-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Since kernel 6.1.28-rpi4, can't start pods or containers in rootless #18696
Comments
Please provide steps to reproduce this, how do you create/run the containers and pods? |
I create pods and containers in theses pods with ansible playbooks. This method is fully functionnal in all GNU/Linux based systems including WSL. The real user is named podman. I have no problem in Arch x86 or other distros. The problem is just with rpi4 in arm64 based kernel since 6.1.28 |
Why do think this is a podman bug? Sounds more like a kernel regression then. |
Playbook example all secret infos are censored:
|
That's why I send a bug here: They said, this bug is up to podman team |
After recreating the pod. It is now fully fuctionnal. BUT WHY ??? |
FYI, I said "The podman devs are still much more likely to know what is going wrong (especially when you've provided so little information)". |
Anyway for me the bug is solved. Don't know exactly if it's originally a podman bug or podman bug caused by last kernels. Sorry but you had all informations for a simple permission denied in RLIMIT config. The bug is solved by recreating the pods. It's not a good option I think especialy in prod env with lots of pods, but that's sufficiant for me. |
My best guess is that the NPROC limit changed between the two kernel versions, you can check with I think it is the same underlying issue as #18555 |
ulimit -u value has not changed between the change of kernel and not changed after recreating the pods...
Don't think this the same as #18555 |
I noticed the limit changes occasionally on my Fedora install. Every reboot it seems to have a chance of changing. From another comment I made:
|
Yeah I think it is clear now that we cannot treat NPROC as static. Thus we should not set the limit on container creation, instead set it on each start so it will be always based on current value. |
Fixed in #18721 so it will be in the next podman version. |
Issue Description
Since kernel 6.1.28-rpi4, can't start pods or containers in rootless (Arch Arm). Tested in two RPI4 devices. Downgrade to 6.1.27 solves the problem.
Podman Version
Client: Podman Engine
Version: 4.5.0
API Version: 4.5.0
Go Version: go1.20.4
Git Commit: 75e3c12-dirty
Built: Sun May 14 22:57:05 2023
OS/Arch: linux/arm64
Kernel
Linux 6.1.29-2-rpi-ARCH #1 SMP PREEMPT Thu May 25 05:17:11 MDT 2023 aarch64 GNU/Linux
Steps to reproduce the issue
Steps to reproduce the issue
Upgrade to kernel 6.1.28 and your rootless pods/containers are broken
Describe the results you received
This is the error:
Error: starting container 4d5fbe664ff0bf716556b20c774610e5eb058d2ff808a4265e65979f38502fac: a dependency of container 4d5fbe664ff0bf716556b20c774610e5eb058d2ff808a4265e65979f38502fac failed to start: container state improper Error: starting container 5637c53445934b36bd829a43380762f0d29a01ebb0d93702e424c6f7661d2377: crun: setrlimit
RLIMIT_NPROC: Operation not permitted: OCI permission denied
Describe the results you expected
Just wants my pods function
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
Additional environment details
Additional information
Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting
The text was updated successfully, but these errors were encountered: