"/sys" caused: mount through procfd: operation not permitted: OCI permission denied

[jianzhangbjz]

Issue Description

Podman run failed at the followings,

[cloud-user@preserve-olm-env2 jian]$ podman run --group-add keep-groups --privileged --rm -ti quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx
Error: runc: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:75: mounting "sysfs" to rootfs at "/sys" caused: mount through procfd: operation not permitted: OCI permission denied

Steps to reproduce the issue

Steps to reproduce the issue

1. Podman pull an image, such as

[cloud-user@preserve-olm-env2 jian]$ podman pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx
...

2. Run podman run --group-add keep-groups --privileged --rm -ti quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx

Describe the results you received

[cloud-user@preserve-olm-env2 jian]$ podman run --log-level=debug  --group-add keep-groups --privileged --rm -ti quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx
INFO[0000] podman filtering at log level debug          
DEBU[0000] Called run.PersistentPreRunE(podman run --log-level=debug --group-add keep-groups --privileged --rm -ti quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx) 
DEBU[0000] Merged system config "/usr/share/containers/containers.conf" 
DEBU[0000] Using conmon: "/usr/bin/conmon"              
DEBU[0000] Initializing boltdb state at /home/cloud-user/.local/share/containers/storage/libpod/bolt_state.db 
DEBU[0000] Using graph driver overlay                   
DEBU[0000] Using graph root /home/cloud-user/.local/share/containers/storage 
DEBU[0000] Using run root /run/user/1000/containers     
DEBU[0000] Using static dir /home/cloud-user/.local/share/containers/storage/libpod 
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp      
DEBU[0000] Using volume path /home/cloud-user/.local/share/containers/storage/volumes 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] overlay: storage already configured with a mount-program 
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false 
DEBU[0000] Initializing event backend file              
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument 
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument 
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument 
DEBU[0000] Using OCI runtime "/usr/bin/runc"            
INFO[0000] Setting parallel job count to 25             
DEBU[0000] Pulling image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx (policy: missing) 
DEBU[0000] Looking up image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" in local containers storage 
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux  [] } 
DEBU[0000] Trying "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" ... 
DEBU[0000] parsed reference into "[overlay@/home/cloud-user/.local/share/containers/storage+/run/user/1000/containers]@xxxx" 
DEBU[0000] Found image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" as "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" in local containers storage 
DEBU[0000] Found image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" as "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" in local containers storage ([overlay@/home/cloud-user/.local/share/containers/storage+/run/user/1000/containers]@xxxx) 
DEBU[0000] Looking up image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" in local containers storage 
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux  [] } 
DEBU[0000] Trying "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" ... 
DEBU[0000] parsed reference into "[overlay@/home/cloud-user/.local/share/containers/storage+/run/user/1000/containers]@xxxx" 
DEBU[0000] Found image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" as "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" in local containers storage 
DEBU[0000] Found image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" as "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" in local containers storage ([overlay@/home/cloud-user/.local/share/containers/storage+/run/user/1000/containers]@xxxx) 
DEBU[0000] Looking up image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" in local containers storage 
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux  [] } 
DEBU[0000] Trying "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" ... 
DEBU[0000] parsed reference into "[overlay@/home/cloud-user/.local/share/containers/storage+/run/user/1000/containers]@xxxx" 
DEBU[0000] Found image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" as "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" in local containers storage 
DEBU[0000] Found image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" as "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx" in local containers storage ([overlay@/home/cloud-user/.local/share/containers/storage+/run/user/1000/containers]@xxxx) 
DEBU[0000] Inspecting image xxxx 
DEBU[0000] exporting opaque data as blob "sha256:xxxx" 
DEBU[0000] exporting opaque data as blob "sha256:xxxx" 
DEBU[0000] exporting opaque data as blob "sha256:xxxx" 
DEBU[0000] Inspecting image xxxx 
DEBU[0000] Inspecting image xxxx 
DEBU[0000] Inspecting image xxxx 
DEBU[0000] using systemd mode: false                    
DEBU[0000] No hostname set; container's hostname will default to runtime default 
DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json" 
DEBU[0000] Allocated lock 2 for container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e 
DEBU[0000] parsed reference into "[overlay@/home/cloud-user/.local/share/containers/storage+/run/user/1000/containers]@xxxx" 
DEBU[0000] exporting opaque data as blob "sha256:xxxx" 
DEBU[0000] Created container "773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e" 
DEBU[0000] Container "773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e" has work directory "/home/cloud-user/.local/share/containers/storage/overlay-containers/773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e/userdata" 
DEBU[0000] Container "773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e" has run directory "/run/user/1000/containers/overlay-containers/773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e/userdata" 
DEBU[0000] Handling terminal attach                     
