Comments (14)
rhatdan
commented on August 17, 2024
I would run in permissive mode and gather all of the AVC's and then attach them. I will add these rules, that you have found.
from container-selinux.
rhatdan
commented on August 17, 2024
@wrabcak PTAL. A lot of these should go into selinux-policy.
I would say that we should allow staff_t and User_t access to all user namespace capabilities.
$ sesearch -A -s staff_t -c cap_userns
allow staff_t staff_t:cap_userns { setpcap sys_admin sys_chroot };
Currently they are very limited.
from container-selinux.
rhatdan
commented on August 17, 2024
One issue is that your staff_t is logging in without being fully ranged.
Your process should be
staff_u:staff_r:staff_t:s0-s0:c0.c1024
But I believe it is only
staff_u:staff_r:staff_t:s0
I think that is why you are getting the transition error. We need container_runitme_t to be fully ranged.
from container-selinux.
rhatdan
commented on August 17, 2024
This rule
allow staff_t container_runtime_t:process { noatsecure rlimitinh siginh };
Should not be necessary, I believe
from container-selinux.
tt-why
commented on August 17, 2024
One issue is that your staff_t is logging in without being fully ranged.
Your process should be
staff_u:staff_r:staff_t:s0-s0:c0.c1024But I believe it is only
staff_u:staff_r:staff_t:s0
I think that is why you are getting the transition error. We need container_runitme_t to be fully ranged.
You were right ! I forgot to specify the complete range when confining my user in my kickstart...
So now i've that setup :
ps fauxZ|grep podman
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 46406 0.0 0.0 6132 908 pts/0 S+ 16:14 0:00 \_ grep --color=auto podman
staff_u:staff_r:container_runtime_t:s0-s0:c0.c1023 user 44947 0.0 0.1 63344 33472 ? S 16:13 0:00 podman
id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
I've rebooted to apply the range, restorecon my home folder and i did a podman system reset.
But the following simple command always fails podman run -it alpine:latest sh :
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob aad63a933944 done
Copying config a187dde48c done
Writing manifest to image destination
Storing signatures
{"msg":"exec container process `/bin/sh`: Permission denied","level":"error","time":"2020-03-30T14:13:45.000319123Z"}
avc: denied { transition } for pid=45145 comm=3 path=/bin/busybox dev="fuse" ino=33557878 scontext=staff_u:staff_r:container_runtime_t:s0 tcontext=system_u:system_r:container_t:s0:c313,c821 tclass=process permissive=0
Any idea ?
from container-selinux.
wrabcak
commented on August 17, 2024
@wrabcak PTAL. A lot of these should go into selinux-policy.
I would say that we should allow staff_t and User_t access to all user namespace capabilities.
$ sesearch -A -s staff_t -c cap_userns
allow staff_t staff_t:cap_userns { setpcap sys_admin sys_chroot };Currently they are very limited.
We can allow it for all except sys_ptrace. For that boolean we have specific deny_ptrace boolean.
FYI @zpytela
from container-selinux.
rhatdan
commented on August 17, 2024
SO the problem is staff_t:s0-s0:c0.10123 is transitioning to container_runtime_t:s0 when you execute podman, I forgot why the range is dropped...
cat > p.sh << _EOF
#!/bin/sh
id -Z
_eof
chmod +x p.sh
chcon -t container_runtime_exec_t p.sh
./p.sh
from container-selinux.
tt-why
commented on August 17, 2024
SO the problem is staff_t:s0-s0:c0.10123 is transitioning to container_runtime_t:s0 when you execute podman, I forgot why the range is dropped...
cat > p.sh << _EOF #!/bin/sh id -Z _eof chmod +x p.sh chcon -t container_runtime_exec_t p.sh ./p.sh
I've tried your script but it didn't transition to another domain unless i did a semanage -a permissive staff_t ...
Here is the avc (when staff_t=permissive) :
type=AVC msg=audit(03/31/2020 11:00:03.786:426) : avc: denied { nosuid_transition } for pid=89233 comm=bash scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:container_runtime_t:s0-s0:c0.c1023 tclass=process2 permissive=1
But i see that in normal podman use case that you have authorized that :
container-selinux/container.te
Line 42 in f00d1f4
Here is is ps fauxZ of a successful podman run -it alpine:latest sh :
staff_u:staff_r:staff_t:s0-s0:c0.c1023 user 22915 0.0 0.0 7132 4072 pts/1 Ss 10:27 0:00 \_ /bin/bash
staff_u:staff_r:container_runtime_t:s0-s0:c0.c1023 user 53594 0.6 0.2 1051740 58568 pts/1 Sl+ 10:42 0:00 \_ podman run -it alpine:latest sh
staff_u:staff_r:container_runtime_t:s0-s0:c0.c1023 user 53613 0.0 0.0 4372 2716 pts/1 S 10:42 0:00 \_ /usr/bin/slirp4netns --disable-host-loopback --mtu 65520 -c -e 3 -r 4 --netns-type=path /run/user/1000/netns/cni-7041947e-a275-010d-8737-069223a5f763 tap0
staff_u:staff_r:container_runtime_t:s0-s0:c0.c1023 user 43784 0.0 0.1 63344 33404 ? S 10:38 0:00 podman
staff_u:staff_r:container_runtime_t:s0-s0:c0.c1023 user 53612 0.0 0.0 5040 2052 ? Ss 10:42 0:00 /usr/bin/fuse-overlayfs -o lowerdir=/home/user/.local/share/containers/storage/overlay/l/HV2BUSAOM5FKWFVRWZVWPAIRDC,upperdir=/home/user/.local/share/containers/storage/overlay/1018760c5eb4ef9c1f8c9701ce5b3f2cb6395189e173
staff_u:staff_r:container_runtime_t:s0 user 53616 0.0 0.0 80404 2156 ? Ssl 10:42 0:00 /usr/bin/conmon --api-version 1 -s -c cd7774b3904e8666a922ccf5a8d27a46e5256b92a150ed81d52b8b369f1f8b57 -u cd7774b3904e8666a922ccf5a8d27a46e5256b92a150ed81d52b8b369f1f8b57 -r /usr/bin/crun -b /home/user/.local/share/conta
system_u:system_r:container_t:s0:c245,c675 user 53620 0.0 0.0 1644 944 pts/0 Ss+ 10:42 0:00 \_ sh
I might be wrong but if it it is a drop range problem it seems (thank's to f option of ps) that conmon is the father of the sh command inside my container. But as we can see, it doesn't have any range applied to it :/
from container-selinux.
rhatdan
commented on August 17, 2024
If you add the nosuid_transition to the container runtime, does it work?
from container-selinux.
rhatdan
commented on August 17, 2024
Does your user have NoNewPrivs turned on?
grep No /proc/self/status
NoNewPrivs: 0
from container-selinux.
tt-why
commented on August 17, 2024
If you add the nosuid_transition to the container runtime, does it work?
The following avc was when i was running your specified p.sh i don't think it's the problem because it doesn't occur when using podman.
Does your user have NoNewPrivs turned on?
grep No /proc/self/status
NoNewPrivs: 0
Here is mine :
grep No /proc/self/status
NoNewPrivs: 0
The avc when running ** podman run -it alpine:latest sh** is still here and is not in the staff_t domain because staff_t is in permissive mode currently.
type=AVC msg=audit(03/31/2020 17:09:11.728:878) : avc: denied { transition } for pid=460003 comm=3 path=/bin/busybox dev="fuse" ino=33557878 scontext=staff_u:staff_r:container_runtime_t:s0 tcontext=system_u:system_r:container_t:s0:c461,c919 tclass=process permissive=0
from container-selinux.
smijolovic
commented on August 17, 2024
Same issue here for buildah. For compliance purposes, our development environment does not allow unconfined SELinux users. We use the staff SEUSER, and that is not working.
Our user:
uid=2100(rpmbuild) gid=2100(rpmbuild) groups=2100(rpmbuild),510(logs) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
Home mount in fstab:
/dev/mapper/chaasm-home /home xfs defaults 0 0
Home directory for rpmbuild:
drwx------. 19 rpmbuild rpmbuild staff_u:object_r:user_home_dir_t:s0 4096 Apr 20 21:31 rpmbuild
more /etc/subuid
rpmbuild:100000:65536
more /etc/subgid
rpmbuild:100000:65536
When trying to build a flannel image in buildah using either the dockerfile or converting it to a buildah script, it fails when SELinux is in enforced mode.
