00" level=warning msg="cannot toggle freezer: cgroups not configured for container"'
         # #|         > 'time="2021-09-28T17:10:04-05:00" level=warning msg="lstat : no such file or directory"'
         # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

As with #11784, I see hundreds of instances of this in CI logs but cannot reproduce it myself on a cgroupsv1 f33 host. While trying to reproduce it, though, I did get a different error:

$ while :;do bats --filter namespaces /usr/share/podman/test/system/410-selinux.bats || break;done
 ✗ podman selinux: shared context in (some) namespaces
   (from function `die' in file /usr/share/podman/test/system/helpers.bash, line 448,
    from function `run_podman' in file /usr/share/podman/test/system/helpers.bash, line 221,
    in test file /usr/share/podman/test/system/410-selinux.bats, line 125)
     `run_podman run --rm --pid container:myctr $IMAGE cat -v /proc/self/attr/current' failed with status 126
   $ podman rm --all --force
   $ podman ps --all --external --format {{.ID}} {{.Names}}
   $ podman images --all --format {{.Repository}}:{{.Tag}} {{.ID}}
   quay.io/libpod/testimage:20210610 9f9ec7f2fdef
   $ podman run -d --name myctr quay.io/libpod/testimage:20210610 top
   2b49db4f018fd2fa275a93d0a70efbf304bd9d7f25715b91940cc8a57081b25f
   $ podman exec myctr cat -v /proc/self/attr/current
   system_u:system_r:container_t:s0:c217,c675^@
   $ podman run --name myctr2 --ipc container:myctr quay.io/libpod/testimage:20210610 cat -v /proc/self/attr/current
   system_u:system_r:container_t:s0:c217,c675^@
   $ podman run --rm --pid container:myctr quay.io/libpod/testimage:20210610 cat -v /proc/self/attr/current
   Error: readlink: Permission denied: OCI permission denied
   [ rc=126 (** EXPECTED 0 **) ]
