Community Packages

Please read this before reporting a bug:
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#68742 - [containers-common] Introducing the containers.conf as is broke podman run --network='host'

Attached to Project: Community Packages
Opened by Jonni Westphalen (swizzor) - Wednesday, 25 November 2020, 16:48 GMT
Last edited by David Runge (dvzrv) - Wednesday, 25 November 2020, 19:26 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To David Runge (dvzrv)
Morten Linderud (Foxboron)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

With introducing the containers-common package, the containers.conf was included, which was not done before.

This leads to the problem of not being able to use the network='host' option for podman run.

See e. g.

[jonny@jonny-arch-pc ~]$ sudo podman run --network='host' docker.io/hello-world
Error: sysctl "net.ipv4.ping_group_range" is not allowed in the hosts network namespace: OCI runtime error

This worked before, and the error is introduced by the following line of the containers.conf: https://github.com/containers/common/blob/966c55214abf716f21e17cddbf65eea7a1dcb6f0/pkg/config/containers.conf#L82

See e.g. this issue on GitHub: https://github.com/containers/podman/issues/8269

Possible fix:
Do not include the containers.conf or make sure that the containers.conf is compatible with Arch Linux
This task depends upon

Closed by  David Runge (dvzrv)
Wednesday, 25 November 2020, 19:26 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed with containers-common 0.29.0-3
Comment by Jonni Westphalen (swizzor) - Wednesday, 25 November 2020, 17:26 GMT
I also opened an issue on GitHub, since I am not sure if the Podman devs are aware of the implications of the default containers.conf: https://github.com/containers/podman/issues/8482
Comment by Rodrigo (rzl) - Wednesday, 25 November 2020, 17:52 GMT
I have also had to add these capabilities to default_capabilities: AUDIT_WRITE, MKNOD, NET_RAW. Without these and without removing the mentioned sysctl from default_sysctls, I had this error:

$ podman --log-level=debug run --network=host docker.io/adminer:latest
[...]
Error: capset: Operation not permitted: OCI runtime permission denied error
Comment by David Runge (dvzrv) - Wednesday, 25 November 2020, 18:10 GMT
@swizzor: Thanks for the report (and opening an issue upstream as well)!

I will remove the offending sysctl entry. Depending on whether this is fixed by the next podman release (2.2.0) or not we can then remove the fix again (or remove it upstream).
Comment by David Runge (dvzrv) - Wednesday, 25 November 2020, 18:12 GMT
@rzl: The default_capabilities issue is related to  FS#68743 . It might be worth adding an upstream ticket for that as well.
Comment by Rodrigo (rzl) - Wednesday, 25 November 2020, 18:31 GMT Comment by David Runge (dvzrv) - Wednesday, 25 November 2020, 18:46 GMT
@swizzor, @rzl please test with containers-common 0.29.0-3
Comment by Rodrigo (rzl) - Wednesday, 25 November 2020, 18:52 GMT
It works for me, thank you.
Comment by Jonni Westphalen (swizzor) - Wednesday, 25 November 2020, 19:01 GMT
Works fine, thanks!

Loading...