Both are able to pull the alpine image (after building an SELinux policy) but can not run the image and then it fails.
With buildah bud...
$BUILDAH_ISOLATION=rootless buildah bud -t 0.12.0-amd64 -f $BUILD_FLANNEL/src/github.com/coreos/flannel/Dockerfile.amd64 --log-level=debug .
DEBU running [buildah-in-a-user-namespace bud -t v0.12.0-amd64 -f /home/rpmbuild/nimbus8/flannel-build/src/github.com/coreos/flannel/Dockerfile.amd64 --log-level=debug .] with environment [BUILDAH_ISOLATION=rootless LS_COLORS=rs=0:di=38;5;33:ln=38;5;51:mh=00:pi=40;38;5;11:so=38;5;13:do=38;5;5:bd=48;5;232;38;5;11:cd=48;5;232;38;5;3:or=48;5;232;38;5;9:mi=01;05;37;41:su=48;5;196;38;5;15:sg=48;5;11;38;5;16:ca=48;5;196;38;5;226:tw=48;5;10;38;5;16:ow=48;5;10;38;5;21:st=48;5;21;38;5;15:ex=38;5;40:.tar=38;5;9:.tgz=38;5;9:.arc=38;5;9:.arj=38;5;9:.taz=38;5;9:.lha=38;5;9:.lz4=38;5;9:.lzh=38;5;9:.lzma=38;5;9:.tlz=38;5;9:.txz=38;5;9:.tzo=38;5;9:.t7z=38;5;9:.zip=38;5;9:.z=38;5;9:.dz=38;5;9:.gz=38;5;9:.lrz=38;5;9:.lz=38;5;9:.lzo=38;5;9:.xz=38;5;9:.zst=38;5;9:.tzst=38;5;9:.bz2=38;5;9:.bz=38;5;9:.tbz=38;5;9:.tbz2=38;5;9:.tz=38;5;9:.deb=38;5;9:.rpm=38;5;9:.jar=38;5;9:.war=38;5;9:.ear=38;5;9:.sar=38;5;9:.rar=38;5;9:.alz=38;5;9:.ace=38;5;9:.zoo=38;5;9:.cpio=38;5;9:.7z=38;5;9:.rz=38;5;9:.cab=38;5;9:.wim=38;5;9:.swm=38;5;9:.dwm=38;5;9:.esd=38;5;9:.jpg=38;5;13:.jpeg=38;5;13:.mjpg=38;5;13:.mjpeg=38;5;13:.gif=38;5;13:.bmp=38;5;13:.pbm=38;5;13:.pgm=38;5;13:.ppm=38;5;13:.tga=38;5;13:.xbm=38;5;13:.xpm=38;5;13:.tif=38;5;13:.tiff=38;5;13:.png=38;5;13:.svg=38;5;13:.svgz=38;5;13:.mng=38;5;13:.pcx=38;5;13:.mov=38;5;13:.mpg=38;5;13:.mpeg=38;5;13:.m2v=38;5;13:.mkv=38;5;13:.webm=38;5;13:.ogm=38;5;13:.mp4=38;5;13:.m4v=38;5;13:.mp4v=38;5;13:.vob=38;5;13:.qt=38;5;13:.nuv=38;5;13:.wmv=38;5;13:.asf=38;5;13:.rm=38;5;13:.rmvb=38;5;13:.flc=38;5;13:.avi=38;5;13:.fli=38;5;13:.flv=38;5;13:.gl=38;5;13:.dl=38;5;13:.xcf=38;5;13:.xwd=38;5;13:.yuv=38;5;13:.cgm=38;5;13:.emf=38;5;13:.ogv=38;5;13:.ogx=38;5;13:.aac=38;5;45:.au=38;5;45:.flac=38;5;45:.m4a=38;5;45:.mid=38;5;45:.midi=38;5;45:.mka=38;5;45:.mp3=38;5;45:.mpc=38;5;45:.ogg=38;5;45:.ra=38;5;45:.wav=38;5;45:.oga=38;5;45:.opus=38;5;45:.spx=38;5;45:*.xspf=38;5;45: SSH_CONNECTION=172.16.37.1 52280 172.16.37.187 22 LANG=en_US.UTF-8 HISTCONTROL=ignoredups HISTTIMEFORMAT=[ %FT%T ] HOSTNAME=localhost.localdomain OLDPWD=/home/rpmbuild/nimbus8/flannel-build/src/github.com/coreos XDG_SESSION_ID=25 USER=rpmbuild GOPATH=/home/rpmbuild/nimbus8/flannel-build SELINUX_ROLE_REQUESTED= PWD=/home/rpmbuild/nimbus8/flannel-build/src/github.com/coreos/flannel HOME=/home/rpmbuild SSH_CLIENT=172.16.37.1 52280 22 SELINUX_LEVEL_REQUESTED= TMPDIR=/home/rpmbuild/nimbus8/flannel-build/tmp SSH_TTY=/dev/pts/0 MAIL=/var/spool/mail/rpmbuild SHELL=/bin/bash TERM=xterm-256color SELINUX_USE_CURRENT_RANGE= TMOUT=600 SHLVL=2 LOGNAME=rpmbuild DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/2100/bus XDG_RUNTIME_DIR=/run/user/2100 PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/rpmbuild/.local/bin:/home/rpmbuild/bin:/usr/local/go14/bin:/usr/local/gotools/bin HISTSIZE=1000 LESSOPEN=||/usr/bin/lesspipe.sh %s _=/usr/bin/buildah _CONTAINERS_USERNS_CONFIGURED=1], UID map [{ContainerID:0 HostID:2100 Size:1} {ContainerID:1 HostID:100000 Size:65536}], and GID map [{ContainerID:0 HostID:2100 Size:1} {ContainerID:1 HostID:100000 Size:65536}]
WARN error running newuidmap: exit status 1: newuidmap: write to uid_map failed: Operation not permitted
WARN falling back to single mapping
DEBU Pull Policy for pull [PullIfNewer]
DEBU umask value too restrictive. Forcing it to 022
DEBU [graphdriver] trying provided driver "overlay"
DEBU overlay: mount_program=/usr/bin/fuse-overlayfs
DEBU overlay: mount_program=/usr/bin/fuse-overlayfs
DEBU backingFs=xfs, projectQuotaSupported=false, useNativeDiff=false, usingMetacopy=false
DEBU reading local Dockerfile "/home/rpmbuild/nimbus8/flannel-build/src/github.com/coreos/flannel/Dockerfile.amd64"
DEBU base: "alpine"
DEBU FROM "alpine"
STEP 1: FROM alpine
DEBU Loading registries configuration "/etc/containers/registries.conf"
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]localhost/alpine:latest"
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]localhost/alpine:latest"
DEBU reference "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]localhost/alpine:latest" does not resolve to an image ID
DEBU registry "localhost" is not listed in registries configuration "/etc/containers/registries.conf", assuming it's not blocked
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]localhost/alpine:latest"
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]localhost/alpine:latest"
DEBU copying "docker://localhost/alpine:latest" to "localhost/alpine:latest"
DEBU Trying to access "localhost/alpine:latest"
DEBU Credentials not found
DEBU Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU Using "default-docker" configuration
DEBU No signature storage configuration found for localhost/alpine:latest
DEBU Looking for TLS certificates and private keys in /etc/docker/certs.d/localhost
DEBU GET https://localhost/v2/
DEBU Ping https://localhost/v2/ err Get "https://localhost/v2/": dial tcp [::1]:443: connect: connection refused (&url.Error{Op:"Get", URL:"https://localhost/v2/", Err:(*net.OpError)(0xc00038b090)})
DEBU GET https://localhost/v1/_ping
DEBU Ping https://localhost/v1/_ping err Get "https://localhost/v1/_ping": dial tcp [::1]:443: connect: connection refused (&url.Error{Op:"Get", URL:"https://localhost/v1/_ping", Err:(*net.OpError)(0xc00038b2c0)})
DEBU Accessing "localhost/alpine:latest" failed: error pinging docker registry localhost: Get "https://localhost/v2/": dial tcp [::1]:443: connect: connection refused
DEBU error copying src image ["docker://localhost/alpine:latest"] to dest image ["localhost/alpine:latest"] err: Error initializing source docker://localhost/alpine:latest: error pinging docker registry localhost: Get "https://localhost/v2/": dial tcp [::1]:443: connect: connection refused
DEBU error pulling image "docker://localhost/alpine:latest": Error initializing source docker://localhost/alpine:latest: error pinging docker registry localhost: Get "https://localhost/v2/": dial tcp [::1]:443: connect: connection refused
DEBU unable to pull and read image "localhost/alpine": Error initializing source docker://localhost/alpine:latest: error pinging docker registry localhost: Get "https://localhost/v2/": dial tcp [::1]:443: connect: connection refused
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.access.redhat.com/alpine:latest"
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.access.redhat.com/alpine:latest"
DEBU reference "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.access.redhat.com/alpine:latest" does not resolve to an image ID
DEBU registry "registry.access.redhat.com" is not listed in registries configuration "/etc/containers/registries.conf", assuming it's not blocked
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.access.redhat.com/alpine:latest"
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.access.redhat.com/alpine:latest"
DEBU copying "docker://registry.access.redhat.com/alpine:latest" to "registry.access.redhat.com/alpine:latest"
DEBU Trying to access "registry.access.redhat.com/alpine:latest"
DEBU Credentials not found
DEBU Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU Using "default-docker" configuration
DEBU No signature storage configuration found for registry.access.redhat.com/alpine:latest
DEBU Looking for TLS certificates and private keys in /etc/docker/certs.d/registry.access.redhat.com
DEBU GET https://registry.access.redhat.com/v2/
DEBU Ping https://registry.access.redhat.com/v2/ status 200
DEBU GET https://registry.access.redhat.com/v2/alpine/manifests/latest
DEBU Accessing "registry.access.redhat.com/alpine:latest" failed: Error reading manifest latest in registry.access.redhat.com/alpine: name unknown: Repo not found
DEBU error copying src image ["docker://registry.access.redhat.com/alpine:latest"] to dest image ["registry.access.redhat.com/alpine:latest"] err: Error initializing source docker://registry.access.redhat.com/alpine:latest: Error reading manifest latest in registry.access.redhat.com/alpine: name unknown: Repo not found
DEBU error pulling image "docker://registry.access.redhat.com/alpine:latest": Error initializing source docker://registry.access.redhat.com/alpine:latest: Error reading manifest latest in registry.access.redhat.com/alpine: name unknown: Repo not found