DEBU[0000] Made network namespace at /run/user/1000/netns/netns-09a18519-d352-3259-e0fa-2ff4ffadcc57 for container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e 
DEBU[0000] [graphdriver] trying provided driver "overlay" 
DEBU[0000] overlay: storage already configured with a mount-program 
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false 
DEBU[0000] Cached value indicated that overlay is not supported 
DEBU[0000] Check for idmapped mounts support            
DEBU[0000] overlay: mount_data=lowerdir=/home/cloud-user/.local/share/containers/storage/overlay/l/FNZMAJPV5IQ2YJFYXB7UPJAKJJ:/home/cloud-user/.local/share/containers/storage/overlay/l/OCYN2UP2ZBAM3XRDNWPTSZ25PN:/home/cloud-user/.local/share/containers/storage/overlay/l/7HMAIJP2WEZWSP267ZCBOENMOS:/home/cloud-user/.local/share/containers/storage/overlay/l/5N72EEDD3IX4VRX7SOPREWK4IH:/home/cloud-user/.local/share/containers/storage/overlay/l/C23APDLXUGX4XKCQ7SRBYENDOU,upperdir=/home/cloud-user/.local/share/containers/storage/overlay/2ee65475dd631c48466091564957a6b70a6a1b12f4a5fcd7ddbea5a5acc8fb87/diff,workdir=/home/cloud-user/.local/share/containers/storage/overlay/2ee65475dd631c48466091564957a6b70a6a1b12f4a5fcd7ddbea5a5acc8fb87/work,,volatile,context="system_u:object_r:container_file_t:s0:c1022,c1023" 
DEBU[0000] Mounted container "773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e" at "/home/cloud-user/.local/share/containers/storage/overlay/2ee65475dd631c48466091564957a6b70a6a1b12f4a5fcd7ddbea5a5acc8fb87/merged" 
DEBU[0000] slirp4netns command: /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp --enable-ipv6 -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/netns-09a18519-d352-3259-e0fa-2ff4ffadcc57 tap0 
DEBU[0000] Created root filesystem for container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e at /home/cloud-user/.local/share/containers/storage/overlay/2ee65475dd631c48466091564957a6b70a6a1b12f4a5fcd7ddbea5a5acc8fb87/merged 
DEBU[0000] Modifying container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e /etc/passwd 
DEBU[0000] Modifying container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e /etc/group 
DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode subscription 
DEBU[0000] Set root propagation to "rslave"             
DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d 
DEBU[0000] Workdir "/" resolved to host path "/home/cloud-user/.local/share/containers/storage/overlay/2ee65475dd631c48466091564957a6b70a6a1b12f4a5fcd7ddbea5a5acc8fb87/merged" 
DEBU[0000] Created OCI spec for container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e at /home/cloud-user/.local/share/containers/storage/overlay-containers/773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e/userdata/config.json 
DEBU[0000] /usr/bin/conmon messages will be logged to syslog 
DEBU[0000] running conmon: /usr/bin/conmon               args="[--api-version 1 -c 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e -u 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e -r /usr/bin/runc -b /home/cloud-user/.local/share/containers/storage/overlay-containers/773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e/userdata -p /run/user/1000/containers/overlay-containers/773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e/userdata/pidfile -n exciting_lumiere --exit-dir /run/user/1000/libpod/tmp/exits --full-attach -l k8s-file:/home/cloud-user/.local/share/containers/storage/overlay-containers/773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e/userdata/ctr.log --log-level debug --syslog -t --conmon-pidfile /run/user/1000/containers/overlay-containers/773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/cloud-user/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /run/user/1000/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg cgroupfs --exit-command-arg --tmpdir --exit-command-arg /run/user/1000/libpod/tmp --exit-command-arg --network-config-dir --exit-command-arg  --exit-command-arg --network-backend --exit-command-arg cni --exit-command-arg --volumepath --exit-command-arg /home/cloud-user/.local/share/containers/storage/volumes --exit-command-arg --runtime --exit-command-arg runc --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --events-backend --exit-command-arg file --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e]"
INFO[0000] Failed to add conmon to cgroupfs sandbox cgroup: error creating cgroup for cpu: mkdir /sys/fs/cgroup/cpu/conmon: permission denied 
DEBU[0000] Received: -1                                 
DEBU[0000] Cleaning up container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e 
DEBU[0000] Tearing down network namespace at /run/user/1000/netns/netns-09a18519-d352-3259-e0fa-2ff4ffadcc57 for container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e 
DEBU[0000] Unmounted container "773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e" 
DEBU[0000] Removing container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e 
DEBU[0000] Cleaning up container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e 
DEBU[0000] Network is already cleaned up, skipping...   
DEBU[0000] Container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e storage is already unmounted, skipping... 
DEBU[0000] Removing all exec sessions for container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e 
DEBU[0000] Container 773efe875c87744a4f63c7c9b9daaa28d7cc2ff8d0686bba79e38b499f5b671e storage is already unmounted, skipping... 
DEBU[0000] ExitCode msg: "runc: time=\"2023-07-31t10:34:48+08:00\" level=warning msg=\"unable to get oom kill count\" error=\"no directory specified for memory.oom_control\"\ntime=\"2023-07-31t10:34:48+08:00\" level=error msg=\"container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:75: mounting \\\"sysfs\\\" to rootfs at \\\"/sys\\\" caused: mount through procfd: operation not permitted\": oci permission denied" 
Error: runc: time="2023-07-31T10:34:48+08:00" level=warning msg="unable to get oom kill count" error="no directory specified for memory.oom_control"
time="2023-07-31T10:34:48+08:00" level=error msg="container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:75: mounting \"sysfs\" to rootfs at \"/sys\" caused: mount through procfd: operation not permitted": OCI permission denied

