
Fedora 42: Podman found but 'hello-world' test failed

Open Anvil5465 opened this issue 5 months ago • 4 comments

Describe the bug

I used the commands on the BOINC website to install BOINC and podman and to edit the appropriate users/groups, but the log states that podman was found but the 'hello-world' test failed on a fresh Fedora 42 install. Otherwise BOINC works as it should.

Steps to reproduce

  1. Install boinc and docker according to https://boinc.berkeley.edu/linux_install.php?action=submit&os_num=2&version_num=6&build=stable
  2. Hello-world test failed, and boinc is unable to use docker

Expected behavior

BOINC is able to use docker

Screenshots

No response

System information

  • OS: Fedora 42
  • BOINC version: 8.2.4

Additional context

If I run podman run hello-world as the user I use to log in or as root, it works.

Anvil5465 avatar Sep 16 '25 22:09 Anvil5465

I consulted with an LLM which was able to fix the issue with the following changes:

  1. Let BOINC’s systemd unit manage its own cgroups

sudo mkdir -p /etc/systemd/system/boinc-client.service.d
cat <<'EOF' | sudo tee /etc/systemd/system/boinc-client.service.d/podman.conf
[Service]
Delegate=yes
ProtectControlGroups=no
EOF

sudo systemctl daemon-reload

  2. Minimal SELinux module: allow execmem for the BOINC service domain (unconfined_service_t)

cat <<'EOF' > boinc_podman.te
module boinc_podman 1.0;

require {
    type unconfined_service_t;
    class process { execmem };
}

allow unconfined_service_t self:process execmem;
EOF

checkmodule -M -m -o boinc_podman.mod boinc_podman.te
semodule_package -o boinc_podman.pp -m boinc_podman.mod
sudo semodule -i boinc_podman.pp

  3. Make everything under /var/lib/boinc look like ordinary container data (container_file_t)

# Persistent rule
sudo semanage fcontext -a -t container_file_t '/var/lib/boinc(/.*)?'

# Apply it to all existing / future files
sudo restorecon -Rv /var/lib/boinc

I tried a bunch of things though, so there may be other steps necessary to get this up and running on a fresh Fedora 42 install, but the bottom line seems to be that SELinux is the issue. I was getting permissions errors when trying to run hello-world as the boinc user, which no longer happens after implementing these changes.

Anvil5465 avatar Sep 17 '25 15:09 Anvil5465

Downstream bug report: https://bugzilla.redhat.com/show_bug.cgi?id=2402420. I will run some tests as soon as possible and provide feedback.

Germano0 avatar Oct 07 '25 23:10 Germano0

To me the issue seems to be with SELinux. I was looking for why AMD GPUs were not working and discovered this: https://beko.famkos.net/2023/12/05/boinc-not-detecting-gpu-when-started-via-systemd/

From there, I discovered the ausearch command, which to my understanding can print SELinux logs, and with the command sudo ausearch -c 'podman' I was able to check that SELinux could in fact be the reason with podman.

So the workaround for me was:

ausearch -c 'podman' --raw | audit2allow -M podman
semodule -i podman.pp

I also installed the podman-docker package, but I'm not sure whether that was really necessary.

jimboolio avatar Oct 26 '25 08:10 jimboolio
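A review step that can run before the `audit2allow -M podman` workaround above, as an added example that is not part of the original comments or of BOINC: it condenses the raw AVC denials into the type/class/permission tuples a generated module would allow, so they can be read before `semodule -i`. The function name `summarize_avc`, the variable `SAMPLE_AVC` and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials before turning them into policy.
# Real use: sudo ausearch -c 'podman' --raw | summarize_avc

# Constructed sample records (not taken from the issue).
SAMPLE_AVC='type=AVC msg=audit(1761465600.101:501): avc:  denied  { execmem } for  pid=4101 comm="podman" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1761465600.101:501): arch=c000003e syscall=9 success=no exit=-13 comm="podman"
type=AVC msg=audit(1761465601.202:502): avc:  denied  { execmem } for  pid=4102 comm="podman" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
type=AVC msg=audit(1761465602.303:503): avc:  denied  { read open } for  pid=4103 comm="podman" name="slot0" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'

# Print "count source_type target_type class permission [REVIEW]" per unique denial.
summarize_avc() {
    awk '
    function ctx_type(field,   parts) {
        sub(/^[st]context=/, "", field)
        split(field, parts, ":")        # user:role:type:level
        return parts[3]
    }
    /avc:/ && /denied/ {
        src = tgt = cls = ""
        perms = $0                      # permissions sit between "{" and "}"
        sub(/^[^{]*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = ctx_type($i)
            else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) seen[src " " tgt " " cls " " p[j]]++
    }
    END {
        for (k in seen) {
            split(k, f, " ")
            # Executable-memory permissions get a marker for manual review.
            flag = (f[4] ~ /^exec(mem|stack|heap|mod)$/) ? " REVIEW" : ""
            print seen[k] " " k flag
        }
    }' | LC_ALL=C sort -k2
}

# Demo on the constructed records.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

Each output line corresponds to one allow rule the generated module would contain; a rule applies to every process running in the listed source type, not only to podman started by BOINC.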

I added the workaround here: https://github.com/BOINC/boinc/wiki/Installing-Docker-on-Linux

I don't think podman-docker is needed.

davidpanderson avatar Oct 28 '25 01:10 davidpanderson