DEBU unable to pull and read image "registry.access.redhat.com/alpine": Error initializing source docker://registry.access.redhat.com/alpine:latest: Error reading manifest latest in registry.access.redhat.com/alpine: name unknown: Repo not found
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.fedoraproject.org/alpine:latest"
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.fedoraproject.org/alpine:latest"
DEBU reference "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.fedoraproject.org/alpine:latest" does not resolve to an image ID
DEBU registry "registry.fedoraproject.org" is not listed in registries configuration "/etc/containers/registries.conf", assuming it's not blocked
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.fedoraproject.org/alpine:latest"
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.fedoraproject.org/alpine:latest"
DEBU copying "docker://registry.fedoraproject.org/alpine:latest" to "registry.fedoraproject.org/alpine:latest"
DEBU Trying to access "registry.fedoraproject.org/alpine:latest"
DEBU Credentials not found
DEBU Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU Using "default-docker" configuration
DEBU No signature storage configuration found for registry.fedoraproject.org/alpine:latest
DEBU Looking for TLS certificates and private keys in /etc/docker/certs.d/registry.fedoraproject.org
DEBU GET https://registry.fedoraproject.org/v2/
DEBU Ping https://registry.fedoraproject.org/v2/ status 200
DEBU GET https://registry.fedoraproject.org/v2/alpine/manifests/latest
DEBU Accessing "registry.fedoraproject.org/alpine:latest" failed: Error reading manifest latest in registry.fedoraproject.org/alpine: manifest unknown: manifest unknown
DEBU error copying src image ["docker://registry.fedoraproject.org/alpine:latest"] to dest image ["registry.fedoraproject.org/alpine:latest"] err: Error initializing source docker://registry.fedoraproject.org/alpine:latest: Error reading manifest latest in registry.fedoraproject.org/alpine: manifest unknown: manifest unknown
DEBU error pulling image "docker://registry.fedoraproject.org/alpine:latest": Error initializing source docker://registry.fedoraproject.org/alpine:latest: Error reading manifest latest in registry.fedoraproject.org/alpine: manifest unknown: manifest unknown
DEBU unable to pull and read image "registry.fedoraproject.org/alpine": Error initializing source docker://registry.fedoraproject.org/alpine:latest: Error reading manifest latest in registry.fedoraproject.org/alpine: manifest unknown: manifest unknown
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.centos.org/alpine:latest"
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.centos.org/alpine:latest"
DEBU reference "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.centos.org/alpine:latest" does not resolve to an image ID
DEBU registry "registry.centos.org" is not listed in registries configuration "/etc/containers/registries.conf", assuming it's not blocked
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.centos.org/alpine:latest"
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]registry.centos.org/alpine:latest"
DEBU copying "docker://registry.centos.org/alpine:latest" to "registry.centos.org/alpine:latest"
DEBU Trying to access "registry.centos.org/alpine:latest"
DEBU Credentials not found
DEBU Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU Using "default-docker" configuration
DEBU No signature storage configuration found for registry.centos.org/alpine:latest
DEBU Looking for TLS certificates and private keys in /etc/docker/certs.d/registry.centos.org
DEBU GET https://registry.centos.org/v2/
DEBU Ping https://registry.centos.org/v2/ status 200
DEBU GET https://registry.centos.org/v2/alpine/manifests/latest
DEBU Accessing "registry.centos.org/alpine:latest" failed: Error reading manifest latest in registry.centos.org/alpine: manifest unknown: manifest unknown
DEBU error copying src image ["docker://registry.centos.org/alpine:latest"] to dest image ["registry.centos.org/alpine:latest"] err: Error initializing source docker://registry.centos.org/alpine:latest: Error reading manifest latest in registry.centos.org/alpine: manifest unknown: manifest unknown
DEBU error pulling image "docker://registry.centos.org/alpine:latest": Error initializing source docker://registry.centos.org/alpine:latest: Error reading manifest latest in registry.centos.org/alpine: manifest unknown: manifest unknown
DEBU unable to pull and read image "registry.centos.org/alpine": Error initializing source docker://registry.centos.org/alpine:latest: Error reading manifest latest in registry.centos.org/alpine: manifest unknown: manifest unknown
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest"
DEBU parsed reference into "[overlay@/home/rpmbuild/.local/share/containers/storage+/run/user/2100/containers:overlay.mount_program=/usr/bin/fuse-overlayfs,overlay.mount_program=/usr/bin/fuse-overlayfs]docker.io/library/alpine:latest"
DEBU Trying to access "docker.io/library/alpine:latest"
DEBU Credentials not found
DEBU Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU Using "default-docker" configuration
DEBU No signature storage configuration found for docker.io/library/alpine:latest
DEBU Looking for TLS certificates and private keys in /etc/docker/certs.d/docker.io
DEBU GET https://registry-1.docker.io/v2/
DEBU Ping https://registry-1.docker.io/v2/ status 401
DEBU GET https://auth.docker.io/token?scope=repository%3Alibrary%2Falpine%3Apull&service=registry.docker.io
DEBU GET https://registry-1.docker.io/v2/library/alpine/manifests/latest
DEBU GET https://registry-1.docker.io/v2/library/alpine/manifests/sha256:cb8a924afdf0229ef7515d9e5b3024e23b3eb03ddbba287f4a19c6ac90b8d221
DEBU Downloading /v2/library/alpine/blobs/sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72
DEBU GET https://registry-1.docker.io/v2/library/alpine/blobs/sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72
DEBU exporting opaque data as blob "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72"
DEBU overlay: mount_data=lowerdir=/home/rpmbuild/.local/share/containers/storage/overlay/l/NUADX6MH3DN5DXH3I6V2MPPIPA,upperdir=/home/rpmbuild/.local/share/containers/storage/overlay/ce5b1d66df78ad872500099dd7530d2d27f46a04a7a0c00c145a52838be1e3d9/diff,workdir=/home/rpmbuild/.local/share/containers/storage/overlay/ce5b1d66df78ad872500099dd7530d2d27f46a04a7a0c00c145a52838be1e3d9/work,context="system_u:object_r:container_file_t:s0:c618,c1006"
DEBU Container ID: 52afc2b14b987652c4468470c81a7af44c65a85dc4645ce3d8862b24216ae916
DEBU Parsed Step: {Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] Command:label Args:[maintainer Tom Denham [email protected]] Flags:[] Attrs:map[] Message:LABEL maintainer "Tom Denham [email protected]" Original:LABEL maintainer="Tom Denham [email protected]"}
STEP 2: LABEL maintainer="Tom Denham [email protected]"
DEBU Parsed Step: {Env:[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] Command:env Args:[FLANNEL_ARCH amd64] Flags:[] Attrs:map[] Message:ENV FLANNEL_ARCH amd64 Original:ENV FLANNEL_ARCH=amd64}
STEP 3: ENV FLANNEL_ARCH=amd64
DEBU Parsed Step: {Env:[FLANNEL_ARCH=amd64 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin FLANNEL_ARCH=amd64] Command:run Args:[apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates] Flags:[] Attrs:map[] Message:RUN apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates Original:RUN apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates}
STEP 4: RUN apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates
DEBU RUN imagebuilder.Run{Shell:true, Args:[]string{"apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates"}}, docker.Config{Hostname:"", Domainname:"", User:"", Memory:0, MemorySwap:0, MemoryReservation:0, KernelMemory:0, CPUShares:0, CPUSet:"", PortSpecs:[]string(nil), ExposedPorts:map[docker.Port]struct {}{}, PublishService:"", StopSignal:"", StopTimeout:0, Env:[]string{"FLANNEL_ARCH=amd64", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "", "FLANNEL_ARCH=amd64"}, Cmd:[]string{"/bin/sh"}, Shell:[]string{}, Healthcheck:(*docker.HealthConfig)(nil), DNS:[]string(nil), Image:"", Volumes:map[string]struct {}{}, VolumeDriver:"", WorkingDir:"", MacAddress:"", Entrypoint:[]string{}, SecurityOpts:[]string(nil), OnBuild:[]string{}, Mounts:[]docker.Mount(nil), Labels:map[string]string{"maintainer":"Tom Denham [email protected]"}, AttachStdin:false, AttachStdout:false, AttachStderr:false, ArgsEscaped:false, Tty:false, OpenStdin:false, StdinOnce:false, NetworkDisabled:false, VolumesFrom:""}
DEBU using "/home/rpmbuild/nimbus8/flannel-build/tmp/buildah491815972" to hold bundle data
DEBU Forcing use of an IPC namespace.
