crun
Error: crun: cannot stat `/run/containers/storage/overlay-containers/abc…/userdata/hosts`: Permission denied: OCI permission denied
I have kernel 5.10.226, conmon 2.1.13/de270e6eb90b3, crun 1.21.0.0.0.71-b812c/commit 52ed5880c4568/+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL, systemd 353.
I have a systemd unit with
ExecStart=/usr/local/bin/podman run -d --cap-add=IPC_LOCK --log-driver=none --net=host --read-only --read-only-tmpfs=false --mount type=bind,src=/etc/kamailio,dst=/conf --tty --rm=true -a=stderr -a=stdout --userns=auto:size=10 --name=kamailio --ipc=none localhost/kamailio:2024-04-05
With podman 5.5.0-dev/61f170ad00c5baef when I start the systemd unit I get
conmon 028349bf80504f730000 : Failed to receive console file descriptor Communication error on send
but when I run that ExecStart line directly, outside systemd, I get
Error: crun: cannot stat /run/containers/storage/overlay-containers/aee74d45809c27c85df2bea56273be6218bf07cbb6452c4d2302274a6ab3c9a6/userdata/resolv.conf: Permission denied: OCI permission denied
Finally,
strace -s2048 -f /usr/local/bin/podman run --cap-add=IPC_LOCK --net=host --read-only --read-only-tmpfs=false --mount type=bind,src=/etc/kamailio,dst=/conf --tty --rm=true -a=stderr -a=stdout --userns=auto:size=10 --name=kamailio --ipc=none localhost/kamailio:2024-04-05
produces this file: UU4.txt
The remarkable thing is that sometimes the error message is about userdata/hosts and sometimes it is about userdata/resolv.conf.
Moreover in the past it has worked, so some software upgrade caused it to stop working.
- Why does crun say "Permission denied: OCI permission denied"?