flake: ubuntu 2010: systemd: Failed to create ... control group, EPERM

[edsantiago]

Starting to see this flake often on ubuntu:

$ podman run ... -t -i -d registry.access.redhat.com/ubi8-init /sbin/init
systemd 239 (239-41.el8_3.2) running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Red Hat Enterprise Linux 8.3 (Ootpa)

Set hostname to <7ee143227d95>.
Initializing machine ID from random generator.
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Failed to install release agent, ignoring: Permission denied
Failed to create /user.slice/user-27341.slice/session-3.scope/init.scope control group: Permission denied
Failed to allocate manager object: Permission denied
!!!!!!
Failed to allocate manager object, freezing.
Freezing execution.

Podman systemd [It] podman run container with systemd PID1

• ubuntu-2010 : int podman ubuntu-2010 rootless host
  • PR Fix formatting and indentation in network http api docs #10369
    • 05-17 17:26
    • 05-17 17:26
    • 05-17 17:26
  • PR Several shell completion fixes #10328
    • 05-17 10:40
    • 05-17 10:40
    • 05-17 10:40
  • PR Add host.serviceIsRemote to podman info results #10300
    • 05-10 18:01
    • 05-10 18:01
    • 05-10 18:01
  • PR Remove obsolete skips #10291
    • 05-10 10:29
    • 05-10 10:29
    • 05-10 10:29
  • PR Update nix pin with make nixpkgs #10239
    • 05-11 22:06
    • 05-11 22:06
    • 05-11 22:06

[rhatdan]

Well it is not SELinux, is there anyway we could check the audit.log to see if there is any seccomp failures?

[edsantiago]

OMG yes there is! Thanks to the foresight of @cevich, audit.log is preserved! For any of the above logs, go to the top, click the Task link, scroll to the bottom, and expand the audit accordion. Example. (I have no idea what to look for, though)

[rhatdan]

No seccomp failures, that I see.

[rhatdan]

This looks like ubuntu occasionally has a cgroup file system that is not allowed to be written from within the container.
@giuseppe Any thoughts?

[giuseppe]

cgroup v1 for systemd doesn't need to be writeable, just /sys/fs/cgroup/systemd.

Are the rootless tests running from a systemd-run --scope --user environment?

[edsantiago]

I don't know what that means. They are running as a user with the magic loginctl enabled, via ansible become_user.

[edsantiago]

Oops - correction, these are failing in CI, not gating tests. I don't know what the setup is for rootless (wrt loginctl) but AFAICT those are run via ssh user@localhost. The interesting thing is that this is e2e tests, not system tests. e2e tests do automatic triple-retries, and in all the cases above, all three fail. That is: once a host gets into a mode where this test fails, it will always fail. A CI retry (which spins up a new VM) then succeeds.

[cevich]

Weird.

AFAICT those are run via ssh user@localhost

Correct.

e2e tests do automatic triple-retries

Additionally: The tests run in a randomized order. The "seed" for the order is displayed at the beginning. It's possible to run the tests with a specified seed, to guarantee the order. It might be useful to nail-down whether or not this failure is influenced by another test munging the system, or is the failure ever reproducible when running just this one test in isolation (on a fresh VM)

[edsantiago]

Podman systemd [It] podman run container with systemd PID1

• ubuntu-2010 : int podman ubuntu-2010 rootless host
  • PR generate systemd: make mounts portable #10506
    • 05-31 06:23
    • 05-31 06:23
    • 05-31 06:23
  • PR Add options to podman machine ssh #10485
    • 05-27 11:01
    • 05-27 11:01
    • 05-27 11:01
  • PR Fix formatting and indentation in network http api docs #10369
    • 05-17 17:26
    • 05-17 17:26
    • 05-17 17:26
  • PR Several shell completion fixes #10328
    • 05-17 10:40
    • 05-17 10:40
    • 05-17 10:40

[edsantiago]

Podman systemd [It] podman run container with systemd PID1

• ubuntu-2010 : int podman ubuntu-2010 rootless host
  • PR [v3.2] System tests: add :Z to volume mounts #10532
    • 06-02 09:05
    • 06-02 09:05
    • 06-02 09:05
  • PR [v3.2] generate systemd: make mounts portable #10509
    • 05-31 09:46
    • 05-31 09:46
    • 05-31 09:46

[rhatdan]

Could this be AppArmor causing this? Has anyone looked at the audit.log to see if apparmor is complaining about something?

[edsantiago]

For any log link above: click the link, Press Home key to go to the top of the log, click the Task link at top. That takes you to the Cirrus page for the failed run. I don't see an AppArmor log anywhere, but there's a Run journal tab that includes things like "PID", "scope", "control group", and EPERM.

[cevich]

IIRC, there is no audit.log on Ubuntu, AppArmor messages are logged into kern.log which is captured under the 'audit' tab. The journal tab also may have clues as Ed explained.

