On 1/19/21 12:26, Scott McCarty wrote:
Jan,
Best Regards
Scott M

On Tue, Jan 19, 2021 at 9:40 AM Jan Hutař <jhutar@redhat.com> wrote:
Hello!

I have an issue with running a "ubi7-init" based container. When I base my
container on "fedora", it works fine:

     $ cat Containerfile
     FROM fedora
     RUN dnf -y install httpd; dnf clean all; systemctl enable httpd
     EXPOSE 80
     CMD [ "/sbin/init" ]

and then:

     $ sudo podman build -f Containerfile
     $ sudo podman run -ti -p 80:80 20185593d0f96c4dee56e351eae4754cdd429679c1b645dae1b6f24880ce33fc
     systemd v246.6-3.fc33 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified)
     [...]
     [  OK  ] Started The Apache HTTP Server.
     [...]

But when I try the same with a ubi7-init based container (or rhel7-init):

     $ cat Containerfile
     FROM registry.access.redhat.com/ubi7/ubi-init
     RUN echo -e "[repo1]\nname=repo1\nbaseurl=http://repos.example.com/RHEL-7/7.9/Server/x86_64/os/\ngpgcheck=0\nenabled=1" >/etc/yum.repos.d/repo1.repo; yum -y install httpd; yum clean all; systemctl enable httpd
     EXPOSE 80
     CMD [ "/sbin/init" ]

it fails:

     $ sudo podman run -ti -p 80:80 d872b16b8d0f9718c60420e3569cb4d5ddd16053fb72903e70d7b62ba3f34964
     Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
     [!!!!!!] Failed to mount API filesystems, freezing.

And the same with privileged:

     $ sudo podman run -ti -p 80:80 --privileged=true d872b16b8d0f9718c60420e3569cb4d5ddd16053fb72903e70d7b62ba3f34964
     Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
     [!!!!!!] Failed to mount API filesystems, freezing.

I have these versions:

     $ rpm -q fedora-release-common podman
     fedora-release-common-33-3.noarch
     podman-2.2.1-1.fc33.x86_64
     $ sudo podman version
     Version:      2.2.1
     API Version:  2.1.0
     Go Version:   go1.15.5
     Built:        Tue Dec  8 15:37:50 2020
     OS/Arch:      linux/amd64

Please, any idea on what I'm doing wrong?

Thank you in advance and happy new year!

Regards,
Jan



--
Jan Hutar   Performance Engineering
jhutar@redhat.com     Red Hat, Inc.
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io


--
The Delicate Art of Product Management with Open Source: http://crunchtools.com/open-source-in-business-2020/
--
Scott McCarty
Product Management - Containers, Red Hat Enterprise Linux & OpenShift
Email: smccarty@redhat.com
Phone: 312-660-3535
Cell: 330-807-1043
Web: http://crunchtools.com


BTW do you see any AVC messages in /var/log/audit/audit.log?