DEBU Forcing use of a PID namespace.
DEBU Forcing use of a user namespace.
DEBU Resources: &buildah.CommonBuildOptions{AddHost:[]string{}, CgroupParent:"", CPUPeriod:0x0, CPUQuota:0, CPUShares:0x0, CPUSetCPUs:"", CPUSetMems:"", HTTPProxy:true, Memory:0, DNSSearch:[]string{}, DNSServers:[]string{}, DNSOptions:[]string{}, MemorySwap:0, LabelOpts:[]string(nil), SeccompProfilePath:"/usr/share/containers/seccomp.json", ApparmorProfile:"", ShmSize:"65536k", Ulimit:[]string{}, Volumes:[]string{}}
DEBU stdio is a terminal, defaulting to using a terminal
DEBU ensuring working directory "/home/rpmbuild/.local/share/containers/storage/overlay/ce5b1d66df78ad872500099dd7530d2d27f46a04a7a0c00c145a52838be1e3d9/merged" exists
DEBU bind mounted "/home/rpmbuild/.local/share/containers/storage/overlay/ce5b1d66df78ad872500099dd7530d2d27f46a04a7a0c00c145a52838be1e3d9/merged" to "/home/rpmbuild/nimbus8/flannel-build/tmp/buildah491815972/mnt/rootfs"
DEBU bind mounted "/home/rpmbuild/.local/share/containers/storage/overlay-containers/52afc2b14b987652c4468470c81a7af44c65a85dc4645ce3d8862b24216ae916/userdata/run/secrets" to "/home/rpmbuild/nimbus8/flannel-build/tmp/buildah491815972/mnt/buildah-bind-target-6"
DEBU config = {"ociVersion":"1.0.1-dev","process":{"terminal":true,"user":{"uid":0,"gid":0},"args":["/bin/sh","-c","apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan \u0026\u0026 update-ca-certificates"],"env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","FLANNEL_ARCH=amd64","HOSTNAME="],"cwd":"/","capabilities":{"bounding":["CAP_CHOWN","CAP_SETPCAP","CAP_DAC_OVERRIDE","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_AUDIT_WRITE","CAP_FSETID","CAP_KILL","CAP_SETFCAP","CAP_SYS_CHROOT","CAP_FOWNER","CAP_SETGID","CAP_SETUID"],"effective":["CAP_CHOWN","CAP_SETPCAP","CAP_DAC_OVERRIDE","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_AUDIT_WRITE","CAP_FSETID","CAP_KILL","CAP_SETFCAP","CAP_SYS_CHROOT","CAP_FOWNER","CAP_SETGID","CAP_SETUID"],"inheritable":["CAP_CHOWN","CAP_SETPCAP","CAP_DAC_OVERRIDE","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_AUDIT_WRITE","CAP_FSETID","CAP_KILL","CAP_SETFCAP","CAP_SYS_CHROOT","CAP_FOWNER","CAP_SETGID","CAP_SETUID"],"permitted":["CAP_CHOWN","CAP_SETPCAP","CAP_DAC_OVERRIDE","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_AUDIT_WRITE","CAP_FSETID","CAP_KILL","CAP_SETFCAP","CAP_SYS_CHROOT","CAP_FOWNER","CAP_SETGID","CAP_SETUID"],"ambient":["CAP_CHOWN","CAP_SETPCAP","CAP_DAC_OVERRIDE","CAP_MKNOD","CAP_NET_BIND_SERVICE","CAP_NET_RAW","CAP_AUDIT_WRITE","CAP_FSETID","CAP_KILL","CAP_SETFCAP","CAP_SYS_CHROOT","CAP_FOWNER","CAP_SETGID","CAP_SETUID"]},"rlimits":[{"type":"RLIMIT_NOFILE","hard":1024,"soft":1024}],"selinuxLabel":"system_u:system_r:container_t:s0:c618,c1006"},"root":{"path":"/home/rpmbuild/nimbus8/flannel-build/tmp/buildah491815972/mnt/rootfs"},"mounts":[{"destination":"/dev","type":"tmpfs","source":"/dev","options":["private","strictatime","noexec","nosuid","mode=755","size=65536k"]},{"destination":"/dev/mqueue","type":"mqueue","source":"mqueue","options":["private","nodev","noexec","nosuid"]},{"destination":"/dev/pts","type":"devpts","source":"pts","options":["private","noexec","nosuid","newinstance","ptmxmode=0666","mode=0620"]},{"destination":"/dev/shm","type":"tmpfs","source":"shm","options":["private","nodev","noexec","nosuid","mode=1777","size=65536k"]},{"destination":"/proc","type":"proc","source":"/proc","options":["private","nodev","noexec","nosuid"]},{"destination":"/sys","type":"bind","source":"/sys","options":["rbind","private","nodev","noexec","nosuid","ro"]},{"destination":"/run/secrets","type":"bind","source":"/home/rpmbuild/nimbus8/flannel-build/tmp/buildah491815972/mnt/buildah-bind-target-6","options":["bind","rprivate"]},{"destination":"/etc/hosts","type":"bind","source":"/home/rpmbuild/nimbus8/flannel-build/tmp/buildah491815972/hosts","options":["rbind"]},{"destination":"/etc/resolv.conf","type":"bind","source":"/home/rpmbuild/nimbus8/flannel-build/tmp/buildah491815972/resolv.conf","options":["rbind"]},{"destination":"/run/.containerenv","type":"bind","source":"/home/rpmbuild/nimbus8/flannel-build/tmp/buildah491815972/run/.containerenv","options":["rbind"]}],"linux":{"uidMappings":[{"containerID":0,"hostID":0,"size":1}],"gidMappings":[{"containerID":0,"hostID":0,"size":1},{"containerID":1,"hostID":1,"size":65536}],"namespaces":[{"type":"pid"},{"type":"ipc"},{"type":"mount"},{"type":"user"}],"seccomp":{"defaultAction":"SCMP_ACT_ERRNO","architectures":["SCMP_ARCH_X86_64","SCMP_ARCH_X86","SCMP_ARCH_X32"],"syscalls":[{"names":["accept"],"action":"SCMP_ACT_ALLOW"},{"names":["accept4"],"action":"SCMP_ACT_ALLOW"},{"names":["access"],"action":"SCMP_ACT_ALLOW"},{"names":["adjtimex"],"action":"SCMP_ACT_ALLOW"},{"names":["alarm"],"action":"SCMP_ACT_ALLOW"},{"names":["bind"],"action":"SCMP_ACT_ALLOW"},{"names":["brk"],"action":"SCMP_ACT_ALLOW"},{"names":["capget"],"action":"SCMP_ACT_ALLOW"},{"names":["capset"],"action":"SCMP_ACT_ALLOW"},{"names":["chdir"],"action":"SCMP_ACT_ALLOW"},{"names":["chmod"],"action":"SCMP_ACT_ALLOW"},{"names":["chown"],"action":"SCMP_ACT_ALLOW"},{"names":["chown32"],"action":"SCMP_ACT_ALLOW"},{"names":["clock_getres"],"action":"SCMP_ACT_ALLOW"},{"names":["clock_gettime"],"action":"SCMP_ACT_ALLOW"},{"names":["clock_nanosleep"],"action":"SCMP_ACT_ALLOW"},{"names":["close"],"action":"SCMP_ACT_ALLOW"},{"names":["connect"],"action":"SCMP_ACT_ALLOW"},{"names":["copy_file_range"],"action":"SCMP_ACT_ALLOW"},{"names":["creat"],"action":"SCMP_ACT_ALLOW"},{"names":["dup"],"action":"SCMP_ACT_ALLOW"},{"names":["dup2"],"action":"SCMP_ACT_ALLOW"},{"names":["dup3"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_create"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_create1"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_ctl"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