podman run --uidmap: fails on cgroups v1

[edsantiago]

Anything using --uidmap is failing on cgroups v1 with runc:

# podman run --uidmap 0:10001:10002 --rm --hostname BtoukoyxkBlQPjuQDYLbVeZzC quay.io/libpod/testimage:20220615 grep BtoukoyxkBlQPjuQDYLbVeZzC /etc/hosts
Error: runc: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount /proc/self/fd/11:/sys/fs/cgroup/systemd (via /proc/self/fd/12), flags: 0x20502f: operation not permitted: OCI permission denied
[ rc=126 (** EXPECTED 0 **) ]

[giuseppe]

I've launched manually that command in a Ubuntu 2204 VM configured with cgroupv1 with:

# sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0"/' /etc/default/grub
# upgrade-grub
# reboot

and I don't see that failure:

# podman --runtime runc run --uidmap 0:10001:10002 --rm --hostname BtoukoyxkBlQPjuQDYLbVeZzC quay.io/libpod/testimage:20220615 grep BtoukoyxkBlQPjuQDYLbVeZzC /etc/hosts
10.88.0.14      BtoukoyxkBlQPjuQDYLbVeZzC nostalgic_euclid

# podman --runtime /root/runc-upstream/runc run --uidmap 0:10001:10002 --rm --hostname BtoukoyxkBlQPjuQDYLbVeZzC quay.io/libpod/testimage:20220615 grep BtoukoyxkBlQPjuQDYLbVeZzC /etc/hosts
10.88.0.15      BtoukoyxkBlQPjuQDYLbVeZzC busy_thompson

# podman --cgroup-manager cgroupfs --runtime /root/runc/runc run --uidmap 0:10001:10002 --rm --hostname BtoukoyxkBlQPjuQDYLbVeZzC quay.io/libpod/testimage:20220615 grep BtoukoyxkBlQPjuQDYLbVeZzC /etc/hosts
10.88.0.16      BtoukoyxkBlQPjuQDYLbVeZzC keen_booth

# podman --cgroup-manager cgroupfs --runtime runc run --uidmap 0:10001:10002 --rm --hostname BtoukoyxkBlQPjuQDYLbVeZzC quay.io/libpod/testimage:20220615 grep BtoukoyxkBlQPjuQDYLbVeZzC /etc/hosts
10.88.0.17      BtoukoyxkBlQPjuQDYLbVeZzC objective_fermat

same results using Podman from the main branch.

Could be something in our images or the runc version used?

@cevich could you point me to how the image was created?

[edsantiago]

There's a script called hack/get_ci_vm that (if it works) can be used to get a CI VM that you can ssh into.

What I normally do these days is, if I have a PR that fails, go to the Cirrus log page, there's a button at top right that says Re-Run, it has an option to Re-run with an in-browser ssh session. It doesn't last long, but it works well enough. You could submit a PR that comments out my Skips, then when it fails, do that magic Re-run and poke in the system.

(Or, you can see if hack/get_ci_vm will work for you.)

[giuseppe]

Thanks! That was helpful.

It is an issue in the runc version installed in the Ubuntu image.

It is already fixed upstream with d370e3c04660201e72ba6968342ce964c31a2d7f