After a system upgrade to newer versions, I can't run a container due to a pasta "permission denied" error. It is not the same as #22015, because it worked before the system upgrade and the newest passt version.
The following packages were upgraded:
I also downgraded the packages containers-common, libslirp0, podman and slirp4netns to their previous versions and rebooted, but the result is still the same. I am not really sure if it is a podman issue or something with the other packages.
Steps to reproduce the issue
podman run --rm docker.io/alpine:latest id -u nobody
Describe the results you received
Error: pasta failed with exit code 1:
Couldn't open network namespace /run/user/1000/netns/netns-e2cc072d-7de1-22e5-8d7c-6351e59b8308: Permission denied
Describe the results you expected
I expect the user id to be printed: 65534.
podman run --network=none --rm docker.io/alpine:latest id -u nobody and podman run --network=slirp4netns --rm docker.io/alpine:latest id -u nobody work as expected and print the id.
podman info output
host:
  arch: amd64
  buildahVersion: 1.35.4
  cgroupControllers:
  - memory
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon_100:2.1.11-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: e21e7c85b7637e622f21c57675bf1154fc8b1866'
  cpuUtilization:
    idlePercent: 91.31
    systemPercent: 6.1
    userPercent: 2.59
  cpus: 2
  databaseBackend: boltdb
  distribution:
    codename: bullseye
    distribution: debian
    version: "11"
  eventLogger: file
  freeLocks: 1983
  hostname: hostname
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.10.0-29-amd64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 8008523776
  memTotal: 8314707968
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
    package: podman-netavark_100:1.10.3-1_amd64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun_100:1.15-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.15
      commit: e6eacaf4034e84185fd8780ac9262bbf57082278
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt_100:0.0+20240510.72884484-1_amd64
    version: |
      pasta 0.0+20240510.72884484
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_AUDIT_WRITE,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_MKNOD,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_100:1.3.1-1_amd64
    version: |-
      slirp4netns version 1.3.1
      commit: unknown
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.1
  swapFree: 1023406080
  swapTotal: 1023406080
  uptime: 0h 0m 24.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 48
    paused: 0
    running: 0
    stopped: 48
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/user/.local/share/containers/storage
  graphRootAllocated: 131631591424
  graphRootUsed: 15701336064
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 69
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/user/.local/share/containers/storage/volumes
version:
  APIVersion: 5.0.3
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.22.3
  Os: linux
  OsArch: linux/amd64
  Version: 5.0.3
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
It is a Debian 11 virtual machine running in VirtualBox. It does not work with Debian 12 and the same versions either.
It is an issue with pasta (passt), most likely AppArmor blocking access when you are on Debian. You should check the audit.log to confirm. Or disable AppArmor.
I don't know how you installed this as debian stable doesn't ship these updates but please check the installed apparmor policy.
It is an issue with pasta (passt), most likely AppArmor blocking access when you are on Debian. You should check the audit.log to confirm. Or disable AppArmor.
Yeah, there is a log in the journal:
AVC apparmor="DENIED" operation="open" profile="passt" name="/run/user/1000/netns/netns-fc48cae4-8a15-67d8-f96d-f2e683d49dc5" pid=2292 comm="passt.avx2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Thanks. Disabling the passt profile did it: apparmor_parser -R /etc/apparmor.d/usr.bin.passt
Or defining these rules in the usr.bin.passt profile did it as well:
@{run}/user/1000/** wr,
/dev/net/tun wr,
But I am not familiar with AppArmor rules; are these the most restrictive and minimal rules?!
I don't know how you installed this as debian stable doesn't ship these updates but please check the installed apparmor policy.
They are installed from another repository, which is where these versions come from.
You should check your installed profile. pasta ships a working profile upstream, https://passt.top/passt/tree/contrib/apparmor/usr.bin.pasta, so it is best to use that, and if there are problems with that profile, report them to the pasta maintainers.