_ctl_old"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_pwait"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_wait"],"action":"SCMP_ACT_ALLOW"},{"names":["epoll_wait_old"],"action":"SCMP_ACT_ALLOW"},{"names":["eventfd"],"action":"SCMP_ACT_ALLOW"},{"names":["eventfd2"],"action":"SCMP_ACT_ALLOW"},{"names":["execve"],"action":"SCMP_ACT_ALLOW"},{"names":["execveat"],"action":"SCMP_ACT_ALLOW"},{"names":["exit"],"action":"SCMP_ACT_ALLOW"},{"names":["exit_group"],"action":"SCMP_ACT_ALLOW"},{"names":["faccessat"],"action":"SCMP_ACT_ALLOW"},{"names":["fadvise64"],"action":"SCMP_ACT_ALLOW"},{"names":["fadvise64_64"],"action":"SCMP_ACT_ALLOW"},{"names":["fallocate"],"action":"SCMP_ACT_ALLOW"},{"names":["fanotify_mark"],"action":"SCMP_ACT_ALLOW"},{"names":["fchdir"],"action":"SCMP_ACT_ALLOW"},{"names":["fchmod"],"action":"SCMP_ACT_ALLOW"},{"names":["fchmodat"],"action":"SCMP_ACT_ALLOW"},{"names":["fchown"],"action":"SCMP_ACT_ALLOW"},{"names":["fchown32"],"action":"SCMP_ACT_ALLOW"},{"names":["fchownat"],"action":"SCMP_ACT_ALLOW"},{"names":["fcntl"],"action":"SCMP_ACT_ALLOW"},{"names":["fcntl64"],"action":"SCMP_ACT_ALLOW"},{"names":["fdatasync"],"action":"SCMP_ACT_ALLOW"},{"names":["fgetxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["flistxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["flock"],"action":"SCMP_ACT_ALLOW"},{"names":["fork"],"action":"SCMP_ACT_ALLOW"},{"names":["fremovexattr"],"action":"SCMP_ACT_ALLOW"},{"names":["fsetxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["fstat"],"action":"SCMP_ACT_ALLOW"},{"names":["fstat64"],"action":"SCMP_ACT_ALLOW"},{"names":["fstatat64"],"action":"SCMP_ACT_ALLOW"},{"names":["fstatfs"],"action":"SCMP_ACT_ALLOW"},{"names":["fstatfs64"],"action":"SCMP_ACT_ALLOW"},{"names":["fsync"],"action":"SCMP_ACT_ALLOW"},{"names":["ftruncate"],"action":"SCMP_ACT_ALLOW"},{"names":["ftruncate64"],"action":"SCMP_ACT_ALLOW"},{"names":["futex"],"action":"SCMP_ACT_ALLOW"},{"names":["futimesat"],"action":"SCMP_ACT_ALLOW"},{"names":["getcpu"],"action":"SCMP_ACT_ALLOW"},{"names":["getcwd"],"action":"SCMP_ACT_ALLOW"},{"names":["getdents"],"action":"SCMP_ACT_ALLOW"},{"names":["getdents64"],"action":"SCMP_ACT_ALLOW"},{"names":["getegid"],"action":"SCMP_ACT_ALLOW"},{"names":["getegid32"],"action":"SCMP_ACT_ALLOW"},{"names":["geteuid"],"action":"SCMP_ACT_ALLOW"},{"names":["geteuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["getgid"],"action":"SCMP_ACT_ALLOW"},{"names":["getgid32"],"action":"SCMP_ACT_ALLOW"},{"names":["getgroups"],"action":"SCMP_ACT_ALLOW"},{"names":["getgroups32"],"action":"SCMP_ACT_ALLOW"},{"names":["getitimer"],"action":"SCMP_ACT_ALLOW"},{"names":["getpeername"],"action":"SCMP_ACT_ALLOW"},{"names":["getpgid"],"action":"SCMP_ACT_ALLOW"},{"names":["getpgrp"],"action":"SCMP_ACT_ALLOW"},{"names":["getpid"],"action":"SCMP_ACT_ALLOW"},{"names":["getppid"],"action":"SCMP_ACT_ALLOW"},{"names":["getpriority"],"action":"SCMP_ACT_ALLOW"},{"names":["getrandom"],"action":"SCMP_ACT_ALLOW"},{"names":["getresgid"],"action":"SCMP_ACT_ALLOW"},{"names":["getresgid32"],"action":"SCMP_ACT_ALLOW"},{"names":["getresuid"],"action":"SCMP_ACT_ALLOW"},{"names":["getresuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["getrlimit"],"action":"SCMP_ACT_ALLOW"},{"names":["get_robust_list"],"action":"SCMP_ACT_ALLOW"},{"names":["getrusage"],"action":"SCMP_ACT_ALLOW"},{"names":["getsid"],"action":"SCMP_ACT_ALLOW"},{"names":["getsockname"],"action":"SCMP_ACT_ALLOW"},{"names":["getsockopt"],"action":"SCMP_ACT_ALLOW"},{"names":["get_thread_area"],"action":"SCMP_ACT_ALLOW"},{"names":["gettid"],"action":"SCMP_ACT_ALLOW"},{"names":["gettimeofday"],"action":"SCMP_ACT_ALLOW"},{"names":["getuid"],"action":"SCMP_ACT_ALLOW"},{"names":["getuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["getxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["inotify_add_watch"],"action":"SCMP_ACT_ALLOW"},{"names":["inotify_init"],"action":"SCMP_ACT_ALLOW"},{"names":["inotify_init1"],"action":"SCMP_ACT_ALLOW"},{"names":["inotify_rm_watch"],"action":"SCMP_ACT_ALLOW"},{"names":["io_cancel"],"action":"SCMP_ACT_ALLOW"},{"names":["ioctl"],"action":"SCMP_ACT_ALLOW"},{"names":["io_destroy"],"action":"SCMP_ACT_ALLOW"},{"names":["io_getevents"],"action":"SCMP_ACT_ALLOW"},{"names":["ioprio_get"],"action":"SCMP_ACT_ALLOW"},{"names":["ioprio_set"],"action":"SCMP_ACT_ALLOW"},{"names":["io_setup"],"action":"SCMP_ACT_ALLOW"},{"names":["io_submit"],"action":"SCMP_ACT_ALLOW"},{"names":["ipc"],"action":"SCMP_ACT_ALLOW"},{"names":["kill"],"action":"SCMP_ACT_ALLOW"},{"names":["lchown"],"action":"SCMP_ACT_ALLOW"},{"names":["lchown32"],"action":"SCMP_ACT_ALLOW"},{"names":["lgetxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["link"],"action":"SCMP_ACT_ALLOW"},{"names":["linkat"],"action":"SCMP_ACT_ALLOW"},{"names":["listen"],"action":"SCMP_ACT_ALLOW"},{"names":["listxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["llistxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["_llseek"],"action":"SCMP_ACT_ALLOW"},{"names":["lremovexattr"],"action":"SCMP_ACT_ALLOW"},{"names":["lseek"],"action":"SCMP_ACT_ALLOW"},{"names":["lsetxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["lstat"],"action":"SCMP_ACT_ALLOW"},{"names":["lstat64"],"action":"SCMP_ACT_ALLOW"},{"names":["madvise"],"action":"SCMP_ACT_ALLOW"},{"names":["memfd_create"],"action":"SCMP_ACT_ALLOW"},{"names":["mincore"],"action":"SCMP_ACT_ALLOW"},{"names":["mkdir"],"action":"SCMP_ACT_ALLOW"},{"names":["mkdirat"],"action":"SCMP_ACT_ALLOW"},{"names":["mknod"],"action":"SCMP_ACT_ALLOW"},{"names":["mknodat"],"action":"SCMP_ACT_ALLOW"},{"names":["mlock"],"action":"SCMP_ACT_ALLOW"},{"names":["mlock2"],"action":"SCMP_ACT_ALLOW"},{"names":["mlockall"],"action":"SCMP_ACT_ALLOW"},{"names":["mmap"],"action":"SCMP_ACT_ALLOW"},{"names":["mmap2"],"action":"SCMP