On 4/28/21 16:46, lejeczek via Podman wrote:
> On 28/04/2021 19:56, Daniel Walsh wrote:
>> On 4/28/21 11:02, lejeczek via Podman wrote:
>>> Hi guys
>>>
>>> I'm trying a popular image, perhaps very popular (not sure if with
>>> podman consumers though) off which a rootful container produces no
>>> logs.
>>> I've tried podman versions 2.0 & 3.1, with the same results.
>>> Adding debug to:
>>>
>>> -> $ podman container restart cni-net.disc --log-level=debug
>>> ...
>>> INFO[0000] Running conmon under slice machine-libpod_pod_6ef5202d6954f3616a530f188954465e27ff4730dfad32b68d9467c26e789d18.slice and unitName libpod-conmon-7b001c9305379c7279791e9addf01a716188b42c2c7d52b54deea0ca7461be97.scope
>>>
>>> DEBU[0000] Received: 310116
>>> INFO[0000] Got Conmon PID as 310113
>>> DEBU[0000] Created container 7b001c9305379c7279791e9addf01a716188b42c2c7d52b54deea0ca7461be97 in OCI runtime
>>> DEBU[0000] Starting container 7b001c9305379c7279791e9addf01a716188b42c2c7d52b54deea0ca7461be97 with command [/bin/bash]
>>> DEBU[0000] Started container 7b001c9305379c7279791e9addf01a716188b42c2c7d52b54deea0ca7461be97
>>> 7b001c9305379c7279791e9addf01a716188b42c2c7d52b54deea0ca7461be97
>>> DEBU[0000] Called restart.PersistentPostRunE(podman container restart cni-net.discourse --log-level=debug)
>>>
>>> does not reveal much as you can see.
>>> I can:
>>> -> $ podman exec -it cni-net.disc sh
>>> and shell is available.
>>>
>>> How to troubleshoot issues like this?
>>> many thanks, L.
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>>
>> I would first attempt it --privileged and see if it works. If it
>> does, then we got to find out what security mechanism is blocking it.
>>
> '--privileged' gets me back to what I inquired about and filed a
> bugzilla for earlier - CAP_PERFMON
> I wonder, is a 'proper' fix going to appear on the horizon?
If --privileged works, now I would try each of the following separately.
--security-opt label=disable
--security-opt seccomp=unconfined
--cap-add all
Which would tell you whether SELinux, seccomp, or capabilities is blocking it.
If it is capabilities, then we can start playing with which capability
is needed.
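The bisection Dan describes above, as an added example script that is not part of the thread or of the Podman project: it runs the image with each relaxation in turn and reports the first one that makes log output appear, so the diagnosis ends with a single named mechanism rather than a permanently privileged container. The image name, the "logs appeared within a few seconds" criterion, and the PODMAN and PROBE_WAIT variables are assumptions.

```shell
#!/bin/sh
# Diagnostic only: each relaxation below widens the container's privileges,
# so the result is used to pick the one specific capability or policy to
# grant in the real deployment, not to ship the relaxed options.

PODMAN="${PODMAN:-podman}"        # command to run (assumed; override for a wrapper)
PROBE_WAIT="${PROBE_WAIT:-3}"     # seconds to wait for output (assumed)

# probe OPTS IMAGE: run IMAGE detached with OPTS, return 0 if it logged anything.
probe() {
  opts="$1"; image="$2"
  # Container name is derived from the options so each probe is distinct.
  name="probe-$$-$(echo "$opts" | tr -c 'a-zA-Z0-9' '-')"
  # $opts is intentionally unquoted so "--security-opt label=disable" splits.
  $PODMAN run -d --name "$name" $opts "$image" >/dev/null 2>&1 || return 1
  sleep "$PROBE_WAIT"
  lines=$($PODMAN logs "$name" 2>&1 | wc -l)
  $PODMAN rm -f "$name" >/dev/null 2>&1
  [ "$lines" -gt 0 ]
}

# bisect IMAGE: print which relaxation first makes the container produce logs.
bisect() {
  image="$1"
  probe "" "$image" && { echo "baseline"; return 0; }
  # If even --privileged fails, the problem is not a security mechanism.
  probe "--privileged" "$image" || { echo "not-security"; return 1; }
  for opt in "--security-opt label=disable" \
             "--security-opt seccomp=unconfined" \
             "--cap-add all"; do
    probe "$opt" "$image" && { echo "$opt"; return 0; }
  done
  # Only the full --privileged combination worked; mechanisms interact.
  echo "privileged-only"; return 0
}

if [ -n "${1:-}" ]; then
  bisect "$1"
fi
```

If the answer is `--cap-add all`, the next round is the same loop over `--cap-add <single capability>` to find the one the workload actually needs.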