It works well with sudo.

[cloud-user@preserve-olm-env2 jian]$ sudo podman run --rm -ti quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:xxx
bash-4.4$ 

Describe the results you expected

Run it well without sudo.

podman info output

[cloud-user@preserve-olm-env2 jian]$ podman info
host:
  arch: amd64
  buildahVersion: 1.26.2
  cgroupControllers: []
  cgroupManager: cgroupfs
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.32-1.module+el8.5.0+13852+150547f7.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.32, commit: 4b12bce835c3f8acc006a43620dd955a6a73bae0'
  cpuUtilization:
    idlePercent: 99.84
    systemPercent: 0.04
    userPercent: 0.12
  cpus: 8
  distribution:
    distribution: '"rhel"'
    version: "8.4"
  eventLogger: file
  hostname: preserve-olm-env2
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 4.18.0-287.el8.dt4.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 728215552
  memTotal: 16600383488
  networkBackend: cni
  ociRuntime:
    name: runc
    package: runc-1.0.3-1.module+el8.5.0+13556+7f055e70.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.3
      spec: 1.0.2-dev
      go: go1.16.7
      libseccomp: 2.5.1
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.8-1.module+el8.5.0+12582+56d94c81.x86_64
    version: |-
      slirp4netns version 1.1.8
      commit: d361001f495417b880f20329121e3aa431a8f90f
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 0
  swapTotal: 0
  uptime: 1147h 2m 23.88s (Approximately 47.79 days)
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /home/cloud-user/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/cloud-user/.local/share/containers/storage
  graphRootAllocated: 128731557888
  graphRootUsed: 87484362752
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 27
  runRoot: /run/user/1000/containers
  volumePath: /home/cloud-user/.local/share/containers/storage/volumes
version:
  APIVersion: 4.1.1
  Built: 1657551413
  BuiltTime: Mon Jul 11 22:56:53 2022
  GitCommit: ""
  GoVersion: go1.17.7
  Os: linux
  OsArch: linux/amd64
  Version: 4.1.1

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

No

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[Luap99]

Can you test the with the latest version. Did you try it with crun instead of runc?

cc @giuseppe

[jianzhangbjz]

Did you try it with crun instead of runc?