_ACT_ALLOW"},{"names":["mprotect"],"action":"SCMP_ACT_ALLOW"},{"names":["mq_getsetattr"],"action":"SCMP_ACT_ALLOW"},{"names":["mq_notify"],"action":"SCMP_ACT_ALLOW"},{"names":["mq_open"],"action":"SCMP_ACT_ALLOW"},{"names":["mq_timedreceive"],"action":"SCMP_ACT_ALLOW"},{"names":["mq_timedsend"],"action":"SCMP_ACT_ALLOW"},{"names":["mq_unlink"],"action":"SCMP_ACT_ALLOW"},{"names":["mremap"],"action":"SCMP_ACT_ALLOW"},{"names":["msgctl"],"action":"SCMP_ACT_ALLOW"},{"names":["msgget"],"action":"SCMP_ACT_ALLOW"},{"names":["msgrcv"],"action":"SCMP_ACT_ALLOW"},{"names":["msgsnd"],"action":"SCMP_ACT_ALLOW"},{"names":["msync"],"action":"SCMP_ACT_ALLOW"},{"names":["munlock"],"action":"SCMP_ACT_ALLOW"},{"names":["munlockall"],"action":"SCMP_ACT_ALLOW"},{"names":["munmap"],"action":"SCMP_ACT_ALLOW"},{"names":["nanosleep"],"action":"SCMP_ACT_ALLOW"},{"names":["newfstatat"],"action":"SCMP_ACT_ALLOW"},{"names":["_newselect"],"action":"SCMP_ACT_ALLOW"},{"names":["open"],"action":"SCMP_ACT_ALLOW"},{"names":["openat"],"action":"SCMP_ACT_ALLOW"},{"names":["pause"],"action":"SCMP_ACT_ALLOW"},{"names":["pipe"],"action":"SCMP_ACT_ALLOW"},{"names":["pipe2"],"action":"SCMP_ACT_ALLOW"},{"names":["poll"],"action":"SCMP_ACT_ALLOW"},{"names":["ppoll"],"action":"SCMP_ACT_ALLOW"},{"names":["prctl"],"action":"SCMP_ACT_ALLOW"},{"names":["pread64"],"action":"SCMP_ACT_ALLOW"},{"names":["preadv"],"action":"SCMP_ACT_ALLOW"},{"names":["preadv2"],"action":"SCMP_ACT_ALLOW"},{"names":["prlimit64"],"action":"SCMP_ACT_ALLOW"},{"names":["pselect6"],"action":"SCMP_ACT_ALLOW"},{"names":["pwrite64"],"action":"SCMP_ACT_ALLOW"},{"names":["pwritev"],"action":"SCMP_ACT_ALLOW"},{"names":["pwritev2"],"action":"SCMP_ACT_ALLOW"},{"names":["read"],"action":"SCMP_ACT_ALLOW"},{"names":["readahead"],"action":"SCMP_ACT_ALLOW"},{"names":["readlink"],"action":"SCMP_ACT_ALLOW"},{"names":["readlinkat"],"action":"SCMP_ACT_ALLOW"},{"names":["readv"],"action":"SCMP_ACT_ALLOW"},{"names":["recv"],"action":"SCMP_ACT_ALLOW"},{"names":["recvfrom"],"action":"SCMP_ACT_ALLOW"},{"names":["recvmmsg"],"action":"SCMP_ACT_ALLOW"},{"names":["recvmsg"],"action":"SCMP_ACT_ALLOW"},{"names":["remap_file_pages"],"action":"SCMP_ACT_ALLOW"},{"names":["removexattr"],"action":"SCMP_ACT_ALLOW"},{"names":["rename"],"action":"SCMP_ACT_ALLOW"},{"names":["renameat"],"action":"SCMP_ACT_ALLOW"},{"names":["renameat2"],"action":"SCMP_ACT_ALLOW"},{"names":["restart_syscall"],"action":"SCMP_ACT_ALLOW"},{"names":["rmdir"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigaction"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigpending"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigprocmask"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigqueueinfo"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigreturn"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigsuspend"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_sigtimedwait"],"action":"SCMP_ACT_ALLOW"},{"names":["rt_tgsigqueueinfo"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_getaffinity"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_getattr"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_getparam"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_get_priority_max"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_get_priority_min"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_getscheduler"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_rr_get_interval"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_setaffinity"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_setattr"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_setparam"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_setscheduler"],"action":"SCMP_ACT_ALLOW"},{"names":["sched_yield"],"action":"SCMP_ACT_ALLOW"},{"names":["seccomp"],"action":"SCMP_ACT_ALLOW"},{"names":["select"],"action":"SCMP_ACT_ALLOW"},{"names":["semctl"],"action":"SCMP_ACT_ALLOW"},{"names":["semget"],"action":"SCMP_ACT_ALLOW"},{"names":["semop"],"action":"SCMP_ACT_ALLOW"},{"names":["semtimedop"],"action":"SCMP_ACT_ALLOW"},{"names":["send"],"action":"SCMP_ACT_ALLOW"},{"names":["sendfile"],"action":"SCMP_ACT_ALLOW"},{"names":["sendfile64"],"action":"SCMP_ACT_ALLOW"},{"names":["sendmmsg"],"action":"SCMP_ACT_ALLOW"},{"names":["sendmsg"],"action":"SCMP_ACT_ALLOW"},{"names":["sendto"],"action":"SCMP_ACT_ALLOW"},{"names":["setfsgid"],"action":"SCMP_ACT_ALLOW"},{"names":["setfsgid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setfsuid"],"action":"SCMP_ACT_ALLOW"},{"names":["setfsuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setgid"],"action":"SCMP_ACT_ALLOW"},{"names":["setgid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setgroups"],"action":"SCMP_ACT_ALLOW"},{"names":["setgroups32"],"action":"SCMP_ACT_ALLOW"},{"names":["setitimer"],"action":"SCMP_ACT_ALLOW"},{"names":["setpgid"],"action":"SCMP_ACT_ALLOW"},{"names":["setpriority"],"action":"SCMP_ACT_ALLOW"},{"names":["setregid"],"action":"SCMP_ACT_ALLOW"},{"names":["setregid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setresgid"],"action":"SCMP_ACT_ALLOW"},{"names":["setresgid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setresuid"],"action":"SCMP_ACT_ALLOW"},{"names":["setresuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setreuid"],"action":"SCMP_ACT_ALLOW"},{"names":["setreuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setrlimit"],"action":"SCMP_ACT_ALLOW"},{"names":["set_robust_list"],"action":"SCMP_ACT_ALLOW"},{"names":["setsid"],"action":"SCMP_ACT_ALLOW"},{"names":["setsockopt"],"action":"SCMP_ACT_ALLOW"},{"names":["set_thread_area"],"action":"SCMP_ACT_ALLOW"},{"names":["set_tid_address"],"action":"SCMP_ACT_ALLOW"},{"names":["setuid"],"action":"SCMP_ACT_ALLOW"},{"names":["setuid32"],"action":"SCMP_ACT_ALLOW"},{"names":["setxattr"],"action":"SCMP_ACT_ALLOW"},{"names":["shmat