Hello,

So the problem here is, again, linked to the fact that I'm using a test SELinux policy that doesn't contain all the needed contexts, so yeah it's a mix of configuration issue and the fact that podman is not ignoring these errors if SELinux is in permissive. I'll ping upstream again.

So the remaining problem here is iptables command not being installed (and the seccomp.json file missing to a lower extend)

Le 21/04/21 à 10:21, Laurent Bigonville a écrit :

Hello,

I just did a minimal test VM and... it indeed works...

I'll investigate why on my machine it's not working.

But, on the test VM, podman still fails because "iptables" is not installed, only "nft" is intalled by default now. So there is still a problem here.

Le 21/04/21 à 05:02, Reinhard Tartler a écrit :
Control: tag -1 moreinfo

Hi Laurent,

I've downloaded the Bullseye Alpha 3 debian installer and installed using kvm to have a super clean new system. Unfortunately, I was unable to reproduce the issue that you described below. (I did find some issues with rootless podman outside of a gnome-session, but that's a different story).

The symptoms sound a lot like described in this upstream bug: https://github.com/containers/podman/issues/5721 <https://github.com/containers/podman/issues/5721>

Can you please compare your notes with that upstream bug? Can you confirm that the 'overlay' kernel module is loaded? (in my test, it was loaded automatically). If you still think this is an issue in the Debian package, please let me know. I may require your assistance with reproducing this issue.

-rt

On Mon, Apr 19, 2021 at 11:54 AM Laurent Bigonville <bi...@debian.org <mailto:bi...@debian.org>> wrote:

    Package: podman
    Version: 3.0.1+dfsg1-1
    Severity: serious

    Hello,

    After installing podman, I cannot run it as root out of the box as it
    fails with:

    ERRO[0000] [graphdriver] prior storage driver overlay failed:
    kernel does not support overlay fs: 'overlay' is not supported
    over extfs at "/var/lib/containers/storage/overlay": backing file
    system is unsupported for this graph driver
    Error: kernel does not support overlay fs: 'overlay' is not
    supported over extfs at "/var/lib/containers/storage/overlay":
    backing file system is unsupported for this graph driver

    Looking at fedora it seems that they have a containers-common package
    that ships a default storage.conf file:

    
https://src.fedoraproject.org/rpms/containers-common/blob/rawhide/f/storage.conf
    
<https://src.fedoraproject.org/rpms/containers-common/blob/rawhide/f/storage.conf>

    I see that the debian package is shipping a file in
    /usr/share/containers/storage.conf (in the containers-storage
    package),
    but that file is apparently not read (strace only shows that the
    file in
    /etc/containers is read) and anyway unlike in fedora:

    1) the driver is not set to overlay
    2) the file is installed only if the containers-storage package is
    installed, which is not done by default.
    3) that file is not read anyway, strace only shows that
    /etc/containers/storage.conf is read and not
    /usr/share/containers/storage.conf, so the file is apparently useless

    Shouldn't debian do the same thing than fedora so everything
    works OOTB?

    As a side note, I can see they are shipping also other files as well,
    like the seccomp.json file, using strace, it seems that podman
    tries to
    read them:

    [pid 14835] newfstatat(AT_FDCWD, "/etc/containers/seccomp.json",
    0xc0000ee6b8, 0) = -1 ENOENT (Aucun fichier ou dossier de ce type)
    [pid 14835] newfstatat(AT_FDCWD,
    "/usr/share/containers/seccomp.json", 0xc0000ee788, 0) = -1
    ENOENT (Aucun fichier ou dossier de ce type)

    Shouldn't that file be shipped by default too?

    Kind regards,
    Laurent Bigonville

    -- System Information:
    Debian Release: 11.0
      APT prefers unstable-debug
      APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1,
    'experimental-debug'), (1, 'experimental')
    Architecture: amd64 (x86_64)

    Kernel: Linux 5.10.0-6-amd64 (SMP w/8 CPU threads)
    Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8),
    LANGUAGE=fr_BE:fr
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy

    Versions of packages podman depends on:
    ii  conmon                           2.0.25+ds1-1
    ii  containernetworking-plugins      0.9.0-1+b3
    ii  golang-github-containers-common  0.35.4+ds1-1
    ii  init-system-helpers              1.60
    ii  libc6                            2.31-11
    ii  libdevmapper1.02.1               2:1.02.175-2.1
    ii  libgpgme11                       1.14.0-1+b2
    ii  libseccomp2                      2.5.1-1
    ii  runc                             1.0.0~rc93+ds1-3

    Versions of packages podman recommends:
    ii  buildah  1.20.0+ds1-1
    ii  fuse-overlayfs 1.4.0-1
    ii  golang-github-containernetworking-plugin-dnsname 1.1.1+ds1-4+b4
    ii  slirp4netns  1.0.1-2
    ii  tini 0.19.0-1
    ii  uidmap 1:4.8.1-1

    Versions of packages podman suggests:
    ii  containers-storage  1.24.8+dfsg1-1+b1
    ii  docker-compose      1.25.0-1

    -- no debconf information



--
regards,
    Reinhard

Reply via email to