[edsantiago]

Podman systemd [It] podman run container with systemd PID1

• ubuntu-2010 : int podman ubuntu-2010 rootless host
  • PR Fix restoring of privileged containers #10635
    • 06-10 07:07
    • 06-10 07:07
    • 06-10 07:07
  • PR Bump github.com/containers/storage from 1.32.1 to 1.32.2 #10628
    • 06-10 03:18
    • 06-10 03:18
    • 06-10 03:18
  • PR Correct qemu options for Intel macs #10605
    • 06-08 15:33
    • 06-08 15:33
    • 06-08 15:33

[cevich]

In case it matters: New VM images for Ubuntu were just merged in for use by PR #10451 . This includes (among other things) and updated runc v1.0-rc95.

[edsantiago]

Podman systemd [It] podman run container with systemd PID1

• ubuntu-2010 : int podman ubuntu-2010 rootless host
  • PR Bump github.com/containers/ocicrypt from 1.1.1 to 1.1.2 #10811
    • 06-29 09:13
    • 06-29 09:13
    • 06-29 09:13
  • PR Makefile: remove install.cni #10803
    • 06-28 16:13
    • 06-28 16:13
    • 06-28 16:13
  • PR Podman Stats additional features #10696
    • 06-23 10:13
    • 06-23 10:13
    • 06-23 10:13
  • PR Support log_tag defaults from containers.conf #10583
    • 06-23 13:39
    • 06-23 13:39
    • 06-23 13:39
• ubuntu-2104 : int podman ubuntu-2104 rootless host
  • PR markdown/*: typos 'a image' #10759
    • 06-23 08:00
    • 06-23 08:00
    • 06-23 08:00

[edsantiago]

Another one

[cevich]

FWIW, I'm working my way through numerous issues blocking adoption of refreshed VM images in #10829. Not sure if they will have any impact on this issue or not, but I'll keep my eyes out.

[edsantiago]

Some more:

• ubuntu-2010 : int podman ubuntu-2010 rootless host
  • PR Drop support for the --storage-opt container flag #10999
    • 07-20 17:25
    • 07-20 17:25
    • 07-20 17:25
  • PR e2e tests: use Should(Exit()) and ExitWithError() #10932
    • 07-15 07:51
    • 07-15 07:51
    • 07-15 07:51
  • PR Restore headers of optional information in 'podman pod ps' #10896
    • 07-09 18:56
    • 07-09 18:56
    • 07-09 18:56
  • PR podman diff accept two images or containers #10836
    • 07-02 11:58
    • 07-02 11:58
    • 07-02 11:58

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[edsantiago]

The past month:

Podman systemd [It] podman run container with systemd PID1

• ubuntu-2010 : int podman ubuntu-2010 rootless host
  • PR Globally replace http:// with https:// #11333
    • 08-27 07:03
    • 08-27 07:03
    • 08-27 07:03
  • PR Added autocompletion for images and system connections for podman image SCP #11153
    • 08-09 10:06
    • 08-09 10:06
    • 08-09 10:06
  • PR [v3.3] Disable aarch64 support #11120
    • 08-03 15:31
    • 08-03 15:31
    • 08-03 15:31
  • PR Fix handling of user specified container labels #11101
    • 08-02 17:57
    • 08-02 17:57
    • 08-02 17:57
  • PR Cirrus: CI Support for v3.3 Branch #11097
    • 08-02 15:52
    • 08-02 15:52
    • 08-02 15:52
  • PR Bump github.com/containers/image/v5 from 5.14.0 to 5.15.0 #11082
    • 08-01 08:18
    • 08-01 08:18
    • 08-01 08:18
  • PR rootless: avoid zombie process on first launch #11073
    • 07-29 05:55
    • 07-29 05:55
    • 07-29 05:55
  • PR Add prune until filter test for podman volume cli #10861
    • 07-26 17:27
    • 07-26 17:27
    • 07-26 17:27

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[rhatdan]

Did the conmon attach fix this Issue?

[edsantiago]

Last seen September 10. Last change to IMAGE_SUFFIX in .cirrus.yml was committed on September 14. I don't know if it includes the new conmon or not... but I'm comfortable closing this with fingers crossed.

Podman systemd [It] podman run container with systemd PID1

• ubuntu-2010 : int podman ubuntu-2010 rootless host
  • PR try to create the runroot before we warn that it is not writable #11523
    • 09-10 08:16
    • 09-10 08:16
    • 09-10 08:16
  • PR Fix conmon attach socket buffer size #11503
    • 09-09 12:45
    • 09-09 12:45
    • 09-09 12:45
  • PR Qemu TCG Accel fallback for Apple Silicon. Iss #10577 #11451
    • 09-05 13:16
    • 09-05 13:16
    • 09-05 13:16