Dear Reinhard Tartler, I have tried what you suggested, and indeed, it does work. See:
$ # CHECK BOTH CRUN AND RUNC ARE INSTALLED $ dpkg -s runc | grep -E '^Status' Status: install ok installed $dpkg -s crun | grep -E '^Status' Status: install ok installed $ # RUN COMMAND WITHOUT THE SUGGESTED WORKAROUND $ podman run --runtime runc --rm -it debian dateError: container_linux.go:367: starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied
$ # RUN COMMAND WITH THE SUGGESTED WORKAROUND$ podman run --runtime runc --security-opt=seccomp=unconfined --rm -it debian date
Mon May 30 23:33:32 UTC 2022 Thanks, Vincent On 31/05/2022 04:28, Reinhard Tartler wrote:
I wonder whether this may be related to upstream report at https://github.com/containers/common/issues/631 <https://github.com/containers/common/issues/631>It seems that in debian/bullseye, podman is only able to work in crun, since the version of runc we have in stable seems to have issues with seccomp. Can you please try the following for me with both crun and runc installed:root@pve:~# podman run --runtime runc --security-opt=seccomp=unconfined --rm -it debian dateMon May 30 19:18:05 UTC 2022 That does appear to work at least on my system.This might indicate that this is actually a change that needs to go into golang-github-containers-common then...On Mon, May 30, 2022 at 9:15 AM Vicente Olivert Riera <vincent.olivert.ri...@gmail.com <mailto:vincent.olivert.ri...@gmail.com>> wrote:I've found the problem appears to be between podman and runc. I have runc installed in my system because I also use docker.io <http://docker.io>, and that package depends on it. runc is also a dependency of podman, so podman uses it. However, podman can also use crun. But, since runc was already installed, and podman can depend on either of them, crun was not installed as a dependecy. Now, if I manually install crun, podman works again and the error is gone. I think if podman finds that crun is installed, it will use it. Otherwise it will use runc as a fallback. Since both runc and crun packages can coexist in the system, I think a quick fix could be removing the runc dependency on podman, so it will always pull in crun as a dependency. At least until the root cause of this problem is found and fixed. -- regards, Reinhard
OpenPGP_0x5DE0950419F6E531.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature