Unable to run podman container on CentOS Stream 9
mohd-akram opened this issue · 0 comments
mohd-akram commented
On a newly-created Vagrant instance of CentOS Stream 9, I run:
```
sudo dnf install podman
sudo podman run -it --rm --log-level=debug docker.io/bitnami/mongodb:6.0
```
You can see it crashes immediately. In /var/log/audit.log, there is:
```
type=AVC msg=audit(1670323793.223:651): avc: denied { read write } for pid=5215 comm="entrypoint.sh" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c353,c573 tcontext=system_u:object_r:container_file_t:s0:c353,c573 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1670323793.223:651): arch=c000003e syscall=59 success=yes exit=0 a0=564baa4c7200 a1=564baa4dfef0 a2=564baa4d22f0 a3=0 items=0 ppid=5213 pid=5215 auid=1000 uid=1001 gid=0 euid=1001 suid=1001 fsuid=1001 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="entrypoint.sh" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c353,c573 key=(null)^]ARCH=x86_64 SYSCALL=execve AUID="vagrant" UID="unknown(1001)" GID="root" EUID="unknown(1001)" SUID="unknown(1001)" FSUID="unknown(1001)" EGID="root" SGID="root" FSGID="root"
type=EXECVE msg=audit(1670323793.223:651): argc=3 a0="/bin/bash" a1="/opt/bitnami/scripts/mongodb/entrypoint.sh" a2="/opt/bitnami/scripts/mongodb/run.sh"
type=PROCTITLE msg=audit(1670323793.223:651): proctitle=2F62696E2F62617368002F6F70742F6269746E616D692F736372697074732F6D6F6E676F64622F656E747279706F696E742E7368002F6F70742F6269746E616D692F736372697074732F6D6F6E676F64622F72756E2E7368
type=AVC msg=audit(1670323793.225:652): avc: denied { read } for pid=5215 comm="entrypoint.sh" path="/lib/x86_64-linux-gnu/libc-2.31.so" dev="dm-0" ino=259479 scontext=system_u:system_r:container_t:s0:c353,c573 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1670323793.225:652): arch=c000003e syscall=10 success=no exit=-13 a0=7fe3fa5aa000 a1=4000 a2=1 a3=468 items=0 ppid=5213 pid=5215 auid=1000 uid=1001 gid=0 euid=1001 suid=1001 fsuid=1001 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="entrypoint.sh" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c353,c573 key=(null) ARCH=x86_64 SYSCALL=mprotect AUID="vagrant" UID="unknown(1001)" GID="root" EUID="unknown(1001)" SUID="unknown(1001)" FSUID="unknown(1001)" EGID="root" SGID="root" FSGID="root"
```
This issue does not happen with images provided by the CentOS project. They don't provide a catalog file, but here is one:
```json
{
  "description": "",
  "short_description": "",
  "name": "centos/stream9",
  "versions": [
    {
      "version": "20221129.1",
      "status": "active",
      "description_html": null,
      "description_markdown": "",
      "providers": [
        {
          "name": "virtualbox",
          "url": "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-Vagrant-9-20221129.1.x86_64.vagrant-virtualbox.box",
          "checksum": "e99b1d287df3d1d222881657059484d77e4ef940ae46dfc5af6f5d6c0f13e597",
          "checksum_type": "sha256"
        },
        {
          "name": "libvirt",
          "url": "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-Vagrant-9-20221129.1.x86_64.vagrant-libvirt.box",
          "checksum": "c46aa730c5ae97ce8fc2ea011685f6f73e79693b45d2a9e120fa924b1107e6a2",
          "checksum_type": "sha256"
        }
      ]
    }
  ]
}
```
and in the Vagrantfile:
```ruby
Vagrant.configure("2") do |config|
  config.vm.box = "centos/stream9"
  config.vm.box_url = "./stream9.json"
end
```
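The two AVC records in the report point at different causes: the libc denial has a target labeled `var_lib_t`, a type a `container_t` process can never read, so the image's rootfs was not relabeled as `container_file_t`; the `/dev/pts/0` denial has matching types and MCS categories, so it is the policy itself rejecting the access. The following triage helper is an added example, not code from the issue or from podman, and its verdict heuristics (the set of container file types, the MCS comparison) are assumptions:

```python
import re

# Sample input: the two AVC records from the audit excerpt above, wrapped lines rejoined.
AVC_LINES = [
    'type=AVC msg=audit(1670323793.223:651): avc: denied { read write } for pid=5215 comm="entrypoint.sh" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c353,c573 tcontext=system_u:object_r:container_file_t:s0:c353,c573 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1670323793.225:652): avc: denied { read } for pid=5215 comm="entrypoint.sh" path="/lib/x86_64-linux-gnu/libc-2.31.so" dev="dm-0" ino=259479 scontext=system_u:system_r:container_t:s0:c353,c573 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed: the types container_t may use for its rootfs and volumes.
CONTAINER_FILE_TYPES = {'container_file_t', 'container_ro_file_t'}

def split_context(ctx):
    """user:role:type[:level] -> (type, frozenset of MCS categories)."""
    parts = ctx.split(':', 3)
    level = parts[3] if len(parts) > 3 else ''
    cats = frozenset(level.split(':', 1)[1].split(',')) if ':' in level else frozenset()
    return parts[2], cats

def parse_avc(line):
    """Return (denied permissions, key=value fields) of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return m.group('perms').split(), fields

def triage(line):
    """Classify a container denial: mislabeled target, MCS mismatch, or plain policy denial."""
    parsed = parse_avc(line)
    if parsed is None:
        return None
    perms, f = parsed
    src_type, src_cats = split_context(f['scontext'])
    tgt_type, tgt_cats = split_context(f['tcontext'])
    if src_type != 'container_t':
        verdict = 'not a container process'
    elif tgt_type not in CONTAINER_FILE_TYPES:
        verdict = 'mislabeled target'      # e.g. var_lib_t on image storage: relabel needed
    elif src_cats != tgt_cats:
        verdict = 'MCS category mismatch'  # file belongs to a different container
    else:
        verdict = 'policy denial'          # labels agree; the policy forbids this access
    return {'path': f.get('path'), 'tclass': f['tclass'], 'perms': perms,
            'target_type': tgt_type, 'enforcing': f['permissive'] == '0', 'verdict': verdict}

if __name__ == '__main__':
    for line in AVC_LINES:
        print(triage(line))
```

Run it against `ausearch -m AVC` output to separate relabeling problems (fixable on the storage side) from denials that need a policy change or a different container option.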