On 1/5/21 05:58, Jan Hutař wrote:
Thank you! Works exactly as you wrote down:

$ sudo podman info | grep -e cgroup -e crun
cgroupManager: systemd
cgroupVersion: v2
name: crun
package: crun-0.16-3.fc33.x86_64
path: /usr/bin/crun
crun version 0.16
$ sudo podman run -ti -p 22 --privileged=true localhost/rhel7-ubi-init-smallest
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[!!!!!!] Failed to mount API filesystems, freezing.
$ sudo mkdir /sys/fs/cgroup/systemd
$ sudo mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
$ sudo podman run --annotation run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup -ti -p 22 --privileged=true localhost/rhel7-ubi-init-smallest

Thank you a lot,
Jan

Any reason you are stuck with RHEL7?

On 2021-01-05 09:52 +0100, Giuseppe Scrivano wrote:
> Hi Jan,
>
> are you using cgroup v2 on your host? podman info can confirm that.
>
> If so, the ubi7 image uses a systemd version that has no support for
> cgroup v2.
>
> What you can do is:
>
> 1) use cgroup v1 on the host
> 2) use ubi:8 for the container
> 3) if you are using crun, you can mount cgroup v1 in the container:
>
> # mkdir /sys/fs/cgroup/systemd
> # mount none -t cgroup -o none,name=systemd /sys/fs/cgroup/systemd
> # podman run --annotation run.oci.systemd.force_cgroup_v1=/sys/fs/cgroup ....
>
> Giuseppe
>
>
>
> Jan Hutař <jhutar(a)redhat.com> writes:
>
>> Hello!
>>
>> I have an issue with running "ubi7-init" based container. When I base my
>> container on "fedora", it works fine:
>>
>> $ cat Containerfile
>> FROM fedora
>> RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
>> EXPOSE 80
>> CMD [ "/sbin/init" ]
>>
>> and then:
>>
>> $ sudo podman build -f Containerfile
>> $ sudo podman run -ti -p 80:80 20185593d0f96c4dee56e351eae4754cdd429679c1b645dae1b6f24880ce33fc
>> systemd v246.6-3.fc33 running in system mode. (+PAM +AUDIT
>> +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT
>> +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN
>> +PCRE2 default-hierarchy=unified)
>> [...]
>> [ OK ] Started The Apache HTTP Server.
>> [...]
>>
>> But when I try the same with ubi7-init based container (or rhel7-init):
>>
>> $ cat Containerfile
>> FROM registry.access.redhat.com/ubi7/ubi-init
>> RUN echo -e "[repo1]\nname=repo1\nbaseurl=http://repos.example.com/RHEL-7/7.9/Server/x86_64/os/\ngpgcheck=0\nenabled=1" > /etc/yum.repos.d/repo1.repo; yum -y install httpd; yum clean all; systemctl enable httpd
>> EXPOSE 80
>> CMD [ "/sbin/init" ]
>>
>> it fails:
>>
>> $ sudo podman run -ti -p 80:80 d872b16b8d0f9718c60420e3569cb4d5ddd16053fb72903e70d7b62ba3f34964
>> Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
>> [!!!!!!] Failed to mount API filesystems, freezing.
>>
>> And same with privileged:
>>
>> $ sudo podman run -ti -p 80:80 --privileged=true d872b16b8d0f9718c60420e3569cb4d5ddd16053fb72903e70d7b62ba3f34964
>> Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
>> [!!!!!!] Failed to mount API filesystems, freezing.
>>
>> I have these versions:
>>
>> $ rpm -q fedora-release-common podman
>> fedora-release-common-33-3.noarch
>> podman-2.2.1-1.fc33.x86_64
>> $ sudo podman version
>> Version: 2.2.1
>> API Version: 2.1.0
>> Go Version: go1.15.5
>> Built: Tue Dec 8 15:37:50 2020
>> OS/Arch: linux/amd64
>>
>> Running very similar container on RHEL7 with docker-1.10.3-59.el7.x86_64
>> (there is 1.13.1 available, but have not tried) works fine.
>>
>> Please, any idea on what I'm doing wrong?
>>
>> Thank you in advance and happy new year!
>>
>> Regards,
>> Jan
>
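
A preflight check for the third workaround discussed in this thread, added here as an example; it is not code from the thread, podman or crun. It reports whether the host is on cgroup v2 and whether the `name=systemd` cgroup v1 hierarchy is already mounted before a cgroup-v1-only systemd image is started. The function names (`cgroup_mode`, `has_named_systemd`, `preflight`) are hypothetical, and the paths are parameters so the logic can be exercised against constructed fixtures instead of the live host.

```shell
#!/bin/sh
# Added example: preflight for running a cgroup-v1-only systemd image
# (such as ubi7-init) on a host that may be using cgroup v2.

# Print "v2" if the given cgroup root is a unified (cgroup v2) hierarchy,
# else "v1". cgroup.controllers exists only at the root of a cgroup v2 mount.
cgroup_mode() {
    root=${1:-/sys/fs/cgroup}
    if [ -f "$root/cgroup.controllers" ]; then echo v2; else echo v1; fi
}

# Succeed if a mounts file (same format as /proc/mounts) lists a cgroup v1
# filesystem mounted at the target path with the name=systemd option.
has_named_systemd() {
    mounts=${1:-/proc/mounts}
    target=${2:-/sys/fs/cgroup/systemd}
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = cgroup ] && [ "$mnt" = "$target" ] || continue
        case ",$opts," in *,name=systemd,*) return 0 ;; esac
    done < "$mounts"
    return 1
}

# Print which step from the thread still has to be done.
preflight() {
    root=${1:-/sys/fs/cgroup}; mounts=${2:-/proc/mounts}
    if [ "$(cgroup_mode "$root")" = v1 ]; then
        echo "host-v1: no workaround needed"
    elif has_named_systemd "$mounts" "$root/systemd"; then
        echo "ready: podman run --annotation run.oci.systemd.force_cgroup_v1=$root ..."
    else
        echo "missing: mkdir $root/systemd && mount none -t cgroup -o none,name=systemd $root/systemd"
    fi
}

# Check the live host only when invoked as: sh preflight.sh run
if [ "${1:-}" = run ]; then preflight; fi
```

The manual mount does not survive a reboot, so the check is worth running before each container start on a cgroup v2 host.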