"],"action":"SCMP_ACT_ALLOW"},{"names":["shmctl"],"action":"SCMP_ACT_ALLOW"},{"names":["shmdt"],"action":"SCMP_ACT_ALLOW"},{"names":["shmget"],"action":"SCMP_ACT_ALLOW"},{"names":["shutdown"],"action":"SCMP_ACT_ALLOW"},{"names":["sigaltstack"],"action":"SCMP_ACT_ALLOW"},{"names":["signalfd"],"action":"SCMP_ACT_ALLOW"},{"names":["signalfd4"],"action":"SCMP_ACT_ALLOW"},{"names":["sigreturn"],"action":"SCMP_ACT_ALLOW"},{"names":["socket"],"action":"SCMP_ACT_ALLOW"},{"names":["socketcall"],"action":"SCMP_ACT_ALLOW"},{"names":["socketpair"],"action":"SCMP_ACT_ALLOW"},{"names":["splice"],"action":"SCMP_ACT_ALLOW"},{"names":["stat"],"action":"SCMP_ACT_ALLOW"},{"names":["stat64"],"action":"SCMP_ACT_ALLOW"},{"names":["statfs"],"action":"SCMP_ACT_ALLOW"},{"names":["statfs64"],"action":"SCMP_ACT_ALLOW"},{"names":["statx"],"action":"SCMP_ACT_ALLOW"},{"names":["symlink"],"action":"SCMP_ACT_ALLOW"},{"names":["symlinkat"],"action":"SCMP_ACT_ALLOW"},{"names":["sync"],"action":"SCMP_ACT_ALLOW"},{"names":["sync_file_range"],"action":"SCMP_ACT_ALLOW"},{"names":["syncfs"],"action":"SCMP_ACT_ALLOW"},{"names":["sysinfo"],"action":"SCMP_ACT_ALLOW"},{"names":["syslog"],"action":"SCMP_ACT_ALLOW"},{"names":["tee"],"action":"SCMP_ACT_ALLOW"},{"names":["tgkill"],"action":"SCMP_ACT_ALLOW"},{"names":["time"],"action":"SCMP_ACT_ALLOW"},{"names":["timer_create"],"action":"SCMP_ACT_ALLOW"},{"names":["timer_delete"],"action":"SCMP_ACT_ALLOW"},{"names":["timerfd_create"],"action":"SCMP_ACT_ALLOW"},{"names":["timerfd_gettime"],"action":"SCMP_ACT_ALLOW"},{"names":["timerfd_settime"],"action":"SCMP_ACT_ALLOW"},{"names":["timer_getoverrun"],"action":"SCMP_ACT_ALLOW"},{"names":["timer_gettime"],"action":"SCMP_ACT_ALLOW"},{"names":["timer_settime"],"action":"SCMP_ACT_ALLOW"},{"names":["times"],"action":"SCMP_ACT_ALLOW"},{"names":["tkill"],"action":"SCMP_ACT_ALLOW"},{"names":["truncate"],"action":"SCMP_ACT_ALLOW"},{"names":["truncate64"],"action":"SCMP_ACT_ALLOW"},{"names":["ugetrlimit"],"action":"SCMP_ACT_ALLOW"},{"names":["umask"],"action":"SCMP_ACT_ALLOW"},{"names":["uname"],"action":"SCMP_ACT_ALLOW"},{"names":["unlink"],"action":"SCMP_ACT_ALLOW"},{"names":["unlinkat"],"action":"SCMP_ACT_ALLOW"},{"names":["utime"],"action":"SCMP_ACT_ALLOW"},{"names":["utimensat"],"action":"SCMP_ACT_ALLOW"},{"names":["utimes"],"action":"SCMP_ACT_ALLOW"},{"names":["vfork"],"action":"SCMP_ACT_ALLOW"},{"names":["vmsplice"],"action":"SCMP_ACT_ALLOW"},{"names":["wait4"],"action":"SCMP_ACT_ALLOW"},{"names":["waitid"],"action":"SCMP_ACT_ALLOW"},{"names":["waitpid"],"action":"SCMP_ACT_ALLOW"},{"names":["write"],"action":"SCMP_ACT_ALLOW"},{"names":["writev"],"action":"SCMP_ACT_ALLOW"},{"names":["mount"],"action":"SCMP_ACT_ALLOW"},{"names":["umount2"],"action":"SCMP_ACT_ALLOW"},{"names":["reboot"],"action":"SCMP_ACT_ALLOW"},{"names":["name_to_handle_at"],"action":"SCMP_ACT_ALLOW"},{"names":["unshare"],"action":"SCMP_ACT_ALLOW"},{"names":["personality"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":0,"op":"SCMP_CMP_EQ"}]},{"names":["personality"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":8,"op":"SCMP_CMP_EQ"}]},{"names":["personality"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":131072,"op":"SCMP_CMP_EQ"}]},{"names":["personality"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":131080,"op":"SCMP_CMP_EQ"}]},{"names":["personality"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":4294967295,"op":"SCMP_CMP_EQ"}]},{"names":["arch_prctl"],"action":"SCMP_ACT_ALLOW"},{"names":["modify_ldt"],"action":"SCMP_ACT_ALLOW"},{"names":["clone"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":2080505856,"op":"SCMP_CMP_MASKED_EQ"}]},{"names":["chroot"],"action":"SCMP_ACT_ALLOW"}]},"maskedPaths":["/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware","/sys/fs/cgroup","/sys/fs/selinux"],"readonlyPaths":["/proc/asound","/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"mountLabel":"system_u:object_r:container_file_t:s0:c618,c1006"}}
DEBU Running ["runc" "create" "--bundle" "/home/rpmbuild/nimbus8/flannel-build/tmp/buildah491815972" "--pid-file" "/home/rpmbuild/nimbus8/flannel-build/tmp/buildah491815972/pid" "--no-new-keyring" "--console-socket" "/home/rpmbuild/nimbus8/flannel-build/tmp/buildah491815972/console.sock" "buildah-buildah491815972"]
DEBU Running ["runc" "start" "buildah-buildah491815972"]
DEBU socket descriptor is for "/dev/ptmx"
DEBU control messages: [{{20 1 1} [14 0 0 0]}]
DEBU fds: [14]
standard_init_linux.go:211: exec user process caused "permission denied"
DEBU error building at step {Env:[FLANNEL_ARCH=amd64 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin FLANNEL_ARCH=amd64] Command:run Args:[apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates] Flags:[] Attrs:map[] Message:RUN apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates Original:RUN apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates}: error while running runtime: exit status 1
error building at STEP "RUN apk add --no-cache iproute2 net-tools ca-certificates iptables strongswan && update-ca-certificates": error while running runtime: exit status 1
ERRO exit status 1
After converting to a buildah script - seeing the same issues:
$ buildah unshare ./flannel-amd64.sh
error running container: failed to read from slirp4netns sync pipe: EOF
error running container: failed to read from slirp4netns sync pipe: EOF
af3f31bd234d8816a1d57ea4145c968dcab2852bbe1a7ef5d4a9758caf4ee61f
914221d232f6e85366c93e1431f59a909b399900a7610f9489a2531b8878ea3a
Getting image source signatures
Copying blob beee9f30bc1f skipped: already exists
Copying blob ce7c2b534bf0 done
Copying config 97701edc27 done
Writing manifest to image destination
Storing signatures
97701edc27f4b095b7314cc994e2ad889b2705a4f93add6b2877d96187e8657c
When run as root or setenforce 0 is set - it builds the image just fine.