Seems like crun works, as follows,

[cloud-user@preserve-olm-env2 jian]$ podman run --rm -ti --entrypoint /bin/bash  registry.ci.openshift.org/ocp/4.14@sha256:8235c041ce1cb343b27301743414e31b7ab0fa9c57a0217fba4cd892d32e3e42
Error: runc: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:75: mounting "sysfs" to rootfs at "/sys" caused: mount through procfd: operation not permitted: OCI permission denied
[cloud-user@preserve-olm-env2 jian]$ 
[cloud-user@preserve-olm-env2 jian]$ podman --runtime crun run --rm -ti --entrypoint /bin/bash  registry.ci.openshift.org/ocp/4.14@sha256:8235c041ce1cb343b27301743414e31b7ab0fa9c57a0217fba4cd892d32e3e42
[root@8ca488ca7e98 /]# 

Can you test the with the latest version

Will try it later.

[jianzhangbjz]

Upgrade podman to 4.5.1 by using $ sudo yum upgrade -y podman,

[cloud-user@preserve-olm-env2 podman]$ podman version
Client:       Podman Engine
Version:      4.5.1
API Version:  4.5.1
Go Version:   go1.20.4
Built:        Thu Jun 15 18:01:33 2023
OS/Arch:      linux/amd64

But, still encounter this issue with runc, but crun works well.

[cloud-user@preserve-olm-env2 podman]$ podman run --rm -ti --entrypoint /bin/bash  registry.ci.openshift.org/ocp/4.14@sha256:8235c041ce1cb343b27301743414e31b7ab0fa9c57a0217fba4cd892d32e3e42
Error: runc: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:75: mounting "sysfs" to rootfs at "/sys" caused: mount through procfd: operation not permitted: OCI permission denied

[rhatdan]

@giuseppe PTAL

[giuseppe]

Likely there is not a fully visible /sys mount available in your environment. crun has a fallback to bind mount /sys if a sysfs mount could not be used while runc fails.

What is the environment where you are running your container?

Could you share the output of cat /proc/self/mountinfo?

[jianzhangbjz]

