container fails to start with: failed to mount shm tmpfs: invalid argument #14376
Comments
If you remove and recreate the container, does the problem go away? Also, could you get the --log-level=debug logs for this.
Yes. If I create a new container with the same arguments it starts successfully.
@mheon @vrothberg @giuseppe Ideas?
Any chance there's still a tmpfs mounted at the path Podman is trying to mount to? Maybe we failed to clean up the shm from the first time the container was run?
That isn't the case:
The
One potential idea.
That may be it. I disabled SELinux to see if it had to do with #14365.
Guaranteed that is what this is. Basically the context="..." is blowing up on a non-SELinux machine.
Would it make sense for
I am not sure what would be the correct thing to do here. The database says the container wants SELinux and SELinux is failing.
If SELinux is disabled on the system, the SELinux container configuration could be ignored instead of causing the container to stop working. It's counter-intuitive (to me) that something stops working when SELinux gets disabled. Anyway, now that I know what the cause is, I've re-created my container and it's working fine.
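As an added illustration of the behaviour discussed above (this is example code, not Podman's own implementation): the stored shm tmpfs options are split quote-aware, because a context= label such as context="...:s0:c1,c2" carries a comma inside its MCS categories, and the SELinux mount options are dropped when the host has no SELinux. The option string is constructed for the example, and whether SELinux is on is passed in as a parameter rather than read from the host.

```go
package main

import "strings"

// splitMountOptions splits comma-separated mount options but keeps a double-quoted
// value whole: context="...:s0:c1,c2" has a comma inside the MCS categories, so a
// plain strings.Split would corrupt the label.
func splitMountOptions(opts string) []string {
	var out []string
	var cur strings.Builder
	inQuote := false
	for _, r := range opts {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur.WriteRune(r)
		case r == ',' && !inQuote:
			out = append(out, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		out = append(out, cur.String())
	}
	return out
}

// StripSELinuxOptions drops context=, fscontext=, defcontext= and rootcontext= when
// selinuxOn is false: a kernel without SELinux rejects them, which is the
// "invalid argument" in this issue's title. selinuxOn is a parameter so the logic
// can be exercised offline; a real caller would derive it from the host (for example
// the presence of /sys/fs/selinux), which is an assumption of this example.
func StripSELinuxOptions(opts string, selinuxOn bool) string {
	if selinuxOn {
		return opts
	}
	var kept []string
	for _, o := range splitMountOptions(opts) {
		switch strings.SplitN(o, "=", 2)[0] {
		case "context", "fscontext", "defcontext", "rootcontext":
			continue
		}
		kept = append(kept, o)
	}
	return strings.Join(kept, ",")
}
```

A constructed input such as rw,nosuid,nodev,noexec,relatime,size=65536k,context="system_u:object_r:container_file_t:s0:c1,c2" comes back unchanged with selinuxOn true and without the context= option with selinuxOn false.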
I just ran into this on Debian 12 ("bookworm"). I boot with
... and
So far so identical to this issue. Except that I don't have SELinux disabled! One additional detail is the kernel logging the message:
What I guess is going on is that Debian has not packaged Does that previous paragraph make sense? If so, I'll file a bug with Debian.
If you don't have container-selinux installed, SELinux separation will not work, and I don't believe that container-selinux will install without using the Fedora selinux-policy. So you would be best to remove /usr/share/containers/selinux/contexts and see if this works; if it blows up then you might need to just set all the fields in that file to "" and see if that works. Otherwise you should disable SELinux separation in the containers.conf file.
Thanks for the input. Since The only remaining mystery is how I was ever able to use podman on this system... I guess labelling could have been disabled in the past, and then a package update changed the default to
For everybody who might be wondering how to practically do that and where:
Instead you just want to create the following file:
See the man page [additional] Sorry Dan! But at least this way I can keep SELinux enabled overall on my system 😅
Which makes me cry. :^)
Hold on a second. I just realised that refpolicy has its own I just built/installed, re-enabled container labelling, and Podman now works again! (Hopefully this will contribute to preservation of Dan's tears...) I don't know how refpolicy's module compares to container-selinux's module, but since it passed a smoke test I'll ask Debian to include it in
@yrro - thank you for the work / discovery / post - you are a hero, sir! With the impending demise of downstream RHEL based distributions, small organisations will have little choice but to switch to Debian + SELinux. I was so sad when I heard the news and tried to run a podman container on SELinux enabled Debian; tried to compile container-selinux but couldn't get it to work. This is the answer - my hat is off to thee, good sir!
Update: it does not seem to work when booting with Permission denied and no Issue described here
What are the AVCs you are seeing? On the reference it cuts off the AVCs.
@rhatdan - apologies, I didn't copy the log correctly and deleted the VPS afterwards... I have since tried to recreate the error multiple times, but it seems to have "worked itself out" somehow, despite following the exact same steps and having checked, double-checked etc. I spun up a new VPS 4 times in an attempt to recreate the error. I guess that means that Podman does now work with SELinux on, on Debian 12,
UPDATE: according to a refpolicy developer conmon is confined if run from systemd or a specific selinux role. Apparently Debian with SELinux does not assign roles to (system)users automatically. I shall do some more testing and report back. |
I have a container that fails to start with
failed to mount shm ... : invalid argument
The container used to start before.
Some info about the container:
It runs gogs: https://hub.docker.com/r/gogs/gogs.
One volume is mounted to an NFS folder. This is the /data volume, so probably not related to the error. The container gets started as the root user on a Fedora 36 VM.