Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot start service: crun: open executable: Operation not permitted: OCI permission denied #22763

Closed
snakedye opened this issue May 20, 2024 · 2 comments
Closed

Cannot start service: crun: open executable: Operation not permitted: OCI permission denied #22763

snakedye opened this issue May 20, 2024 · 2 comments

Comments

@snakedye
Copy link

Issue Description

The service doesn't start because there isn't the permissions to execute the binary.

Steps to reproduce the issue

Steps to reproduce the issue
1.
2.
3.

Describe the results you received

Executing external compose provider "/usr/bin/docker-compose". Please refer to the documentation for details. <<<<

Creating bitcoind ... done
Creating lnd ... done
Creating server ...
Creating protected ... error
Creating server ... error
ERROR: for protected Cannot start service protected: crun: open executable: Operation not permitted: OCI permission denied

ERROR: for server Cannot start service server: crun: open executable: Operation not permitted: OCI permission denied

ERROR: for protected Cannot start service protected: crun: open executable: Operation not permitted: OCI permission denied

ERROR: for server Cannot start service server: crun: open executable: Operation not permitted: OCI permission denied
ERROR: Encountered errors while bringing up the project.
Error: executing /usr/bin/docker-compose up -d: exit status 1

Describe the results you expected

The first two severices use images I pull from docker.io, the other two I service I made. The last are the one who seem to fail because it can't run the executables.

podman info output

host:
  arch: amd64
  buildahVersion: 1.35.3
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.fc40.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 73.94
    systemPercent: 9.46
    userPercent: 16.61
  cpus: 8
  databaseBackend: boltdb
  distribution:
    distribution: fedora
    variant: workstation
    version: "40"
  eventLogger: journald
  freeLocks: 2027
  hostname: fedora
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.8.9-300.fc40.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 995950592
  memTotal: 10360008704
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.10.0-1.fc40.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.10.0
    package: netavark-1.10.3-3.fc40.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun-1.14.4-1.fc40.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.14.4
      commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240510.g7288448-1.fc40.x86_64
    version: |
      pasta 0^20240510.g7288448-1.fc40.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 7189819392
  swapTotal: 8589930496
  uptime: 0h 31m 50.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /home/snakedye/.config/containers/storage.conf
  containerStore:
    number: 4
    paused: 0
    running: 0
    stopped: 4
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/snakedye/.local/share/containers/storage
  graphRootAllocated: 510405902336
  graphRootUsed: 119447580672
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 43
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /home/snakedye/.local/share/containers/storage/volumes
version:
  APIVersion: 5.0.2
  Built: 1713312000
  BuiltTime: Tue Apr 16 20:00:00 2024
  GitCommit: ""
  GoVersion: go1.22.1
  Os: linux
  OsArch: linux/amd64
  Version: 5.0.2

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

System Details Report

Report details

  • Date generated: 2024-05-20 16:05:30

Hardware Information:

  • Hardware Model: ASUSTeK COMPUTER INC. ZenBook UX462DA
  • Memory: 12.0 GiB
  • Processor: AMD Ryzen™ 7 3700U with Radeon™ Vega Mobile Gfx × 8
  • Graphics: AMD Radeon™ Vega 10 Graphics
  • Disk Capacity: (null)

Software Information:

  • Firmware Version: UX462DA.307
  • OS Name: Fedora Linux 40 (Workstation Edition)
  • OS Build: (null)
  • OS Type: 64-bit
  • GNOME Version: 46
  • Windowing System: Wayland
  • Kernel Version: Linux 6.8.9-300.fc40.x86_64

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting
@snakedye snakedye added the kind/bug Categorizes issue or PR as related to a bug. label May 20, 2024
@edsantiago edsantiago removed the kind/bug Categorizes issue or PR as related to a bug. label May 20, 2024
@edsantiago
Copy link
Collaborator

Thank you for reporting this, but there really isn't anything for us to go on.

the other two I service I made. The last are the one who seem to fail

This kind of seems to maybe point toward a problem with the images you made? Maybe you didn't make the executables 755, or maybe there's a noexec filesystem, or many other possibilities. Regardless, this does not seem like a podman bug. If you can provide us with a reproducer, we'll be glad to look further.

@edsantiago edsantiago closed this as not planned Won't fix, can't repro, duplicate, stale May 20, 2024
@rhatdan
Copy link
Member

rhatdan commented May 21, 2024

Agreed, what happens when you try to execute the command directly? All Podman is doing is executing the command.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@edsantiago @rhatdan @snakedye