-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Running multiple rootless containers in parallel with toolbox-like UID mapping results in "conmon.pid: permission denied" #3187
Comments
So you ran @giuseppe PTAL |
(That error is actually exactly what |
@mheon One more thing to highlight which might be easy to miss in the logs. The error message in #2935 was with the old |
we managed to break it again when we dropped the intermediate namespace. I am going to work on a fix for toolbox. This should not happen anymore in future as we have a pause process, but let's have a workaround for now to not have another breaking change for existing running containers |
@jistr could try out the PR I've just opened? |
@giuseppe Thanks for such a quick fix. I will do my best to try when i get home (i'm not hitting this bug at work). I'm not a Go dev (go Rust! :D ) and my dev workflow on my home machine is a bit troublesome right now because of this very bug, so i can't promise results with certainty, but i'll try :). |
I reported a similar issue in Toolbox1, someone pointed this issue there (this issue may related to my original issue).
|
@debarshiray from the next 1.4 release rootless containers are out of tech preview and there won't be more breaking changes. I am going to work on something like |
I tested latest-at-the-time commit 6bca80bdfebf9d390ce1a9786ae6101c87f1322d and it does fix the issue for me. Thanks @giuseppe! Let me know if you want me to retest again with later/final version. Also +1 on the idea of |
move the logic for joining existing namespaces down to the rootless package. In main_local we still retrieve the list of conmon pid files and use it from the rootless package. In addition, create a temporary user namespace for reading these files, as the unprivileged user might not have enough privileges for reading the conmon pid file, for example when running with a different uidmap and root in the container is different than the rootless user. Closes: containers#3187 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Running Fedora Silverblue 30 with Podman 1.3.1, i can't run multiple containers with toolbox-like UID mapping in parallel. First i tought this is #2935 or #2673 but i no longer think so. I ran
podman system migrate
, and eventually i ran alsorm -rf .local/share/containers
, so the containers (and images too) were created on the most recent Podman, but none of that helped. This worked fine before -- i'm not sure which version of Podman i was using previously but i think it was 1.2.FYI @debarshiray, i guess this must be affecting toolbox on Silverblue 30.
Steps to reproduce the issue:
Here's a minimal reproducer script
test.sh
:Describe the results you received:
Run
./test.sh
for the first time, it prints "Hi from container." just once. On a subsequent run it prints "Hi from container." just once, but it's then also followed by errorconmon.pid: permission denied
. Full output and full error message below:Describe the results you expected:
The
test.sh
script should print "Hi from container." twice.Output of
podman version
:Output of
podman info --debug
:Additional environment details (AWS, VirtualBox, physical, etc.):
Physical host, Fedora Silverblue 30.
The text was updated successfully, but these errors were encountered: