
podman-3.2.1 in container: cannot clone: Operation not permitted Error: cannot re-exec process #10802

Closed
lmgray opened this issue Jun 28, 2021 · 37 comments
Labels: kind/bug, locked - please file new issue/PR, podman-in-container

Comments

@lmgray

lmgray commented Jun 28, 2021

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Following was working prior to release of podman 3.2.1 (i.e. worked until last week under podman 3.1.2)

Trying to build a centos-8-based container with podman and skopeo installed in a docker-in-docker (Jenkins agent running in kubernetes) environment... The larger context is Jenkins build of Jenkins jnlp agent with podman, docker, compilers, build tools etc, we use in our CICD pipelines to build containers, but the problem is reproducible with a small dockerfile running locally in docker (see below).

Seems similar to #10692 where the fix was to use podman instead of docker -- that's not an option for us at this time -- podman isn't mature enough to support the wide variety of container builds we support in our CICD pipelines. We've tried, but it's currently far from a drop-in replacement from docker -- we're trying! :-)

Steps to reproduce the issue:

  1. create Dockerfile to build a centos 8 container with latest podman
FROM centos:8

USER root

RUN dnf -y module disable container-tools \
    && dnf -y install 'dnf-command(copr)' \
    && dnf -y copr enable rhcontainerbot/container-selinux \
    && curl -sSL -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/devel:kubic:libcontainers:stable.repo

RUN dnf -y install podman skopeo

#RUN podman --storage-driver=vfs version

RUN podman --storage-driver=vfs info --debug

  2. docker build -t test .

Describe the results you received:

Full output of the docker build is included below, but the error in question is:

Step 5/5 : RUN podman --storage-driver=vfs info
 ---> Running in dc4ea7a56855
cannot clone: Operation not permitted
Error: cannot re-exec process

Describe the results you expected:

expected typical podman info output

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Step 5/6 : RUN podman --storage-driver=vfs version
 ---> Running in 90096abfcf93
cannot clone: Operation not permitted
Error: cannot re-exec process

Output of podman info --debug:

Step 5/5 : RUN podman --storage-driver=vfs info --debug
 ---> Running in e3f5463e8f14
cannot clone: Operation not permitted
Error: cannot re-exec process

Package info (e.g. output of rpm -q podman or apt list podman):

  podman-3.2.1-1.el8.4.1.x86_64
  podman-plugins-3.2.1-1.el8.4.1.x86_64
  skopeo-2:1.3.0-1.el8.1.1.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

can be reproduced locally with docker build running in a centos-8 based docker container (docker-in-docker):

(base) [jenkins@100533c486d2 ~]$ docker build -t test .
Sending build context to Docker daemon  324.6MB
Step 1/5 : FROM centos:8
8: Pulling from library/centos
7a0437f04f83: Pull complete
Digest: sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1
Status: Downloaded newer image for centos:8
 ---> 300e315adb2f
Step 2/5 : USER root
 ---> Running in 4fb8aa267174
Removing intermediate container 4fb8aa267174
 ---> 13c2987e0a87
Step 3/5 : RUN dnf -y module disable container-tools     && dnf -y install 'dnf-command(copr)'     && dnf -y copr enable rhcontainerbot/container-selinux     && curl -sSL -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/devel:kubic:libcontainers:stable.repo
 ---> Running in 271b9fde57ef
CentOS Linux 8 - AppStream                      407 kB/s | 7.5 MB     00:18
CentOS Linux 8 - BaseOS                         622 kB/s | 2.6 MB     00:04
CentOS Linux 8 - Extras                          24 kB/s | 9.6 kB     00:00
Dependencies resolved.
================================================================================
 Package           Architecture     Version             Repository         Size
================================================================================
Disabling modules:
 container-tools

Transaction Summary
================================================================================

Complete!
Last metadata expiration check: 0:00:01 ago on Mon Jun 28 16:26:34 2021.
Dependencies resolved.
================================================================================
 Package                       Arch        Version            Repository   Size
================================================================================
Installing:
 dnf-plugins-core              noarch      4.0.18-4.el8       baseos       69 k
Installing dependencies:
 dbus-glib                     x86_64      0.110-2.el8        baseos      127 k
 python3-dateutil              noarch      1:2.6.1-6.el8      baseos      251 k
 python3-dbus                  x86_64      1.2.4-15.el8       baseos      134 k
 python3-dnf-plugins-core      noarch      4.0.18-4.el8       baseos      234 k
 python3-six                   noarch      1.11.0-8.el8       baseos       38 k

Transaction Summary
================================================================================
Install  6 Packages

Total download size: 854 k
Installed size: 2.3 M
Downloading Packages:
(1/6): dnf-plugins-core-4.0.18-4.el8.noarch.rpm 170 kB/s |  69 kB     00:00
(2/6): dbus-glib-0.110-2.el8.x86_64.rpm         272 kB/s | 127 kB     00:00
(3/6): python3-dateutil-2.6.1-6.el8.noarch.rpm  441 kB/s | 251 kB     00:00
(4/6): python3-dbus-1.2.4-15.el8.x86_64.rpm     614 kB/s | 134 kB     00:00
(5/6): python3-dnf-plugins-core-4.0.18-4.el8.no 1.2 MB/s | 234 kB     00:00
(6/6): python3-six-1.11.0-8.el8.noarch.rpm      394 kB/s |  38 kB     00:00
--------------------------------------------------------------------------------
Total                                           961 kB/s | 854 kB     00:00
warning: /var/cache/dnf/baseos-f6a80ba95cf937f2/packages/dbus-glib-0.110-2.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
CentOS Linux 8 - BaseOS                         1.6 MB/s | 1.6 kB     00:00
Importing GPG key 0x8483C65D:
 Userid     : "CentOS (CentOS Official Signing Key) <security@centos.org>"
 Fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : python3-six-1.11.0-8.el8.noarch                        1/6
  Installing       : python3-dateutil-1:2.6.1-6.el8.noarch                  2/6
  Installing       : dbus-glib-0.110-2.el8.x86_64                           3/6
  Running scriptlet: dbus-glib-0.110-2.el8.x86_64                           3/6
  Installing       : python3-dbus-1.2.4-15.el8.x86_64                       4/6
  Installing       : python3-dnf-plugins-core-4.0.18-4.el8.noarch           5/6
  Installing       : dnf-plugins-core-4.0.18-4.el8.noarch                   6/6
  Running scriptlet: dnf-plugins-core-4.0.18-4.el8.noarch                   6/6
  Verifying        : dbus-glib-0.110-2.el8.x86_64                           1/6
  Verifying        : dnf-plugins-core-4.0.18-4.el8.noarch                   2/6
  Verifying        : python3-dateutil-1:2.6.1-6.el8.noarch                  3/6
  Verifying        : python3-dbus-1.2.4-15.el8.x86_64                       4/6
  Verifying        : python3-dnf-plugins-core-4.0.18-4.el8.noarch           5/6
  Verifying        : python3-six-1.11.0-8.el8.noarch                        6/6

Installed:
  dbus-glib-0.110-2.el8.x86_64
  dnf-plugins-core-4.0.18-4.el8.noarch
  python3-dateutil-1:2.6.1-6.el8.noarch
  python3-dbus-1.2.4-15.el8.x86_64
  python3-dnf-plugins-core-4.0.18-4.el8.noarch
  python3-six-1.11.0-8.el8.noarch

Complete!
Repository successfully enabled.
Enabling a Copr repository. Please note that this repository is not part
of the main distribution, and quality may vary.

The Fedora Project does not exercise any power over the contents of
this repository beyond the rules outlined in the Copr FAQ at
<https://docs.pagure.org/copr.copr/user_documentation.html#what-i-can-build-in-copr>,
and packages are not held to any quality or security level.

Please do not file bug reports about these packages in Fedora
Bugzilla. In case of problems, contact the owner of this repository.
Removing intermediate container 271b9fde57ef
 ---> b87b175466e8
Step 4/5 : RUN dnf -y install podman skopeo
 ---> Running in 33f12077193f
Copr repo for container-selinux owned by rhcont 3.6 kB/s | 1.4 kB     00:00
Stable Releases of Upstream github.com/containe  50 kB/s |  66 kB     00:01
Dependencies resolved.
====================================================================================================
 Package                       Arch    Version               Repository                         Size
====================================================================================================
Installing:
 podman                        x86_64  3.2.1-1.el8.4.1       devel_kubic_libcontainers_stable   13 M
 skopeo                        x86_64  2:1.3.0-1.el8.1.1     devel_kubic_libcontainers_stable  7.2 M
Upgrading:
 iptables-libs                 x86_64  1.8.4-17.el8          baseos                            107 k
Installing dependencies:
 conmon                        x86_64  2:2.0.29-1.el8.3.4    devel_kubic_libcontainers_stable   50 k
 containernetworking-plugins   x86_64  1.0.0-0.2.rc1.el8.6.1 devel_kubic_libcontainers_stable   21 M
 containers-common             noarch  4:1-17.el8.17.3       devel_kubic_libcontainers_stable   60 k
 crun                          x86_64  0.20.1-1.el8.3.1      devel_kubic_libcontainers_stable  194 k
 dnsmasq                       x86_64  2.79-15.el8           appstream                         318 k
 fuse-common                   x86_64  3.2.1-12.el8          baseos                             21 k
 fuse3                         x86_64  3.2.1-12.el8          baseos                             50 k
 fuse3-libs                    x86_64  3.2.1-12.el8          baseos                             94 k
 iptables                      x86_64  1.8.4-17.el8          baseos                            586 k
 jansson                       x86_64  2.11-3.el8            baseos                             46 k
 libnetfilter_conntrack        x86_64  1.0.6-5.el8           baseos                             65 k
 libnfnetlink                  x86_64  1.0.1-13.el8          baseos                             33 k
 libnftnl                      x86_64  1.1.5-4.el8           baseos                             83 k
 libslirp                      x86_64  4.3.1-4.el8.4.7       devel_kubic_libcontainers_stable   73 k
 nftables                      x86_64  1:0.9.3-18.el8        baseos                            313 k
 yajl                          x86_64  2.1.0-10.el8          appstream                          41 k
Installing weak dependencies:
 catatonit                     x86_64  0.1.5-6.el8.3.7       devel_kubic_libcontainers_stable  290 k
 fuse-overlayfs                x86_64  1.5.0-1.el8.1.4       devel_kubic_libcontainers_stable   73 k
 podman-plugins                x86_64  3.2.1-1.el8.4.1       devel_kubic_libcontainers_stable  3.4 M
 slirp4netns                   x86_64  1.1.8-4.el8.7.8       devel_kubic_libcontainers_stable   55 k

Transaction Summary
====================================================================================================
Install  22 Packages
Upgrade   1 Package

Total download size: 47 M
Downloading Packages:
(1/23): yajl-2.1.0-10.el8.x86_64.rpm            114 kB/s |  41 kB     00:00
(2/23): dnsmasq-2.79-15.el8.x86_64.rpm          575 kB/s | 318 kB     00:00
(3/23): fuse-common-3.2.1-12.el8.x86_64.rpm      28 kB/s |  21 kB     00:00
(4/23): fuse3-3.2.1-12.el8.x86_64.rpm            53 kB/s |  50 kB     00:00
(5/23): jansson-2.11-3.el8.x86_64.rpm           175 kB/s |  46 kB     00:00
(6/23): fuse3-libs-3.2.1-12.el8.x86_64.rpm       78 kB/s |  94 kB     00:01
(7/23): libnetfilter_conntrack-1.0.6-5.el8.x86_ 238 kB/s |  65 kB     00:00
(8/23): libnfnetlink-1.0.1-13.el8.x86_64.rpm    125 kB/s |  33 kB     00:00
(9/23): libnftnl-1.1.5-4.el8.x86_64.rpm         302 kB/s |  83 kB     00:00
(10/23): iptables-1.8.4-17.el8.x86_64.rpm       335 kB/s | 586 kB     00:01
(11/23): nftables-0.9.3-18.el8.x86_64.rpm       438 kB/s | 313 kB     00:00
(12/23): catatonit-0.1.5-6.el8.3.7.x86_64.rpm   257 kB/s | 290 kB     00:01
(13/23): conmon-2.0.29-1.el8.3.4.x86_64.rpm      51 kB/s |  50 kB     00:00
(14/23): containers-common-1-17.el8.17.3.noarch 205 kB/s |  60 kB     00:00
(15/23): crun-0.20.1-1.el8.3.1.x86_64.rpm       522 kB/s | 194 kB     00:00
(16/23): fuse-overlayfs-1.5.0-1.el8.1.4.x86_64. 161 kB/s |  73 kB     00:00
(17/23): libslirp-4.3.1-4.el8.4.7.x86_64.rpm    254 kB/s |  73 kB     00:00
(18/23): containernetworking-plugins-1.0.0-0.2.  11 MB/s |  21 MB     00:01
(19/23): podman-plugins-3.2.1-1.el8.4.1.x86_64. 4.2 MB/s | 3.4 MB     00:00
(20/23): podman-3.2.1-1.el8.4.1.x86_64.rpm       12 MB/s |  13 MB     00:01
(21/23): slirp4netns-1.1.8-4.el8.7.8.x86_64.rpm 191 kB/s |  55 kB     00:00
(22/23): skopeo-1.3.0-1.el8.1.1.x86_64.rpm      9.8 MB/s | 7.2 MB     00:00
(23/23): iptables-libs-1.8.4-17.el8.x86_64.rpm  105 kB/s | 107 kB     00:01
--------------------------------------------------------------------------------
Total                                           7.3 MB/s |  47 MB     00:06
warning: /var/cache/dnf/devel_kubic_libcontainers_stable-37b272243bc11f7c/packages/catatonit-0.1.5-6.el8.3.7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 75060aa4: NOKEY
Stable Releases of Upstream github.com/containe 3.0 kB/s | 1.1 kB     00:00
Importing GPG key 0x75060AA4:
 Userid     : "devel:kubic OBS Project <devel:kubic@build.opensuse.org>"
 Fingerprint: 2472 D6D0 D2F6 6AF8 7ABA 8DA3 4D64 3903 7506 0AA4
 From       : https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/repodata/repomd.xml.key
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Upgrading        : iptables-libs-1.8.4-17.el8.x86_64                     1/24
  Installing       : libnftnl-1.1.5-4.el8.x86_64                           2/24
  Running scriptlet: libnftnl-1.1.5-4.el8.x86_64                           2/24
  Installing       : libnfnetlink-1.0.1-13.el8.x86_64                      3/24
  Running scriptlet: libnfnetlink-1.0.1-13.el8.x86_64                      3/24
  Installing       : libnetfilter_conntrack-1.0.6-5.el8.x86_64             4/24
  Running scriptlet: libnetfilter_conntrack-1.0.6-5.el8.x86_64             4/24
  Running scriptlet: iptables-1.8.4-17.el8.x86_64                          5/24
  Installing       : iptables-1.8.4-17.el8.x86_64                          5/24
  Running scriptlet: iptables-1.8.4-17.el8.x86_64                          5/24
  Installing       : libslirp-4.3.1-4.el8.4.7.x86_64                       6/24
  Installing       : slirp4netns-1.1.8-4.el8.7.8.x86_64                    7/24
  Installing       : containernetworking-plugins-1.0.0-0.2.rc1.el8.6.1.    8/24
  Installing       : conmon-2:2.0.29-1.el8.3.4.x86_64                      9/24
  Installing       : catatonit-0.1.5-6.el8.3.7.x86_64                     10/24
  Installing       : jansson-2.11-3.el8.x86_64                            11/24
  Installing       : nftables-1:0.9.3-18.el8.x86_64                       12/24
  Running scriptlet: nftables-1:0.9.3-18.el8.x86_64                       12/24
  Installing       : fuse3-libs-3.2.1-12.el8.x86_64                       13/24
  Running scriptlet: fuse3-libs-3.2.1-12.el8.x86_64                       13/24
  Installing       : fuse-common-3.2.1-12.el8.x86_64                      14/24
  Installing       : fuse3-3.2.1-12.el8.x86_64                            15/24
  Installing       : fuse-overlayfs-1.5.0-1.el8.1.4.x86_64                16/24
  Running scriptlet: fuse-overlayfs-1.5.0-1.el8.1.4.x86_64                16/24
  Installing       : yajl-2.1.0-10.el8.x86_64                             17/24
  Installing       : crun-0.20.1-1.el8.3.1.x86_64                         18/24
  Installing       : containers-common-4:1-17.el8.17.3.noarch             19/24
  Running scriptlet: dnsmasq-2.79-15.el8.x86_64                           20/24
  Installing       : dnsmasq-2.79-15.el8.x86_64                           20/24
  Running scriptlet: dnsmasq-2.79-15.el8.x86_64                           20/24
  Installing       : podman-3.2.1-1.el8.4.1.x86_64                        21/24
  Installing       : podman-plugins-3.2.1-1.el8.4.1.x86_64                22/24
  Installing       : skopeo-2:1.3.0-1.el8.1.1.x86_64                      23/24
  Cleanup          : iptables-libs-1.8.4-15.el8.x86_64                    24/24
  Running scriptlet: iptables-libs-1.8.4-15.el8.x86_64                    24/24
  Verifying        : dnsmasq-2.79-15.el8.x86_64                            1/24
  Verifying        : yajl-2.1.0-10.el8.x86_64                              2/24
  Verifying        : fuse-common-3.2.1-12.el8.x86_64                       3/24
  Verifying        : fuse3-3.2.1-12.el8.x86_64                             4/24
  Verifying        : fuse3-libs-3.2.1-12.el8.x86_64                        5/24
  Verifying        : iptables-1.8.4-17.el8.x86_64                          6/24
  Verifying        : jansson-2.11-3.el8.x86_64                             7/24
  Verifying        : libnetfilter_conntrack-1.0.6-5.el8.x86_64             8/24
  Verifying        : libnfnetlink-1.0.1-13.el8.x86_64                      9/24
  Verifying        : libnftnl-1.1.5-4.el8.x86_64                          10/24
  Verifying        : nftables-1:0.9.3-18.el8.x86_64                       11/24
  Verifying        : catatonit-0.1.5-6.el8.3.7.x86_64                     12/24
  Verifying        : conmon-2:2.0.29-1.el8.3.4.x86_64                     13/24
  Verifying        : containernetworking-plugins-1.0.0-0.2.rc1.el8.6.1.   14/24
  Verifying        : containers-common-4:1-17.el8.17.3.noarch             15/24
  Verifying        : crun-0.20.1-1.el8.3.1.x86_64                         16/24
  Verifying        : fuse-overlayfs-1.5.0-1.el8.1.4.x86_64                17/24
  Verifying        : libslirp-4.3.1-4.el8.4.7.x86_64                      18/24
  Verifying        : podman-3.2.1-1.el8.4.1.x86_64                        19/24
  Verifying        : podman-plugins-3.2.1-1.el8.4.1.x86_64                20/24
  Verifying        : skopeo-2:1.3.0-1.el8.1.1.x86_64                      21/24
  Verifying        : slirp4netns-1.1.8-4.el8.7.8.x86_64                   22/24
  Verifying        : iptables-libs-1.8.4-17.el8.x86_64                    23/24
  Verifying        : iptables-libs-1.8.4-15.el8.x86_64                    24/24

Upgraded:
  iptables-libs-1.8.4-17.el8.x86_64

Installed:
  catatonit-0.1.5-6.el8.3.7.x86_64
  conmon-2:2.0.29-1.el8.3.4.x86_64
  containernetworking-plugins-1.0.0-0.2.rc1.el8.6.1.x86_64
  containers-common-4:1-17.el8.17.3.noarch
  crun-0.20.1-1.el8.3.1.x86_64
  dnsmasq-2.79-15.el8.x86_64
  fuse-common-3.2.1-12.el8.x86_64
  fuse-overlayfs-1.5.0-1.el8.1.4.x86_64
  fuse3-3.2.1-12.el8.x86_64
  fuse3-libs-3.2.1-12.el8.x86_64
  iptables-1.8.4-17.el8.x86_64
  jansson-2.11-3.el8.x86_64
  libnetfilter_conntrack-1.0.6-5.el8.x86_64
  libnfnetlink-1.0.1-13.el8.x86_64
  libnftnl-1.1.5-4.el8.x86_64
  libslirp-4.3.1-4.el8.4.7.x86_64
  nftables-1:0.9.3-18.el8.x86_64
  podman-3.2.1-1.el8.4.1.x86_64
  podman-plugins-3.2.1-1.el8.4.1.x86_64
  skopeo-2:1.3.0-1.el8.1.1.x86_64
  slirp4netns-1.1.8-4.el8.7.8.x86_64
  yajl-2.1.0-10.el8.x86_64

Complete!
Removing intermediate container 33f12077193f
 ---> d3c0eaff56b3
Step 5/5 : RUN podman --storage-driver=vfs info --debug
 ---> Running in 976f61eebfea
cannot clone: Operation not permitted
Error: cannot re-exec process
The command '/bin/sh -c podman --storage-driver=vfs info --debug' returned a non-zero code: 125
(base) [jenkins@100533c486d2 ~]$
@mheon
Member

mheon commented Jun 28, 2021

My first thought is Seccomp - the Docker container could be blocking some flags of clone that we require. I believe that docker build supports --security-opt seccomp=unconfined so that could be a good starting place.

@cevich PTAL - do you recall any of the debugging you did for the linked issue?

@rhatdan
Member

rhatdan commented Jun 28, 2021

Yes, or --security-opt seccomp=/usr/share/containers/seccomp.json.
Podman requires the clone syscall.
If you are on an SELinux box, you also need to disable SELinux for the container:

--security-opt label=disabled

We are about to release a large blog on this, probably the week after the 4th.
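The two comments above point at the same mechanism: a seccomp profile that permits clone(2) only when its flags argument carries no namespace bits, so podman's re-exec into a user namespace fails with EPERM while an ordinary fork-style clone succeeds. The evaluator below is an added example, not code from the thread or from the podman project. It models the OCI/libseccomp argument comparisons for one syscall and applies them to two profile fragments that are constructed here: one in the shape of Docker's default profile (clone allowed only if `flags & 0x7E020000 == 0`), one in the shape of podman's own seccomp.json (clone allowed with no argument filter). The first-match rule order and the `/proc/<pid>/status` parser are simplifications and assumptions of this example, not a reimplementation of libseccomp.

```python
"""Added example: does a seccomp profile let a user-namespace clone() through?

Evaluates the clone rule of an OCI/Docker-style seccomp profile against the
flags a process would pass. The profile fragments are constructed for this
example and carry only the fields the evaluator reads.
"""
import json

# clone(2) namespace flags, from <linux/sched.h>.
CLONE_NEWNS     = 0x00020000
CLONE_NEWCGROUP = 0x02000000
CLONE_NEWUTS    = 0x04000000
CLONE_NEWIPC    = 0x08000000
CLONE_NEWUSER   = 0x10000000
CLONE_NEWPID    = 0x20000000
CLONE_NEWNET    = 0x40000000
NAMESPACE_FLAGS = (CLONE_NEWNS | CLONE_NEWCGROUP | CLONE_NEWUTS | CLONE_NEWIPC
                   | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)  # 0x7E020000
SIGCHLD = 17  # low byte of the clone flags is the child's exit signal

# Constructed fragment in the shape of Docker's default profile: deny by
# default, allow clone only when arg0 has none of the namespace bits set.
RESTRICTIVE_PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288, "valueTwo": 0,
               "op": "SCMP_CMP_MASKED_EQ"}]}
  ]
}""")

# Constructed fragment in the shape of podman's seccomp.json: the
# namespace-creating calls are allowed without an argument filter.
PERMISSIVE_PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["clone", "clone3", "unshare"], "action": "SCMP_ACT_ALLOW", "args": []}
  ]
}""")

# libseccomp SCMP_CMP_* comparisons: (actual, value, valueTwo) -> bool
_OPS = {
    "SCMP_CMP_EQ":        lambda a, v1, v2: a == v1,
    "SCMP_CMP_NE":        lambda a, v1, v2: a != v1,
    "SCMP_CMP_LT":        lambda a, v1, v2: a < v1,
    "SCMP_CMP_LE":        lambda a, v1, v2: a <= v1,
    "SCMP_CMP_GT":        lambda a, v1, v2: a > v1,
    "SCMP_CMP_GE":        lambda a, v1, v2: a >= v1,
    "SCMP_CMP_MASKED_EQ": lambda a, v1, v2: (a & v1) == v2,
}


def _arg_matches(cond, actual):
    """One argument condition of a rule."""
    return _OPS[cond["op"]](actual, cond["value"], cond.get("valueTwo", 0))


def seccomp_action(profile, syscall, args):
    """Action the profile yields for syscall(*args).

    Assumption of this example: first matching rule wins, every argument
    condition of that rule must hold, otherwise defaultAction applies.
    """
    for rule in profile["syscalls"]:
        if syscall not in rule["names"]:
            continue
        conds = rule.get("args") or []
        if all(_arg_matches(c, args[c["index"]]) for c in conds):
            return rule["action"]
    return profile["defaultAction"]


def clone_allowed(profile, flags):
    """True if clone(flags) would be permitted under the profile."""
    return seccomp_action(profile, "clone", [flags]) == "SCMP_ACT_ALLOW"


def seccomp_mode(proc_status):
    """Seccomp: field of /proc/<pid>/status (0 off, 1 strict, 2 filter), or None."""
    for line in proc_status.splitlines():
        if line.startswith("Seccomp:"):
            return int(line.split()[1])
    return None


if __name__ == "__main__":
    plain = SIGCHLD                                  # ordinary fork-like clone
    userns = CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD   # re-exec into a user namespace
    for name, prof in (("restrictive", RESTRICTIVE_PROFILE), ("permissive", PERMISSIVE_PROFILE)):
        print(f"{name}: plain clone allowed={clone_allowed(prof, plain)}, "
              f"CLONE_NEWUSER clone allowed={clone_allowed(prof, userns)}")
```

Under the restrictive shape a plain clone passes and a CLONE_NEWUSER clone falls through to the ERRNO default, which is exactly the "cannot clone: Operation not permitted" symptom; under the permissive shape both pass. Docker's default profile also lifts the restriction when the container holds CAP_SYS_ADMIN, which is why a privileged build container would not show the failure. A quick check from inside the build step is `grep Seccomp /proc/self/status`: a value of 2 means a filter is loaded.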

@lmgray
Author

lmgray commented Jun 28, 2021

not using selinux -- unable to apply the options on the docker build ...

(base) [jenkins@063e97743a94 ~]$ getenforce
Disabled

(base) [jenkins@063e97743a94 ~]$ docker build -t test --security-opt seccomp=/usr/share/containers/seccomp.json .
Error response from daemon: The daemon on this platform does not support setting security options on build

(base) [jenkins@063e97743a94 ~]$ docker build -t test --security-opt seccomp=unconfined .
Error response from daemon: The daemon on this platform does not support setting security options on build

@cevich
Member

cevich commented Jun 28, 2021

do you recall any of the debugging you did for the linked issue

Yes, my steps were:

  1. Get more coffee
  2. Try again and expect different results
  3. Panic and ask for help

Basically...what Dan said. IIRC, you (@mheon) and I had an IRC chat in which you confirmed: We deliberately bypass lots of stuff for the version sub-command. Apparently we still need to clone though 😞 In this particular case (with docker), I'm afraid the answer might be building with --privileged (assuming that's even a thing). The only way I was able to get around the problem was to use podman (I understand that's not possible here) 😢

@cevich
Member

cevich commented Jun 28, 2021

hmmmm...though...I do seem to remember playing around with running buildah builds inside a docker container. I seem to remember being able to pull it off by jamming upstream podman's seccomp-profile into docker. Lemmie see if I can find that work...

@cevich
Member

cevich commented Jun 28, 2021

...ugh, I can't find it. Sorry 😞

@lmgray
Author

lmgray commented Jun 29, 2021

Prior to podman 3.2.1, we were able to build centos based docker containers which installed and ran podman to create our "podman docker base images" -- i.e. this all worked until last week, most recently with podman 3.1.2.  Am I mistaken that this is a podman 3.2.1 change/regression/defect?  Unfortunately, the kubic repos we use don't seem to have podman 3.1 anymore -- is there a different repo from which we can install podman 3.1.2 for centos as a temporary solution?

@mheon
Member

mheon commented Jun 29, 2021

If you can retest with 3.1.x, it would be interesting. I don't know if I'd consider this a regression given that there should be a reasonable expectation that the clone syscall works?

An strace to get the exact failing syscall would also be helpful.

@lmgray
Author

lmgray commented Jun 29, 2021

Do you know where I can get podman 3.1.x packages for centos?  They seem to be gone from the kubic yum repo.

I can upload strace output if you like, but it's fairly huge. This is pretty easy to reproduce -- just run docker build -t test . with the following Dockerfile:

FROM centos:8

USER root

RUN dnf -y install strace

RUN dnf -y module disable container-tools \
    && dnf -y install 'dnf-command(copr)' \
    && dnf -y copr enable rhcontainerbot/container-selinux \
    && curl -sSL -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/devel:kubic:libcontainers:stable.repo

RUN dnf -y install podman

RUN strace podman --storage-driver=vfs info --debug
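mheon asked for the exact failing syscall and lmgray notes the strace output is huge. The parser below is an added example, not part of the thread or the podman project: it reduces an strace capture to the calls that returned -1 and then isolates the pattern a seccomp-filtered clone leaves behind (EPERM on a namespace-creating syscall whose flags name a namespace). The trace it runs on is constructed for the example, including the "[pid N]" prefixes that `strace -f` adds when more than one process is traced.

```python
"""Added example: reduce a large strace capture to the calls that failed.

Parses strace's text output (optionally prefixed with "[pid N]" under -f),
keeps the lines that returned -1, and isolates EPERM on namespace-creating
calls. SAMPLE_TRACE is constructed for this example, not output from the thread.
"""
import re
from collections import Counter

# Syscalls a seccomp profile typically gates on their namespace flags.
NAMESPACE_SYSCALLS = {"clone", "clone3", "unshare", "setns"}

# One failed strace line: optional "[pid N] " prefix, name(args) = -1 ERRNO (text)
_FAILED = re.compile(
    r"^(?:\[pid\s+(?P<pid>\d+)\]\s+)?"
    r"(?P<name>[a-z_0-9]+)\((?P<args>.*)\)\s+=\s+-1\s+(?P<errno>E[A-Z]+)"
)

SAMPLE_TRACE = """\
execve("/usr/bin/podman", ["podman", "--storage-driver=vfs", "info"], 0x7ffd4a8b3c10 /* 12 vars */) = 0
openat(AT_FDCWD, "/etc/containers/containers.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/containers/containers.conf", O_RDONLY|O_CLOEXEC) = 3
[pid  1234] clone(child_stack=NULL, flags=CLONE_NEWUSER|CLONE_NEWNS|SIGCHLD) = -1 EPERM (Operation not permitted)
[pid  1234] write(2, "cannot clone: Operation not permitted\\n", 38) = 38
[pid  1234] exit_group(125)             = ?
"""


def failed_syscalls(trace):
    """[(pid or None, name, args, errno), ...] for every line that returned -1."""
    found = []
    for line in trace.splitlines():
        m = _FAILED.match(line.strip())
        if m:
            found.append((m.group("pid"), m.group("name"), m.group("args"), m.group("errno")))
    return found


def errno_summary(trace):
    """Counter of errno names: separates routine ENOENT noise from real denials."""
    return Counter(f[3] for f in failed_syscalls(trace))


def seccomp_suspects(trace):
    """Failed namespace-creating calls that hit EPERM, the seccomp signature."""
    return [f for f in failed_syscalls(trace)
            if f[3] == "EPERM" and f[1] in NAMESPACE_SYSCALLS]


if __name__ == "__main__":
    print(dict(errno_summary(SAMPLE_TRACE)))
    for pid, name, args, err in seccomp_suspects(SAMPLE_TRACE):
        print(f"pid {pid}: {name}({args}) -> {err}")
```

When capturing the real thing, `strace -f -o /tmp/podman.trace podman --storage-driver=vfs info` keeps the trace out of podman's own stderr, and `-f` is what makes the re-exec'd child show up with a pid prefix; the functions above then give the denial and its flags without paging through the ENOENT lines from config-file probing.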

@lmgray
Author

lmgray commented Jun 29, 2021

By removing the kubic repo setup and using centos default podman packages, you can see this is successful using podman 3.0.1.

Dockerfile:

FROM centos:8

USER root

#RUN dnf -y install strace

#RUN dnf -y module disable container-tools \
#    && dnf -y install 'dnf-command(copr)' \
#    && dnf -y copr enable rhcontainerbot/container-selinux \
#    && curl -sSL -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/devel:kubic:libcontainers:stable.repo

RUN dnf -y install podman
RUN podman --storage-driver=vfs info --debug
#RUN strace podman --storage-driver=vfs info --debug

$ docker build -t test .
Sending build context to Docker daemon   2.56kB
Step 1/4 : FROM centos:8
8: Pulling from library/centos
7a0437f04f83: Pull complete
Digest: sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1
Status: Downloaded newer image for centos:8
 ---> 300e315adb2f
Step 2/4 : USER root
 ---> Running in 2ea27985d40e
Removing intermediate container 2ea27985d40e
 ---> d67bc4386822
Step 3/4 : RUN dnf -y install podman
 ---> Running in f4ba6ffb5e39
CentOS Linux 8 - AppStream                      1.0 MB/s | 7.5 MB     00:07
CentOS Linux 8 - BaseOS                         753 kB/s | 2.6 MB     00:03
CentOS Linux 8 - Extras                         9.4 kB/s | 9.6 kB     00:01
Dependencies resolved.
=================================================================================================
 Package                       Arch    Version                                   Repo        Size
=================================================================================================
Installing:
 podman                        x86_64  3.0.1-7.module_el8.4.0+830+8027e1c4       appstream   12 M
Upgrading:
 iptables-libs                 x86_64  1.8.4-17.el8                              baseos     107 k
Installing dependencies:
 conmon                        x86_64  2:2.0.26-3.module_el8.4.0+830+8027e1c4    appstream   52 k
 containernetworking-plugins   x86_64  0.9.1-1.module_el8.4.0+781+acf4c33b       appstream   20 M
 containers-common             x86_64  1:1.2.2-10.module_el8.4.0+830+8027e1c4    appstream   99 k
 criu                          x86_64  3.15-1.module_el8.4.0+641+6116a774        appstream  511 k
 crun                          x86_64  0.18-2.module_el8.4.0+830+8027e1c4        appstream  185 k
 fuse-common                   x86_64  3.2.1-12.el8                              baseos      21 k
 fuse-overlayfs                x86_64  1.4.0-3.module_el8.4.0+830+8027e1c4       appstream   72 k
 fuse3                         x86_64  3.2.1-12.el8                              baseos      50 k
 fuse3-libs                    x86_64  3.2.1-12.el8                              baseos      94 k
 iptables                      x86_64  1.8.4-17.el8                              baseos     586 k
 jansson                       x86_64  2.11-3.el8                                baseos      46 k
 libnet                        x86_64  1.1.6-15.el8                              appstream   67 k
 libnetfilter_conntrack        x86_64  1.0.6-5.el8                               baseos      65 k
 libnfnetlink                  x86_64  1.0.1-13.el8                              baseos      33 k
 libnftnl                      x86_64  1.1.5-4.el8                               baseos      83 k
 libnl3                        x86_64  3.5.0-1.el8                               baseos     320 k
 libslirp                      x86_64  4.3.1-1.module_el8.4.0+575+63b40ad7       appstream   69 k
 nftables                      x86_64  1:0.9.3-18.el8                            baseos     313 k
 podman-catatonit              x86_64  3.0.1-7.module_el8.4.0+830+8027e1c4       appstream  321 k
 protobuf-c                    x86_64  1.3.0-6.el8                               appstream   37 k
 runc                          x86_64  1.0.0-73.rc93.module_el8.4.0+830+8027e1c4 appstream  3.2 M
 slirp4netns                   x86_64  1.1.8-1.module_el8.4.0+641+6116a774       appstream   51 k
 yajl                          x86_64  2.1.0-10.el8                              appstream   41 k
Enabling module streams:
 container-tools                       rhel8

Transaction Summary
=================================================================================================
Install  24 Packages
Upgrade   1 Package

Total download size: 38 M
Downloading Packages:
(1/25): conmon-2.0.26-3.module_el8.4.0+830+8027  59 kB/s |  52 kB     00:00
(2/25): containers-common-1.2.2-10.module_el8.4  77 kB/s |  99 kB     00:01
(3/25): crun-0.18-2.module_el8.4.0+830+8027e1c4 408 kB/s | 185 kB     00:00
(4/25): fuse-overlayfs-1.4.0-3.module_el8.4.0+8 319 kB/s |  72 kB     00:00
(5/25): criu-3.15-1.module_el8.4.0+641+6116a774 459 kB/s | 511 kB     00:01
(6/25): libnet-1.1.6-15.el8.x86_64.rpm          295 kB/s |  67 kB     00:00
(7/25): libslirp-4.3.1-1.module_el8.4.0+575+63b 296 kB/s |  69 kB     00:00
(8/25): podman-catatonit-3.0.1-7.module_el8.4.0 691 kB/s | 321 kB     00:00
(9/25): protobuf-c-1.3.0-6.el8.x86_64.rpm       168 kB/s |  37 kB     00:00
(10/25): runc-1.0.0-73.rc93.module_el8.4.0+830+ 1.1 MB/s | 3.2 MB     00:02
(11/25): slirp4netns-1.1.8-1.module_el8.4.0+641 233 kB/s |  51 kB     00:00
(12/25): yajl-2.1.0-10.el8.x86_64.rpm           171 kB/s |  41 kB     00:00
(13/25): fuse-common-3.2.1-12.el8.x86_64.rpm    198 kB/s |  21 kB     00:00
(14/25): fuse3-3.2.1-12.el8.x86_64.rpm          438 kB/s |  50 kB     00:00
(15/25): fuse3-libs-3.2.1-12.el8.x86_64.rpm     492 kB/s |  94 kB     00:00
(16/25): iptables-1.8.4-17.el8.x86_64.rpm       879 kB/s | 586 kB     00:00
(17/25): jansson-2.11-3.el8.x86_64.rpm          560 kB/s |  46 kB     00:00
(18/25): libnetfilter_conntrack-1.0.6-5.el8.x86 722 kB/s |  65 kB     00:00
(19/25): libnfnetlink-1.0.1-13.el8.x86_64.rpm   693 kB/s |  33 kB     00:00
(20/25): libnftnl-1.1.5-4.el8.x86_64.rpm        896 kB/s |  83 kB     00:00
(21/25): libnl3-3.5.0-1.el8.x86_64.rpm          1.2 MB/s | 320 kB     00:00
(22/25): nftables-0.9.3-18.el8.x86_64.rpm       1.3 MB/s | 313 kB     00:00
(23/25): iptables-libs-1.8.4-17.el8.x86_64.rpm  1.0 MB/s | 107 kB     00:00
(24/25): podman-3.0.1-7.module_el8.4.0+830+8027 1.7 MB/s |  12 MB     00:06
(25/25): containernetworking-plugins-0.9.1-1.mo 2.0 MB/s |  20 MB     00:09
--------------------------------------------------------------------------------
Total                                           3.8 MB/s |  38 MB     00:10
warning: /var/cache/dnf/appstream-02e86d1c976ab532/packages/conmon-2.0.26-3.module_el8.4.0+830+8027e1c4.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
CentOS Linux 8 - AppStream                      1.6 MB/s | 1.6 kB     00:00
Importing GPG key 0x8483C65D:
 Userid     : "CentOS (CentOS Official Signing Key) <security@centos.org>"
 Fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Upgrading        : iptables-libs-1.8.4-17.el8.x86_64                     1/26
  Installing       : libnftnl-1.1.5-4.el8.x86_64                           2/26
  Running scriptlet: libnftnl-1.1.5-4.el8.x86_64                           2/26
  Installing       : libnfnetlink-1.0.1-13.el8.x86_64                      3/26
  Running scriptlet: libnfnetlink-1.0.1-13.el8.x86_64                      3/26
  Installing       : libnetfilter_conntrack-1.0.6-5.el8.x86_64             4/26
  Running scriptlet: libnetfilter_conntrack-1.0.6-5.el8.x86_64             4/26
  Running scriptlet: iptables-1.8.4-17.el8.x86_64                          5/26
  Installing       : iptables-1.8.4-17.el8.x86_64                          5/26
  Running scriptlet: iptables-1.8.4-17.el8.x86_64                          5/26
  Installing       : libnl3-3.5.0-1.el8.x86_64                             6/26
  Running scriptlet: libnl3-3.5.0-1.el8.x86_64                             6/26
  Installing       : jansson-2.11-3.el8.x86_64                             7/26
  Installing       : nftables-1:0.9.3-18.el8.x86_64                        8/26
  Running scriptlet: nftables-1:0.9.3-18.el8.x86_64                        8/26
  Installing       : fuse3-libs-3.2.1-12.el8.x86_64                        9/26
  Running scriptlet: fuse3-libs-3.2.1-12.el8.x86_64                        9/26
  Installing       : fuse-common-3.2.1-12.el8.x86_64                      10/26
  Installing       : fuse3-3.2.1-12.el8.x86_64                            11/26
  Installing       : fuse-overlayfs-1.4.0-3.module_el8.4.0+830+8027e1c4   12/26
  Running scriptlet: fuse-overlayfs-1.4.0-3.module_el8.4.0+830+8027e1c4   12/26
  Installing       : yajl-2.1.0-10.el8.x86_64                             13/26
  Installing       : crun-0.18-2.module_el8.4.0+830+8027e1c4.x86_64       14/26
  Installing       : protobuf-c-1.3.0-6.el8.x86_64                        15/26
  Installing       : libslirp-4.3.1-1.module_el8.4.0+575+63b40ad7.x86_6   16/26
  Installing       : slirp4netns-1.1.8-1.module_el8.4.0+641+6116a774.x8   17/26
  Installing       : containers-common-1:1.2.2-10.module_el8.4.0+830+80   18/26
  Installing       : libnet-1.1.6-15.el8.x86_64                           19/26
  Running scriptlet: libnet-1.1.6-15.el8.x86_64                           19/26
  Installing       : criu-3.15-1.module_el8.4.0+641+6116a774.x86_64       20/26
  Installing       : runc-1.0.0-73.rc93.module_el8.4.0+830+8027e1c4.x86   21/26
  Installing       : containernetworking-plugins-0.9.1-1.module_el8.4.0   22/26
  Installing       : conmon-2:2.0.26-3.module_el8.4.0+830+8027e1c4.x86_   23/26
  Installing       : podman-catatonit-3.0.1-7.module_el8.4.0+830+8027e1   24/26
  Installing       : podman-3.0.1-7.module_el8.4.0+830+8027e1c4.x86_64    25/26
  Cleanup          : iptables-libs-1.8.4-15.el8.x86_64                    26/26
  Running scriptlet: iptables-libs-1.8.4-15.el8.x86_64                    26/26
  Verifying        : conmon-2:2.0.26-3.module_el8.4.0+830+8027e1c4.x86_    1/26
  Verifying        : containernetworking-plugins-0.9.1-1.module_el8.4.0    2/26
  Verifying        : containers-common-1:1.2.2-10.module_el8.4.0+830+80    3/26
  Verifying        : criu-3.15-1.module_el8.4.0+641+6116a774.x86_64        4/26
  Verifying        : crun-0.18-2.module_el8.4.0+830+8027e1c4.x86_64        5/26
  Verifying        : fuse-overlayfs-1.4.0-3.module_el8.4.0+830+8027e1c4    6/26
  Verifying        : libnet-1.1.6-15.el8.x86_64                            7/26
  Verifying        : libslirp-4.3.1-1.module_el8.4.0+575+63b40ad7.x86_6    8/26
  Verifying        : podman-3.0.1-7.module_el8.4.0+830+8027e1c4.x86_64     9/26
  Verifying        : podman-catatonit-3.0.1-7.module_el8.4.0+830+8027e1   10/26
  Verifying        : protobuf-c-1.3.0-6.el8.x86_64                        11/26
  Verifying        : runc-1.0.0-73.rc93.module_el8.4.0+830+8027e1c4.x86   12/26
  Verifying        : slirp4netns-1.1.8-1.module_el8.4.0+641+6116a774.x8   13/26
  Verifying        : yajl-2.1.0-10.el8.x86_64                             14/26
  Verifying        : fuse-common-3.2.1-12.el8.x86_64                      15/26
  Verifying        : fuse3-3.2.1-12.el8.x86_64                            16/26
  Verifying        : fuse3-libs-3.2.1-12.el8.x86_64                       17/26
  Verifying        : iptables-1.8.4-17.el8.x86_64                         18/26
  Verifying        : jansson-2.11-3.el8.x86_64                            19/26
  Verifying        : libnetfilter_conntrack-1.0.6-5.el8.x86_64            20/26
  Verifying        : libnfnetlink-1.0.1-13.el8.x86_64                     21/26
  Verifying        : libnftnl-1.1.5-4.el8.x86_64                          22/26
  Verifying        : libnl3-3.5.0-1.el8.x86_64                            23/26
  Verifying        : nftables-1:0.9.3-18.el8.x86_64                       24/26
  Verifying        : iptables-libs-1.8.4-17.el8.x86_64                    25/26
  Verifying        : iptables-libs-1.8.4-15.el8.x86_64                    26/26

Upgraded:
  iptables-libs-1.8.4-17.el8.x86_64

Installed:
  conmon-2:2.0.26-3.module_el8.4.0+830+8027e1c4.x86_64
  containernetworking-plugins-0.9.1-1.module_el8.4.0+781+acf4c33b.x86_64
  containers-common-1:1.2.2-10.module_el8.4.0+830+8027e1c4.x86_64
  criu-3.15-1.module_el8.4.0+641+6116a774.x86_64
  crun-0.18-2.module_el8.4.0+830+8027e1c4.x86_64
  fuse-common-3.2.1-12.el8.x86_64
  fuse-overlayfs-1.4.0-3.module_el8.4.0+830+8027e1c4.x86_64
  fuse3-3.2.1-12.el8.x86_64
  fuse3-libs-3.2.1-12.el8.x86_64
  iptables-1.8.4-17.el8.x86_64
  jansson-2.11-3.el8.x86_64
  libnet-1.1.6-15.el8.x86_64
  libnetfilter_conntrack-1.0.6-5.el8.x86_64
  libnfnetlink-1.0.1-13.el8.x86_64
  libnftnl-1.1.5-4.el8.x86_64
  libnl3-3.5.0-1.el8.x86_64
  libslirp-4.3.1-1.module_el8.4.0+575+63b40ad7.x86_64
  nftables-1:0.9.3-18.el8.x86_64
  podman-3.0.1-7.module_el8.4.0+830+8027e1c4.x86_64
  podman-catatonit-3.0.1-7.module_el8.4.0+830+8027e1c4.x86_64
  protobuf-c-1.3.0-6.el8.x86_64
  runc-1.0.0-73.rc93.module_el8.4.0+830+8027e1c4.x86_64
  slirp4netns-1.1.8-1.module_el8.4.0+641+6116a774.x86_64
  yajl-2.1.0-10.el8.x86_64

Complete!
Removing intermediate container f4ba6ffb5e39
 ---> fb283086e375
Step 4/4 : RUN podman --storage-driver=vfs info --debug
 ---> Running in 8100e99e976e
host:
  arch: amd64
  buildahVersion: 1.19.8
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.26-3.module_el8.4.0+830+8027e1c4.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.26, commit: 9dea73702793340168deaa5a0d21ca5ce1fcb5d7'
  cpus: 2
  distribution:
    distribution: '"centos"'
    version: "8"
  eventLogger: file
  hostname: 8100e99e976e
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.4.0-74-generic
  linkmode: dynamic
  memFree: 2298097664
  memTotal: 4127293440
  ociRuntime:
    name: runc
    package: runc-1.0.0-73.rc93.module_el8.4.0+830+8027e1c4.x86_64
    path: /usr/bin/runc
    version: |-
      runc version spec: 1.0.2-dev
      go: go1.15.7
      libseccomp: 2.4.3
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 21468762112
  swapTotal: 21474828288
  uptime: 485h 46m 13.4s (Approximately 20.21 days)
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus: {}
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 1623427124
  BuiltTime: Fri Jun 11 15:58:44 2021
  GitCommit: ""
  GoVersion: go1.15.7
  OsArch: linux/amd64
  Version: 3.0.2-dev

Removing intermediate container 8100e99e976e
 ---> 288bd56d4cd5
Successfully built 288bd56d4cd5
Successfully tagged test:latest

@lmgray
Author

lmgray commented Jun 29, 2021

I think something is more fundamentally broken @rhatdan 

No docker build is needed to see the problem with 3.2.1:

$ docker run -it quay.io/podman/stable:latest bash
[root@c43644117d3d /]# podman --storage-driver=vfs version
cannot clone: Operation not permitted
Error: cannot re-exec process
[root@c43644117d3d /]# podman --storage-driver=vfs info
cannot clone: Operation not permitted
Error: cannot re-exec process
[root@c43644117d3d /]# podman --storage-driver=vfs --version
podman version 3.2.1
[root@c43644117d3d /]#

But with 3.1.2 it was fine:

$ docker run -it quay.io/podman/stable:v3.1.2 bash
[root@e3baacc48a60 /]# podman --storage-driver=vfs version
Version:      3.1.2
API Version:  3.1.2
Go Version:   go1.15.8
Built:        Thu Apr 22 13:21:33 2021
OS/Arch:      linux/amd64
[root@e3baacc48a60 /]# podman --storage-driver=vfs info
host:
  arch: amd64
  buildahVersion: 1.20.1
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.27-2.fc33.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.27, commit: '
  cpus: 2
  distribution:
    distribution: fedora
    version: "33"
  eventLogger: file
  hostname: e3baacc48a60
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.4.0-74-generic
  linkmode: dynamic
  memFree: 1048702976
  memTotal: 4127293440
  ociRuntime:
    name: crun
    package: crun-0.19.1-2.fc33.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.19.1
      commit: 1535fedf0b83fb898d449f9680000f729ba719f5
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 21468762112
  swapTotal: 21474828288
  uptime: 487h 7m 14.59s (Approximately 20.29 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus: {}
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.1.2
  Built: 1619097693
  BuiltTime: Thu Apr 22 13:21:33 2021
  GitCommit: ""
  GoVersion: go1.15.8
  OsArch: linux/amd64
  Version: 3.1.2

[root@e3baacc48a60 /]# podman --storage-driver=vfs --version
podman version 3.1.2
[root@e3baacc48a60 /]# 

appears to be a 3.2.x issue:

$ docker run quay.io/podman/stable:v3.1.2 podman --storage-driver=vfs version
Version:      3.1.2
API Version:  3.1.2
Go Version:   go1.15.8
Built:        Thu Apr 22 13:21:33 2021
OS/Arch:      linux/amd64

$ docker run quay.io/podman/stable:v3.2.0 podman --storage-driver=vfs version
cannot clone: Operation not permitted
Error: cannot re-exec process

$ docker run quay.io/podman/stable:v3.2.1 podman --storage-driver=vfs version
cannot clone: Operation not permitted
Error: cannot re-exec process

@rhatdan
Member

rhatdan commented Jun 29, 2021

Try

docker run --security-opt label=disable --security-opt seccomp=unconfined quay.io/podman/stable:v3.2.1 podman run --storage-driver=vfs -v /proc:/proc alpine echo hello

If you don't have SELinux no need for label=disable.

@lmgray
Author

lmgray commented Jun 29, 2021

tried both with and without label=disable to be sure -- errors on both:

$ docker run --security-opt seccomp=unconfined quay.io/podman/stable:v3.2.1 podman run --storage-driver=vfs -v /proc:/proc alpine echo hello
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b
Copying config sha256:d4ff818577bc193b309b355b02ebc9220427090057b54a59e73b79bdfe139b83
Writing manifest to image destination
Storing signatures
time="2021-06-29T20:46:10Z" level=error msg="Error while applying layer: ApplyLayer exit status 1 stdout:  stderr: remount /, flags: 0x44000: permission denied"
Error: Error committing the finished image: error adding layer with blob "sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b": ApplyLayer exit status 1 stdout:  stderr: remount /, flags: 0x44000: permission denied


$ docker run --security-opt label=disable --security-opt seccomp=unconfined quay.io/podman/stable:v3.2.1 podman run --storage-driver=vfs -v /proc:/proc alpine echo hello
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b
Copying config sha256:d4ff818577bc193b309b355b02ebc9220427090057b54a59e73b79bdfe139b83
Writing manifest to image destination
Storing signatures
time="2021-06-29T20:46:19Z" level=error msg="Error while applying layer: ApplyLayer exit status 1 stdout:  stderr: remount /, flags: 0x44000: permission denied"
Error: Error committing the finished image: error adding layer with blob "sha256:5843afab387455b37944e709ee8c78d7520df80f8d01cf7f861aae63beeddb6b": ApplyLayer exit status 1 stdout:  stderr: remount /, flags: 0x44000: permission denied

@lmgray
Author

lmgray commented Jun 29, 2021

works with --privileged -- did not used to need this (podman <= 3.2.1) and not an option with docker build ...

$ docker run --privileged quay.io/podman/stable:v3.2.1 podman --storage-driver=vfs version
Version:      3.2.1
API Version:  3.2.1
Go Version:   go1.16.3
Built:        Mon Jun 14 19:12:29 2021
OS/Arch:      linux/amd64

$ docker run --privileged quay.io/podman/stable:v3.2.1 podman --storage-driver=vfs info --debug
host:
  arch: amd64
  buildahVersion: 1.21.0
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  - rdma
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.27-2.fc34.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.27, commit: '
  cpus: 2
  distribution:
    distribution: fedora
    version: "34"
  eventLogger: file
  hostname: 04d64a2642e6
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.4.0-74-generic
  linkmode: dynamic
  memFree: 375701504
  memTotal: 4127293440
  ociRuntime:
    name: crun
    package: crun-0.20.1-1.fc34.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.20.1
      commit: 0d42f1109fd73548f44b01b3e84d04a279e99d2e
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 21468762112
  swapTotal: 21474828288
  uptime: 490h 2m 33.74s (Approximately 20.42 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus: {}
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.2.1
  Built: 1623697949
  BuiltTime: Mon Jun 14 19:12:29 2021
  GitCommit: ""
  GoVersion: go1.16.3
  OsArch: linux/amd64
  Version: 3.2.1

@lmgray
Author

lmgray commented Jun 29, 2021

seems --security-opt seccomp=unconfined is enough:

$ docker run  --security-opt seccomp=unconfined quay.io/podman/stable:v3.2.1 podman --storage-driver=vfs info --debug
host:
  arch: amd64
  buildahVersion: 1.21.0
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.27-2.fc34.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.27, commit: '
  cpus: 2
  distribution:
    distribution: fedora
    version: "34"
  eventLogger: file
  hostname: 84ed2a5932f1
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 0
      size: 1
    - container_id: 1
      host_id: 1
      size: 4294967294
    uidmap:
    - container_id: 0
      host_id: 0
      size: 1
    - container_id: 1
      host_id: 1
      size: 4294967294
  kernel: 5.4.0-74-generic
  linkmode: dynamic
  memFree: 348037120
  memTotal: 4127293440
  ociRuntime:
    name: crun
    package: crun-0.20.1-1.fc34.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.20.1
      commit: 0d42f1109fd73548f44b01b3e84d04a279e99d2e
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/0/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.9-1.fc34.x86_64
    version: |-
      slirp4netns version 1.1.8+dev
      commit: 6dc0186e020232ae1a6fcc1f7afbc3ea02fd3876
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.0
  swapFree: 21468762112
  swapTotal: 21474828288
  uptime: 490h 6m 24.15s (Approximately 20.42 days)
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /root/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus: {}
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.2.1
  Built: 1623697949
  BuiltTime: Mon Jun 14 19:12:29 2021
  GitCommit: ""
  GoVersion: go1.16.3
  OsArch: linux/amd64
  Version: 3.2.1

@lmgray
Author

lmgray commented Jun 29, 2021

--security-opt seccomp=unconfined doesn't seem to be an option to perform docker builds:

$ docker build -t test --security-opt seccomp=unconfined .
Sending build context to Docker daemon   2.56kB
Error response from daemon: The daemon on this platform does not support setting security options on build

@rhatdan
Member

rhatdan commented Jun 29, 2021

Why would you need to?

@lmgray
Author

lmgray commented Jun 29, 2021

podman/buildah is not a mature, drop-in replacement for docker for container builds in jenkins pipelines.  We support a common Jenkins CICD pipeline used across numerous teams to build hundreds of projects, most of which are not interested in making the switch to podman.  We will need to support docker as a container build tool for some time as we try to increase podman adoption.

Until the 3.2.x versions, we've been able to maintain a single Jenkins agent with both docker and podman (as well as a long list of other build tools) -- if we can't support docker and podman side-by-side, it's going to be difficult to increase podman adoption. For example, we use docker for most container builds, but have adopted Pod Manager container signing (skopeo copy --sign-by, podman push --sign-by) for image signing and verification.

If running podman in docker/kubernetes isn't a supported configuration, we've got some rethinking to do.  Was this a known/intentional change in 3.2.x?

@rhatdan
Member

rhatdan commented Jun 29, 2021

Sure, but I am asking why docker build has a relation to Podman. Are you using docker build against a Podman backend?

@lmgray
Author

lmgray commented Jun 29, 2021

No, we're using podman in a docker (kubernetes pod) container "back end".  Our CICD infrastructure is Jenkins hosted in IBM Cloud -- our Jenkins agents are Centos 8 containers running as IBM Cloud kubernetes pods.  These Centos 8 containers have podman installed (and docker and other tools).  Within these pods, we perform docker builds.  So, we have a container running in kubernetes that does docker builds (docker-in-docker) that need to execute podman commands.  As of podman 3.2.1, we found this no longer works (see above) for example of docker build that no longer works when run in a container.  We can't run a docker build with a Dockerfile that installs and executes podman commands.  Follow up testing shows it's not jenkins or kubernetes -- or docker build.  There seems to be a new requirement for podman 3.2.1 running in containers to have privileges that weren't needed before -- privileges we can't seem to grant to a docker build.

Simplest example, we can't docker build the following to bootstrap our podman build image with podman 3.2.1 (worked with 3.1.2):

FROM centos:8

USER root

RUN dnf -y module disable container-tools \
    && dnf -y install 'dnf-command(copr)' \
    && dnf -y copr enable rhcontainerbot/container-selinux \
    && curl -sSL -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_8/devel:kubic:libcontainers:stable.repo

RUN dnf -y install podman


RUN podman --storage-driver=vfs info --debug

@lmgray
Author

lmgray commented Jun 30, 2021

Thinking about this more...  for our use case, I think we only need to use podman during a docker build when we're building our build agent (i.e. bootstrapping it).  When building our jenkins agent, we install podman and then run podman version and podman info to test the install -- but could live without that I suppose.  Later in the jenkins agent build, we use podman image trust set ... to set some defaults -- can probably postpone that so instead of baking the settings into the jenkins agent, do them at runtime where we're running docker-in-docker docker builds but probably not using podman within docker builds.  I'll explore workarounds for our use case, but I think it's unfortunate if we're saying "running podman > 3.1 in a docker build isn't supported"...  Again, I wonder what changed in podman 3.2 and was it by design?

@rhatdan
Member

rhatdan commented Jun 30, 2021

Running podman within a Docker build is going to be difficult, for a lot of use cases. What you are seeing is we moved some of the commands under the user namespace when the CAP_SYS_ADMIN capability is not allowed.
If you run docker build --cap-add CAP_SYS_ADMIN ... Podman would probably work.

@rhatdan
Member

rhatdan commented Jun 30, 2021

Oops docker build does not have --cap-add, but podman build does.

@lmgray
Author

lmgray commented Jun 30, 2021

OK, sounds like this was a choice -- makes me sad because it runs counter to the main "What is Podman" value prop: https://podman.io/whatis.html#what-is-podman-simply-put-alias-dockerpodman

I'll work on refactoring our Jenkins agent build to not use podman in the docker build context.

@rhatdan
Member

rhatdan commented Jun 30, 2021

Well, no. If you want to have podman inside of a container talking to the podman service on the host, then that will work without a user namespace. This is what Docker in Docker does, I believe. I don't think you can run docker containers within a docker build?

podman --remote will work if you leak the podman socket from the host into the container.

@lmgray
Author

lmgray commented Jun 30, 2021

I don't think you can run docker containers within a docker build?

That might well not work -- never tried...   I wasn't trying to run containers with podman.  Previously, using podman version, podman info, commands after podman install to confirm it's installed properly and podman image trust set to prep the image for using podman (in privileged mode) to run builds worked -- never thought about what it was really trying to do...

version, info, image commands worked with podman < 3.2 but apparently no longer possible.  For our use case, I think we can move that setup from image build time to container run time where we're in privileged mode and I think this should work.

OK to close as "works as designed"

@rhatdan
Member

rhatdan commented Jun 30, 2021

Thanks, sorry about breaking your workflow. You can always get rid of docker engine on the host and switch to Podman everywhere. :^)

@rhatdan rhatdan closed this as completed Jun 30, 2021
@lmgray
Author

lmgray commented Jun 30, 2021

Podman's not an easy swap in Jenkins workflows I'm afraid -- no great love for docker, but podman isn't CLI compatible enough to "alias podman=docker" yet.  Hopefully in time!

@fooishbar

@rhatdan It looks like we're hitting this using the freedesktop.org ci-templates for GitLab CI builds. Those builds execute in a runc (because that's what GitLab upstream maintains for the CI runner) environment and then go on to use podman/buildah/skopeo (because they're nice tools).

Unfortunately this doesn't work anymore, even when the CI containers are run with the equivalent of --privileged. We can add unconfined seccomp to that, but that seems like a global decrease in security to support podman's desire to locally increase security? gitlab-runner can run Podman instead of runc as its native backend, but that would mean a) our entire CI infrastructure relies on a single-person GitHub repo, and b) more time doing this and less time writing window systems. A lot of our infrastructure also runs on k3s which also only supports containerd.

Not whinging here or demanding a revert, but hopefully this helps you understand some of the uses people have for podman and why running Podman under containerd is unavoidable sometimes. Thanks for all the tooling.

@rhatdan
Member

rhatdan commented Jul 27, 2021

My understanding of this is that podman info used to work without the clone. But podman run, start, mount, umount ... would not work without clone. Are you seeing something different? If so, then let's move to a new issue.

@mheon
Member

mheon commented Jul 27, 2021

Did we ever verify what caused this? Because I would lean towards a change in the Seccomp profile of the outer container, as opposed to a change to Podman itself - I cannot imagine rootless Podman (beyond trivial commands - podman version, maybe podman info) ever worked without clone being allowed so we can create a new user namespace. The user namespace requirement is fundamental for rootless containers.

@cevich
Member

cevich commented Jul 27, 2021

Did we ever verify what caused this

I don't think so. I seem to recall a time when podman version DID work without clone (under docker, as rootless), then suddenly stopped. But I could easily be mistaken. For my use-case, I worked around it by using --version instead. In other words, it's entirely possible something was overlooked or not scrutinized enough.

@lmgray
Author

lmgray commented Jul 27, 2021

was working prior to release of podman 3.2.1 (i.e. worked until last week under podman 3.1.2)

podman version, podman info, podman image trust set ... were all working in 3.1.2 -- broke for me with 3.2.x

Used them to verify, initialize podman config in Jenkins jnlp agent docker build -- had to move all that to run time when the container is running --privileged as we couldn't find a way to grant needed privs in docker build context

@mheon
Member

mheon commented Jul 27, 2021

There were no direct changes to the way we call clone() - last change to that happened in 2018. From the manpage for clone() there are cases where it can EPERM, but they are all fundamentally environment issues, and I don't think any of them changed 3.1.x to 3.2.x.

However, digging through the changelog, I did find a very suspicious commit: Podman, as of 3.2.x, will (when run as root in an environment without CAP_SYS_ADMIN - which seems to describe the current case very well) attempt to use the rootless setup code to configure a user namespace so we can run containers in confined environments. The podman info provided before backs up the fact that Podman is running as root inside the container, and since it's not privileged CAP_SYS_ADMIN should not be available - I think this is it. This code never ran before 3.2.x because we were not creating the user namespace - that's why we're only being blocked by Seccomp (or one of the environment conditions I listed before) as of now.

It seems reasonable that a very limited subset of commands work without CAP_SYS_ADMIN and thus would be usable on 3.1.x inside such containers (creating containers almost certainly would not).

@rhatdan I believe this was your code, PTAL.

@mheon
Member

mheon commented Jul 27, 2021

As to why Podman-in-Podman works but Podman-in-Docker does not, our default Seccomp policy allows CLONE_NEWUSER while theirs does not.
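A small diagnostic for the two explanations above (the 3.2.x rootless-setup code now needing a user namespace when CAP_SYS_ADMIN is absent, and Docker's default seccomp policy refusing CLONE_NEWUSER), added here as an example and not code from Podman or from anyone in this thread: it runs unshare(CLONE_NEWUSER) in a forked child, reads CapEff and Seccomp from /proc/self/status, and reports which condition produced the "Operation not permitted". It assumes Linux with procfs, CAP_SYS_ADMIN being capability number 21, and the Docker default profile gating namespace creation on CAP_SYS_ADMIN; the DIAG_* names, DIAG_TEXT strings and the diagnose() rules are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Capability number of CAP_SYS_ADMIN (linux/capability.h) is 21: bit 21 of CapEff. */
#define CAP_SYS_ADMIN_BIT 21
enum diag {
    DIAG_OK,          /* user namespace created: podman's clone() re-exec would get through */
    DIAG_SECCOMP,     /* EPERM, seccomp filter active, no CAP_SYS_ADMIN: Docker default profile pattern */
    DIAG_POLICY,      /* EPERM from another policy: LSM, sysctl disabling user namespaces, chroot */
    DIAG_UNSUPPORTED, /* EINVAL: kernel without CONFIG_USER_NS, or a multithreaded caller */
    DIAG_LIMIT,       /* ENOSPC/EUSERS: namespace nesting or count limit reached */
    DIAG_OTHER        /* anything else, including a child killed by a SIGSYS seccomp action */
};

static const char *const DIAG_TEXT[] = {
    "user namespaces allowed; the re-exec should succeed",
    "EPERM under a seccomp filter without CAP_SYS_ADMIN: matches the Docker default profile case",
    "EPERM from a non-seccomp policy (LSM, sysctl, chroot): check the host",
    "EINVAL: user namespaces unsupported in this context",
    "namespace limit reached (ENOSPC/EUSERS)",
    "unexpected failure: confirm the syscall result with strace",
};

/* Copy the value of one "Key:" line of /proc/self/status into buf; 1 if found. */
static int read_status_field(const char *key, char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return 0;
    char line[256];
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, key, strlen(key)) != 0) continue;
        const char *v = line + strlen(key);
        while (*v == ' ' || *v == '\t') v++;
        snprintf(buf, len, "%s", v);
        buf[strcspn(buf, "\n")] = '\0';
        fclose(f);
        return 1;
    }
    fclose(f);
    return 0;
}

/* 1 if CAP_SYS_ADMIN is in the effective set, 0 if not, -1 if /proc is unreadable. */
int have_cap_sys_admin(void)
{
    char buf[64];
    if (!read_status_field("CapEff:", buf, sizeof buf)) return -1;
    return (int)((strtoull(buf, NULL, 16) >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

/* Seccomp mode of this process: 0 disabled, 1 strict, 2 filter; -1 if unknown. */
int seccomp_mode(void)
{
    char buf[64];
    if (!read_status_field("Seccomp:", buf, sizeof buf)) return -1;
    return atoi(buf);
}

/* Try unshare(CLONE_NEWUSER) in a forked child so a multithreaded parent does not turn
 * every result into EINVAL. Returns 0, the child's errno, or -1 if the child was killed. */
int probe_clone_newuser(void)
{
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) != 0) _exit(errno);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return errno;
    if (!WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Combine the probe result with the environment facts into one diagnosis. */
enum diag diagnose(int probe_err, int cap_sys_admin, int seccomp)
{
    if (probe_err == 0) return DIAG_OK;
    if (probe_err == EPERM && seccomp == 2 && cap_sys_admin == 0) return DIAG_SECCOMP;
    if (probe_err == EPERM) return DIAG_POLICY;
    if (probe_err == EINVAL) return DIAG_UNSUPPORTED;
    if (probe_err == ENOSPC || probe_err == EUSERS) return DIAG_LIMIT;
    return DIAG_OTHER;
}

int main(void)
{
    int err = probe_clone_newuser(), cap = have_cap_sys_admin(), sc = seccomp_mode();
    printf("unshare(CLONE_NEWUSER): %s\n", err == 0 ? "ok" : err > 0 ? strerror(err) : "child killed");
    printf("CAP_SYS_ADMIN in CapEff: %d, Seccomp mode: %d\n", cap, sc);
    printf("diagnosis: %s\n", DIAG_TEXT[diagnose(err, cap, sc)]);
    return err == 0 ? 0 : 1;
}
```

Run it inside the outer container (docker run with and without --security-opt seccomp=unconfined) to see the EPERM flip to success while CapEff stays the same, which is the seccomp-not-capabilities distinction the thread arrives at.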

@rhatdan
Member

rhatdan commented Jul 28, 2021

I made changes to fix a bug to move most of these commands into the user namespace which is why they are failing now.

@appmana-accounts

This is a real bug; should I just keep using 3.1.x? Is there an easy way to install just this version in a docker container?

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 20, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 20, 2023