sysbox
Extend sysbox to allow podman's rootful containers to run within sys-containers
The goal here is to allow Sysbox to run podman inside a system container. Refer to this podman issue for details about the use-case.
After analyzing the issue and making a few adjustments to sysbox, I'm now running into this one:
rmolina@dev-vm1:~$ docker run -it --rm --device=/dev/fuse --runtime=sysbox-runc quay.io/podman/stable bash
[root@c9f908a8ef7a /]#
[root@c9f908a8ef7a /]# podman run hello-world
Trying to pull registry.fedoraproject.org/hello-world...
manifest unknown: manifest unknown
Trying to pull registry.access.redhat.com/hello-world...
name unknown: Repo not found
Trying to pull registry.centos.org/hello-world...
manifest unknown: manifest unknown
Trying to pull docker.io/library/hello-world...
Getting image source signatures
Copying blob 0e03bdcc26d7 [--------------------------------------] 0.0b / 0.0b
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures
Error: openat2 `proc`: Operation not permitted: OCI runtime permission denied error
[root@c9f908a8ef7a /]#
<-- Strace output below -- note that syscall 0x1b5 == 437 == openat2() ...
[pid 2968594] 16:46:16 syscall_0x1b5(0x6, 0x55f30681c180, 0x7ffdc8e34730, 0x18, 0, 0x28000000000000) = -1 EPERM (Operation not permitted) <0.000006>
[pid 2968594] 16:46:16 close(6) = 0 <0.000007>
[pid 2968594] 16:46:16 write(7, "\1\0\0\0\1\0\0\0openat2 `proc`\0", 23) = 23 <0.000018>
[pid 2968594] 16:46:16 exit_group(1 <unfinished ...>
Looks like a seccomp issue preventing openat2() execution. The fix may need to extend libseccomp as openat2() doesn't seem to be supported (at least not in our private version). If that's the case, and we see nothing else, I believe the fix for this one should be an easy one.
/cc @felipecrs @rhatdan @giuseppe
yes, I agree the fix should be in the seccomp profile to allow openat2. Alternatively we could tweak crun to attempt the fallback code anytime openat2 fails, even with EPERM.
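The fallback approach mentioned above, as an added example that is not sysbox or crun code: try openat2(2) with RESOLVE_BENEATH first, and fall back to a more restricted openat(2) only when the syscall itself is unavailable (ENOSYS from an old kernel, or ENOSYS/EPERM from a seccomp profile that does not list openat2, as in the strace above). The `open_beneath` function, the `open_how_local` struct and the enum names are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_openat2
#define __NR_openat2 437          /* syscall 437 == 0x1b5, as seen in the strace above */
#endif
#define RESOLVE_BENEATH_FLAG     0x08  /* openat2: reject ".." and absolute paths/symlinks escaping dirfd */
#define RESOLVE_NO_SYMLINKS_FLAG 0x04  /* openat2: refuse any symlink component */

/* Same layout as the kernel's struct open_how; declared locally so old headers still build. */
struct open_how_local { uint64_t flags; uint64_t mode; uint64_t resolve; };

enum open_path_via { VIA_NONE = 0, VIA_OPENAT2 = 1, VIA_OPENAT = 2 };

/* Opens `path` relative to `dirfd` without escaping it. Returns an fd or -1 with errno set;
   *via reports which syscall actually did the work (hypothetical helper, not crun's code). */
int open_beneath(int dirfd, const char *path, int flags, enum open_path_via *via) {
    struct open_how_local how = { .flags = (uint64_t)flags | O_CLOEXEC, .mode = 0,
                                  .resolve = RESOLVE_BENEATH_FLAG | RESOLVE_NO_SYMLINKS_FLAG };
    long fd = syscall(__NR_openat2, dirfd, path, &how, sizeof(how));
    if (fd >= 0) { *via = VIA_OPENAT2; return (int)fd; }
    /* Only a missing/blocked syscall justifies the fallback. EPERM is ambiguous (seccomp
       returns it here, but so can a real permission failure), which is why the comment
       above describes "even with EPERM" as a deliberate choice. Any other errno
       (EXDEV, ELOOP, ENOENT, ...) is a genuine resolution result and is passed through. */
    if (errno != ENOSYS && errno != EPERM) { *via = VIA_NONE; return -1; }
    /* Fallback: openat(O_NOFOLLOW) only protects the final component, so the
       RESOLVE_BENEATH guarantee is gone. Conservatively refuse anything that could
       escape dirfd (absolute paths and any ".." component), mirroring openat2's EXDEV. */
    if (path[0] == '/' || strstr(path, "..") != NULL) { errno = EXDEV; *via = VIA_NONE; return -1; }
    fd = openat(dirfd, path, flags | O_CLOEXEC | O_NOFOLLOW);
    if (fd >= 0) { *via = VIA_OPENAT; return (int)fd; }
    *via = VIA_NONE;
    return -1;
}

int main(void) {
    enum open_path_via via = VIA_NONE;
    int fd = open_beneath(AT_FDCWD, ".", O_RDONLY | O_DIRECTORY, &via);
    if (fd < 0) { perror("open_beneath"); return 1; }
    printf("opened via %s\n", via == VIA_OPENAT2 ? "openat2" : "openat fallback");
    close(fd);
    return 0;
}
```

Inside a container whose seccomp profile lacks openat2 the program reports "openat fallback"; on a host with the syscall allowed it reports "openat2", which is a quick way to confirm whether a profile fix took effect.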
Hi, have there been any updates on this issue since?
@XVilka, unfortunately, no, we haven't prioritized this one yet. If you don't mind, can you please explain the use-case that you have in mind and why podman is a must-have for you (instead of docker within sysbox containers)? Thanks.
@rodnymolina sorry for the late answer. In RedHat distributions podman is more common than Docker (and often a default choice), thus allowing integration with Podman makes running such containers much easier.