
Unable to run podman container on CentOS Stream 9 #258

Open
@mohd-akram

Description


On a newly-created Vagrant instance of CentOS Stream 9, I run:

sudo dnf install podman
sudo podman run -it --rm --log-level=debug docker.io/bitnami/mongodb:6.0

You can see it crashes immediately. In /var/log/audit.log, there is:

type=AVC msg=audit(1670323793.223:651): avc:  denied  { read write } for  pid=5215 comm="entrypoint.sh" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c353,c573 tcontext=system_u:object_r:container_file_t:s0:c353,c573 tclass=chr_file permissive=0

type=SYSCALL msg=audit(1670323793.223:651): arch=c000003e syscall=59 success=yes exit=0 a0=564baa4c7200 a1=564baa4dfef0 a2=564baa4d22f0 a3=0 items=0 ppid=5213 pid=5215 auid=1000 uid=1001 gid=0 euid=1001 suid=1001 fsuid=1001 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="entrypoint.sh" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c353,c573 key=(null) ARCH=x86_64 SYSCALL=execve AUID="vagrant" UID="unknown(1001)" GID="root" EUID="unknown(1001)" SUID="unknown(1001)" FSUID="unknown(1001)" EGID="root" SGID="root" FSGID="root"

type=EXECVE msg=audit(1670323793.223:651): argc=3 a0="/bin/bash" a1="/opt/bitnami/scripts/mongodb/entrypoint.sh" a2="/opt/bitnami/scripts/mongodb/run.sh"
type=PROCTITLE msg=audit(1670323793.223:651): proctitle=2F62696E2F62617368002F6F70742F6269746E616D692F736372697074732F6D6F6E676F64622F656E747279706F696E742E7368002F6F70742F6269746E616D692F736372697074732F6D6F6E676F64622F72756E2E7368

type=AVC msg=audit(1670323793.225:652): avc:  denied  { read } for  pid=5215 comm="entrypoint.sh" path="/lib/x86_64-linux-gnu/libc-2.31.so" dev="dm-0" ino=259479 scontext=system_u:system_r:container_t:s0:c353,c573 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1670323793.225:652): arch=c000003e syscall=10 success=no exit=-13 a0=7fe3fa5aa000 a1=4000 a2=1 a3=468 items=0 ppid=5213 pid=5215 auid=1000 uid=1001 gid=0 euid=1001 suid=1001 fsuid=1001 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="entrypoint.sh" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c353,c573 key=(null) ARCH=x86_64 SYSCALL=mprotect AUID="vagrant" UID="unknown(1001)" GID="root" EUID="unknown(1001)" SUID="unknown(1001)" FSUID="unknown(1001)" EGID="root" SGID="root" FSGID="root"

This issue does not happen with images provided by the CentOS project. They don't provide a catalog file, but here is one:

{
  "description": "",
  "short_description": "",
  "name": "centos/stream9",
  "versions": [
    {
      "version": "20221129.1",
      "status": "active",
      "description_html": null,
      "description_markdown": "",
      "providers": [
        {
          "name": "virtualbox",
          "url": "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-Vagrant-9-20221129.1.x86_64.vagrant-virtualbox.box",
          "checksum": "e99b1d287df3d1d222881657059484d77e4ef940ae46dfc5af6f5d6c0f13e597",
          "checksum_type": "sha256"
        },
        {
          "name": "libvirt",
          "url": "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-Vagrant-9-20221129.1.x86_64.vagrant-libvirt.box",
          "checksum": "c46aa730c5ae97ce8fc2ea011685f6f73e79693b45d2a9e120fa924b1107e6a2",
          "checksum_type": "sha256"
        }
      ]
    }
  ]
}

and in the Vagrantfile:

Vagrant.configure("2") do |config|
  config.vm.box = "centos/stream9"
  config.vm.box_url = "./stream9.json"
end
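The two denials in the report can be triaged mechanically. The Python script below is an added example, not code from the issue, the reporter or the CentOS project. It parses the AVC and PROCTITLE records copied from the description above (with the wrapped lines joined), decodes the hex-encoded command line, and applies a labelling heuristic that is an assumption of the example rather than a policy analysis: a container_t process denied access to a file whose type is outside the set container-selinux gives to container content (container_file_t, container_share_t, container_ro_file_t) is treated as a mislabelled target, and a denial where both sides already carry container labels with matching MCS categories is reported as a policy problem rather than a labelling one. The libc denial in the report is the mislabelled-target case: the image layer file carries var_lib_t, not a container type.

```python
"""Triage SELinux AVC denials from an audit log (added example).

The sample records are copied from the issue description above and joined
into single lines; everything else, including the classification rule, is
an assumption of this example and not part of the original report.
"""
import re
from typing import Dict, List

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1670323793.223:651): avc:  denied  { read write } for  pid=5215 comm="entrypoint.sh" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c353,c573 tcontext=system_u:object_r:container_file_t:s0:c353,c573 tclass=chr_file permissive=0
type=PROCTITLE msg=audit(1670323793.223:651): proctitle=2F62696E2F62617368002F6F70742F6269746E616D692F736372697074732F6D6F6E676F64622F656E747279706F696E742E7368002F6F70742F6269746E616D692F736372697074732F6D6F6E676F64622F72756E2E7368
type=AVC msg=audit(1670323793.225:652): avc:  denied  { read } for  pid=5215 comm="entrypoint.sh" path="/lib/x86_64-linux-gnu/libc-2.31.so" dev="dm-0" ino=259479 scontext=system_u:system_r:container_t:s0:c353,c573 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

# File types container-selinux assigns to container content (assumption of
# this heuristic): writable volumes and image layers, respectively.
CONTAINER_READABLE_TYPES = {"container_file_t", "container_share_t", "container_ro_file_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_context(ctx: str) -> Dict[str, str]:
    """Split user:role:type:level; the MLS/MCS level keeps any ':' of its own."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc_records(log_text: str) -> List[Dict]:
    """Return one dict per type=AVC record with the fields needed for triage."""
    records = []
    for line in log_text.splitlines():
        if not line.startswith("type=AVC "):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append({
            "perms": m.group("perms").split(),
            "path": fields.get("path"),
            "comm": fields.get("comm"),
            "tclass": fields.get("tclass"),
            "scontext": parse_context(fields["scontext"]),
            "tcontext": parse_context(fields["tcontext"]),
            "enforcing": fields.get("permissive") == "0",
        })
    return records


def decode_proctitle(log_text: str) -> List[List[str]]:
    """Recover argv from hex-encoded PROCTITLE records (args are NUL-separated).
    auditd only hex-encodes when the title contains NUL or non-printables, so a
    plain quoted proctitle is not handled here."""
    argvs = []
    for line in log_text.splitlines():
        m = re.search(r"proctitle=([0-9A-Fa-f]+)$", line)
        if m:
            raw = bytes.fromhex(m.group(1)).decode("utf-8", "replace")
            argvs.append(raw.split("\x00"))
    return argvs


def classify_denial(rec: Dict) -> str:
    """Heuristic classification (assumption of this example, not a policy check)."""
    if rec["scontext"]["type"] != "container_t":
        return "not a container process"
    ttype = rec["tcontext"]["type"]
    if ttype not in CONTAINER_READABLE_TYPES:
        return f"mislabelled target ({ttype}); check storage relabelling and mount labels"
    if rec["scontext"]["level"] != rec["tcontext"]["level"]:
        return "MCS category mismatch between process and file"
    return "labels match; denial comes from policy rules, not labelling"


if __name__ == "__main__":
    for argv in decode_proctitle(SAMPLE_AUDIT_LOG):
        print("command line:", " ".join(argv))
    for rec in parse_avc_records(SAMPLE_AUDIT_LOG):
        print(f"{rec['comm']} denied {rec['perms']} on {rec['tclass']} {rec['path']}: "
              f"{classify_denial(rec)}")
```

Running it over the copied records prints the decoded entrypoint command line and reports the libc denial as a mislabelled target and the /dev/pts/0 denial as one where the labels already agree. On a real host, feed it `ausearch -m AVC --raw` output instead of the embedded sample.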