Version: 1.14.8
Go Version: go1.14.1
Image Spec: 1.0.1-dev
Runtime Spec: 1.0.1-dev
CNI Spec: 0.4.0
libcni Version:
image Version: 5.4.3
Git Commit:
Built: Sat Apr 18 00:14:37 2020
OS/Arch: linux/amd64
system storage.conf
[storage]
Default Storage Driver
driver = "overlay"
Temporary storage location
runroot = "/var/run/containers/storage"
Primary Read/Write location of container storage
graphroot = "/var/lib/containers/storage"
[storage.options]
Storage options to be passed to underlying storage drivers
AdditionalImageStores is used to pass paths to additional Read/Only image stores
Must be comma separated list.
additionalimagestores = [
]
Size is used to set a maximum size of the container image. Only supported by
certain container storage drivers.
size = ""
Path to an helper program to use for mounting the file system instead of mounting it
directly.
mount_program = "/usr/bin/fuse-overlayfs"
OverrideKernelCheck tells the driver to ignore kernel checks based on kernel version
override_kernel_check = "true"
mountopt specifies comma separated list of extra mount options
mountopt = "nodev,metacopy=on"
Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
a container, to UIDs/GIDs as they should appear outside of the container, and
the length of the range of UIDs/GIDs. Additional mapped sets can be listed
and will be heeded by libraries, but there are limits to the number of
mappings which the kernel will allow when you later attempt to run a
container.
remap-uids = 0:1668442479:65536
remap-gids = 0:1668442479:65536
Remap-User/Group is a name which can be used to look up one or more UID/GID
ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting
with an in-container ID of 0 and the a host-level ID taken from the lowest
range that matches the specified name, and using the length of that range.
Additional ranges are then assigned, using the ranges which specify the
lowest host-level IDs first, to the lowest not-yet-mapped container-level ID,
until all of the entries have been used for maps.
remap-user = "storage"
remap-group = "storage"
[storage.options.thinpool]
Storage Options for thinpool
autoextend_percent determines the amount by which pool needs to be
grown. This is specified in terms of % of pool size. So a value of 20 means
that when threshold is hit, pool will be grown by 20% of existing
pool size.
autoextend_percent = "20"
autoextend_threshold determines the pool extension threshold in terms
of percentage of pool size. For example, if threshold is 60, that means when
pool is 60% full, threshold has been hit.
autoextend_threshold = "80"
basesize specifies the size to use when creating the base device, which
limits the size of images and containers.
basesize = "10G"
blocksize specifies a custom blocksize to use for the thin pool.
blocksize="64k"
directlvm_device specifies a custom block storage device to use for the
thin pool. Required if you setup devicemapper.
directlvm_device = ""
directlvm_device_force wipes device even if device already has a filesystem.
directlvm_device_force = "True"
fs specifies the filesystem type to use for the base device.
fs="xfs"
log_level sets the log level of devicemapper.
0: LogLevelSuppress 0 (Default)
2: LogLevelFatal
3: LogLevelErr
4: LogLevelWarn
5: LogLevelNotice
6: LogLevelInfo
7: LogLevelDebug
log_level = "7"
min_free_space specifies the min free space percent in a thin pool require for
new device creation to succeed. Valid values are from 0% - 99%.
Value 0% disables
min_free_space = "10%"
mkfsarg specifies extra mkfs arguments to be used when creating the base.
device.
mkfsarg = ""
use_deferred_removal marks devicemapper block device for deferred removal.
If the thinpool is in use when the driver attempts to remove it, the driver
tells the kernel to remove it as soon as possible. Note this does not free
up the disk space, use deferred deletion to fully remove the thinpool.
use_deferred_removal = "True"
use_deferred_deletion marks thinpool device for deferred deletion.
If the device is busy when the driver attempts to delete it, the driver
will attempt to delete device every 30 seconds until successful.
If the program using the driver exits, the driver will continue attempting
to cleanup the next time the driver is used. Deferred deletion permanently
deletes the device and all data stored in device will be lost.
use_deferred_deletion = "True"
xfs_nospace_max_retries specifies the maximum number of retries XFS should
attempt to complete IO when ENOSPC (no space) error is returned by
underlying storage device.
xfs_nospace_max_retries = "0"
If specified, use OSTree to deduplicate files with the overlay backend
ostree_repo = ""
Set to skip a PRIVATE bind mount on the storage home directory. Only supported by
certain container storage drivers
skip_mount_home = "false"
rpmbuild storage.conf:
[storage]
driver = "overlay"
runroot = "/run/user/2100/containers"
graphroot = "/home/rpmbuild/.local/share/containers/storage"
[storage.options]
size = ""
remap-uids = ""
remap-gids = ""
ignore_chown_errors = ""
remap-user = ""
remap-group = ""
skip_mount_home = ""
mount_program = "/usr/bin/fuse-overlayfs"
mountopt = ""
[storage.options.aufs]
mountopt = ""
[storage.options.btrfs]
min_space = ""
size = ""
[storage.options.thinpool]
autoextend_percent = ""
autoextend_threshold = ""
basesize = ""
blocksize = ""
directlvm_device = ""
directlvm_device_force = ""
fs = ""
log_level = ""
min_free_space = ""
mkfsarg = ""
mountopt = ""
size = ""
use_deferred_deletion = ""
use_deferred_removal = ""
xfs_nospace_max_retries = ""
[storage.options.overlay]
ignore_chown_errors = ""
mountopt = ""
mount_program = ""
size = ""
skip_mount_home = ""
[storage.options.vfs]
ignore_chown_errors = ""
[storage.options.zfs]
mountopt = ""
fsname = ""
size = ""
Started to build a SELinux policy to address this - but AVCs stop showing up even with semodule -DB. That's quite frustrating when nothing is indicating what policies are missing. This allowed me to get the alpine image to show up in buildah. The process transition keeps showing up after I run the buildah commands, so I think that is a bit more complex. What I have so far:
policy_module(buildah, 1.0.0)
########################################
Declarations
type container_file_t;
type container_runtime_t;
type container_t;
type staff_t;
########################################
buildah local policy
#============= container_runtime_t ==============
allow container_runtime_t container_t:process transition;
#============= staff_t ==============
allow staff_t container_file_t:chr_file { ioctl read write };
allow staff_t container_file_t:dir relabelto;
allow staff_t container_file_t:file relabelto;
allow staff_t self:cap_userns { chown dac_override dac_read_search fowner fsetid setgid setuid };
files_mounton_rootfs(staff_t)
fs_mount_fusefs(staff_t)
fs_unmount_fusefs(staff_t)
fs_unmount_xattr_fs(staff_t)
FYI - this also affects podman as well. It will not run at all as the staff SEUSER with SELinux enabled...it just hangs. Have a sneaky suspicion the newuid/newgid mapping are also related.
Works as root and as regular user with SElinux disabled.
from container-selinux.
rhatdan
commented on August 17, 2024
I believe this works now.
from container-selinux.
laolux
commented on August 17, 2024
@rhatdan sorry if I just don't understand the solution, but I cannot run containers as staff_u
Whenever I try to run a container, I get ype=AVC msg=audit(1623763861.316:852): avc: denied { transition } for pid=3641 comm="3" path="/usr/bin/bash" dev="overlay" ino=4582721 scontext=staff_u:staff_r:container_runtime_t:s0 tcontext=system_u:system_r:container_t:s0:c363,c421 tclass=process permissive=0
My teststaff user is SELinux user staff_u and has MLS/MCS Range s0-s0:c0.c1023
My OS is Fedora 34, podman is 3.2.1 and container-selinux version is 2.163.0
semanage permissive -d container_runtime_t permits me to run containers and I only get the avc denial I listed above, albeit with permissive=1.
What am I doing wrong?
from container-selinux.
Related Issues (20)
- SELinux blocks ansible from doing DNF updates with the nsenter connection plugin HOT 8
- Branch protection for main branch HOT 3
- gating tests? HOT 2
- iptables-restore cannot read file from inside a container HOT 6
- allow user_u to work with containers HOT 8
- Packit: Use packit for bumping official fedora package HOT 1
- CI: check for long-running relabels HOT 1
- [packit] Propose downstream failed for release v2.213.0 HOT 3
- Issues on Fedora (container-selinux-2.211.1) with container_domain_template HOT 5
- Issue on RHEL with iscsiadm on v2.205 HOT 4
- user_namespace { create } rule not working HOT 11
- Concern with use of dac_override in home_container.cil HOT 3
- `avc: denied { shutdown }` when using socket activation with rootless podman quadlet HOT 3
- dri_device_t cannot be accessed correctly by pods using device plugins. HOT 12
- Add support for `rpm --verify` HOT 2
- container_init_t does not possess ptrace process context HOT 13
- CRI-O CI broken due to SELinux AVC Denials with latest runc (main branch) build HOT 20
- systemd crashes while attempting to start under container_user_r role HOT 11
- /etc/kubernetes filetrans? HOT 1
- container_user_u issues related to `podmansh` HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from container-selinux.