
OCI runtime exec failed: exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown

Open amigthea opened this issue 2 years ago • 3 comments

As in the title, this error is generated by a breaking bug found in runc version 1.1.3.

amigthea avatar Aug 05 '22 08:08 amigthea

I wonder if this is related to https://github.com/opencontainers/runc/pull/3504?

kolyshkin avatar Aug 10 '22 19:08 kolyshkin

> I wonder if this is related to #3504?

OK, looks like it is.

I've added the following debug patch to the tip of release-1.1 branch:

diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
index 5a68a3cf..b153ec51 100644
--- a/libcontainer/cgroups/systemd/common.go
+++ b/libcontainer/cgroups/systemd/common.go
@@ -295,6 +295,8 @@ func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, err
                // have a corresponding path.
                if _, err := os.Stat(entry.Path); err == nil {
                        deviceAllowList = append(deviceAllowList, entry)
+               } else {
+                       logrus.Warnf("Skipping device %+v: %w", entry, err)
                }
        }
 
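Review bot: the `%w` verb in `logrus.Warnf("Skipping device %+v: %w", entry, err)` is not a formatting verb logrus understands (its Printf-style functions go through fmt.Sprintf, where `%w` is only valid in fmt.Errorf), which is exactly why the captured output below prints `%!w(*fs.PathError=&{stat char-pts 2})` instead of a readable error; use `%v` here. Also note that the new else branch fires at warning level on every container start for entries such as `char-pts`, `char-*` and `block-*`, whose Path is a systemd device-group name rather than a filesystem path, so `os.Stat` on them can never succeed; that is acceptable for a debug patch, but it means the condition above, not only the logging, is where the skipped rules come from.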

and got the following output (from one of the tests -- doesn't matter):

   runc run -d --console-socket /tmp/bats-run-JcLxzP/runc.7sdPPv/tty/sock test_busybox (status=0):
   time="2022-08-10T16:47:33-07:00" level=warning msg="Skipping device {Path:block-* Perms:m}: %!w(*fs.PathError=&{stat block-* 2})"
   time="2022-08-10T16:47:33-07:00" level=warning msg="Skipping device {Path:char-* Perms:m}: %!w(*fs.PathError=&{stat char-* 2})"
   time="2022-08-10T16:47:33-07:00" level=warning msg="Skipping device {Path:char-pts Perms:rwm}: %!w(*fs.PathError=&{stat char-pts 2})"

So, what happens, I guess, is:

  1. With #3504 in place, we are no longer adding the char-pts rwm rule to the container's DeviceAllow systemd unit property.
  2. The fact that the rule is excluded doesn't matter, since we also apply the rules directly (for cgroup v1, by writing to devices.allow)
  3. systemctl daemon-reload reapplies the DeviceAllow rules, thus removing the char-pts rule.

Fix is coming.

kolyshkin avatar Aug 11 '22 00:08 kolyshkin
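The three steps above describe a filter that decides which device rules reach systemd's DeviceAllow property. Below is an added example in Go that is not runc's code and not the fix referenced in this thread; the `DeviceRule` type, the `FilterDeviceAllow`, `NaiveFilterDeviceAllow`, `HasPtsRule` and `FakeStat` helpers, and the sample rule set are all constructed for this example. It contrasts stat'ing every entry, which drops the systemd device-group names seen in the debug output, with stat'ing only real filesystem paths, so that the `char-pts rwm` rule survives a later `systemctl daemon-reload`.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// DeviceRule is the shape of an entry that becomes a systemd DeviceAllow
// value: a device path (or systemd device-group name) plus "rwm" permissions.
// This type is an assumption of the example, not runc's own.
type DeviceRule struct {
	Path  string
	Perms string
}

// StatFunc lets the filters run against a fake filesystem in tests;
// pass os.Stat to use the real one.
type StatFunc func(string) (os.FileInfo, error)

// isSystemdDeviceGroup reports whether a DeviceAllow path is one of systemd's
// non-filesystem specifiers from systemd.resource-control(5): "char-<group>"
// or "block-<group>", including the wildcard forms "char-*" and "block-*".
// These never resolve with stat(2), so they must not be subjected to it.
func isSystemdDeviceGroup(p string) bool {
	return strings.HasPrefix(p, "char-") || strings.HasPrefix(p, "block-")
}

// NaiveFilterDeviceAllow is the behaviour the debug output above exposes:
// every entry is stat'ed, so "char-pts", "char-*" and "block-*" are dropped
// along with genuinely missing /dev nodes.
func NaiveFilterDeviceAllow(rules []DeviceRule, stat StatFunc) (kept []DeviceRule, skipped map[string]error) {
	skipped = map[string]error{}
	for _, r := range rules {
		if _, err := stat(r.Path); err != nil {
			skipped[r.Path] = err
			continue
		}
		kept = append(kept, r)
	}
	return kept, skipped
}

// FilterDeviceAllow stats only real paths. Device-group names are kept as-is,
// so the "char-pts rwm" rule is still in the unit property when systemd
// reapplies it on daemon-reload.
func FilterDeviceAllow(rules []DeviceRule, stat StatFunc) (kept []DeviceRule, skipped map[string]error) {
	skipped = map[string]error{}
	for _, r := range rules {
		if !isSystemdDeviceGroup(r.Path) {
			if _, err := stat(r.Path); err != nil {
				skipped[r.Path] = err
				continue
			}
		}
		kept = append(kept, r)
	}
	return kept, skipped
}

// HasPtsRule reports whether the rule set still grants read/write on the
// pseudo-terminal group; without it, opening /dev/pts/N inside the container
// fails with "operation not permitted" as in the issue title.
func HasPtsRule(rules []DeviceRule) bool {
	for _, r := range rules {
		if r.Path == "char-pts" && strings.Contains(r.Perms, "r") && strings.Contains(r.Perms, "w") {
			return true
		}
	}
	return false
}

// SampleRules is a constructed rule set shaped like the debug output above,
// plus one real node and one deliberately missing one.
func SampleRules() []DeviceRule {
	return []DeviceRule{
		{Path: "/dev/null", Perms: "rwm"},
		{Path: "char-pts", Perms: "rwm"},
		{Path: "char-*", Perms: "m"},
		{Path: "block-*", Perms: "m"},
		{Path: "/dev/no-such-device", Perms: "rwm"},
	}
}

// FakeStat returns a StatFunc that reports only the listed paths as present
// and fails the rest with the same *os.PathError shape os.Stat produces.
func FakeStat(present ...string) StatFunc {
	return func(p string) (os.FileInfo, error) {
		for _, x := range present {
			if x == p {
				return nil, nil
			}
		}
		return nil, &os.PathError{Op: "stat", Path: p, Err: os.ErrNotExist}
	}
}

func main() {
	stat := FakeStat("/dev/null")
	naive, _ := NaiveFilterDeviceAllow(SampleRules(), stat)
	fixed, skipped := FilterDeviceAllow(SampleRules(), stat)
	fmt.Printf("naive keeps %d rule(s), pts rule present: %v\n", len(naive), HasPtsRule(naive))
	fmt.Printf("fixed keeps %d rule(s), pts rule present: %v\n", len(fixed), HasPtsRule(fixed))
	for p, err := range skipped {
		// %v, not %w: Printf-style logging calls do not understand %w.
		fmt.Printf("skipped %s: %v\n", p, err)
	}
}
```

With the sample rules the naive filter keeps only `/dev/null`, while the path-aware filter keeps `/dev/null`, `char-pts`, `char-*` and `block-*` and skips only the genuinely missing node. Replacing `FakeStat` with `os.Stat` runs the same logic against the real host.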

Trying to make a test for this in https://github.com/opencontainers/runc/pull/3555, alas it's not failing.

kolyshkin avatar Aug 11 '22 01:08 kolyshkin