Sure, as follows,

[cloud-user@preserve-olm-env2 podman]$ cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.4 (Ootpa)
[cloud-user@preserve-olm-env2 podman]$ uname -a 
Linux preserve-olm-env2 4.18.0-287.el8.dt4.x86_64 #1 SMP Thu Feb 18 13:31:55 EST 2021 x86_64 x86_64 x86_64 GNU/Linux
[cloud-user@preserve-olm-env2 podman]$ cat /proc/self/mountinfo
22 99 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:3 - sysfs sysfs rw,seclabel
23 99 0:5 / /proc rw,nosuid,nodev,noexec,relatime shared:27 - proc proc rw
24 99 0:6 / /dev rw,nosuid shared:23 - devtmpfs devtmpfs rw,seclabel,size=8071292k,nr_inodes=2017823,mode=755
25 22 0:7 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:4 - securityfs securityfs rw
26 24 0:22 / /dev/shm rw,nosuid,nodev shared:24 - tmpfs tmpfs rw,seclabel
27 24 0:23 / /dev/pts rw,nosuid,noexec,relatime shared:25 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=000
28 99 0:24 / /run rw,nosuid,nodev shared:26 - tmpfs tmpfs rw,seclabel,mode=755
29 22 0:25 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:5 - tmpfs tmpfs ro,seclabel,mode=755
30 29 0:26 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:6 - cgroup cgroup rw,seclabel,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
31 22 0:27 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:18 - pstore pstore rw,seclabel
32 22 0:28 / /sys/fs/bpf rw,nosuid,nodev,noexec,relatime shared:19 - bpf bpf rw,mode=700
33 29 0:29 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:7 - cgroup cgroup rw,seclabel,devices
34 29 0:30 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:8 - cgroup cgroup rw,seclabel,cpu,cpuacct
35 29 0:31 / /sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,seclabel,pids
36 29 0:32 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,seclabel,net_cls,net_prio
37 29 0:33 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,seclabel,freezer
38 29 0:34 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,seclabel,memory
39 29 0:35 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,seclabel,perf_event
40 29 0:36 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,seclabel,cpuset
41 29 0:37 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,seclabel,blkio
42 29 0:38 / /sys/fs/cgroup/rdma rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,seclabel,rdma
43 29 0:39 / /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,seclabel,hugetlb
44 22 0:12 / /sys/kernel/tracing rw,relatime shared:20 - tracefs none rw,seclabel
96 22 0:41 / /sys/kernel/config rw,relatime shared:21 - configfs configfs rw
99 1 252:3 / / rw,relatime shared:1 - xfs /dev/vda3 rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
102 99 0:40 / /var/lib/nfs/rpc_pipefs rw,relatime shared:2 - rpc_pipefs rpc_pipefs rw
45 22 0:20 / /sys/fs/selinux rw,relatime shared:22 - selinuxfs selinuxfs rw
46 23 0:42 / /proc/sys/fs/binfmt_misc rw,relatime shared:28 - autofs systemd-1 rw,fd=35,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=19158
47 24 0:43 / /dev/hugepages rw,relatime shared:29 - hugetlbfs hugetlbfs rw,seclabel,pagesize=2M
48 24 0:19 / /dev/mqueue rw,relatime shared:30 - mqueue mqueue rw,seclabel
49 22 0:8 / /sys/kernel/debug rw,relatime shared:31 - debugfs debugfs rw,seclabel
50 22 0:44 / /sys/fs/fuse/connections rw,relatime shared:32 - fusectl fusectl rw
119 99 252:17 / /data rw,relatime shared:65 - xfs /dev/vdb1 rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
122 99 252:2 / /boot/efi rw,relatime shared:67 - vfat /dev/vda2 rw,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro
396 46 0:48 / /proc/sys/fs/binfmt_misc rw,relatime shared:193 - binfmt_misc binfmt_misc rw
418 28 0:24 /netns /run/netns rw,nosuid,nodev shared:26 - tmpfs tmpfs rw,seclabel,mode=755
350 28 0:47 / /run/user/1000 rw,nosuid,nodev,relatime shared:187 - tmpfs tmpfs rw,seclabel,size=1621128k,mode=700,uid=1000,gid=1000

[jianzhangbjz]

Hi @giuseppe any updates? Thanks!

[giuseppe]

/sys/fs/cgroup has a read only bind mount so the kernel blocks mounting a fresh sys. The error from the kernel is expected.

crun has a fallback in this case, that is the difference with runc. I don't think podman should try to circumvent it, because it requires parsing the mounts table and that is known to be a relatively slow operation.

My suggestion is either use crun or add an explicit bind mount for /sys, -v /sys:/sys

[jianzhangbjz]

Thanks for your clarification! I'm clear now. /sys/fs/cgroup/ is writable, but maybe I need to upper the common user's permission. Like below,

[cloud-user@preserve-olm-env2 ~]$ mount | grep '/sys/fs/cgroup'
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,devices)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,cpu,cpuacct)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,pids)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,net_cls,net_prio)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,freezer)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,memory)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,perf_event)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,cpuset)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,blkio)
cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,rdma)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,hugetlb)

sudo groupadd cgroup_users
sudo usermod -a -G cgroup_users <xxx>
sudo chown -R root:cgroup_users /sys/fs/cgroup
sudo chmod -R g+rw /sys/fs/cgroup

But, anyway, it works well with -v /sys:/sys

[cloud-user@preserve-olm-env2 ~]$ podman run --rm -v /sys:/sys -ti --entrypoint /bin/bash  registry.ci.openshift.org/ocp/4.14@sha256:8235c041ce1cb343b27301743414e31b7ab0fa9c57a0217fba4cd892d32e3e42
[root@a6e13cce33ae /]# 

[rhatdan]

Moving this to a discussion. You could also open an issue with runc, to see if those developers are interested in the change that crun has done.

[jianzhangbjz]

Thanks for the suggestion! Here: opencontainers/runc#3970