-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
conmon permission denied when running podman #1132
Comments
Can you give us any more details about your system and how it was set up? Can you also show the output of this command?
|
Sure, the system is quite "vanilla" as it's pretty much just a container host with the following butane file: variant: fcos
version: 1.3.0
passwd:
users:
- name: core
ssh_authorized_keys:
- ssh-ed25519 ...
storage:
files:
- path: /etc/hostname
mode: 0644
contents:
inline: earth
- path: /etc/NetworkManager/system-connections/Wired Connection 1.nmconnection
mode: 0600
contents:
inline: |
[connection]
id=Wired connection 1
type=ethernet
interface-name=ens3
[ipv4]
method=auto
[ipv6]
addr-gen-mode=stable-privacy
address1=...
method=auto It was installed using the following embedded butane/ignition config which chainloaded the above in the installation process: variant: fcos
version: 1.3.0
systemd:
units:
- name: install.service
enabled: true
contents: |
[Unit]
Description=Run CoreOS Installer
Requires=coreos-installer-pre.target
After=coreos-installer-pre.target
OnFailure=emergency.target
OnFailureJobMode=replace-irreversibly
[Service]
Type=oneshot
ExecStart=/usr/bin/coreos-installer install -i /var/setup.ign /dev/sda
ExecStart=/usr/bin/systemctl --no-block reboot
StandardOutput=kmsg+console
StandardError=kmsg+console
[Install]
RequiredBy=default.target
storage:
files:
- path: /var/setup.ign
mode: 0644
contents:
compression: null
local: example.ign The following however seems to indicate a modified selinux policy? This is however on the rollbacked (i.e., working version). There's a
Nor did I manage to actually get some more specific diffs of the selinux policy. These are the current deployments:
These are packages I layered after the butane/ignition default install:
I don't recall changing anything in |
Yes odd. If you didn't explicitly change the SELinux policy then maybe something else did? Either way you can get back to the defaults using the workaround at the bottom of #701 (comment) and then re-attempt your upgrade. - you'd want to verify before and after that the |
Hm, the Flatpak package definitely did but nothing too weird, these are diffs of the non-binary files: # diff -a /usr/etc/selinux/targeted/active/commit_num /etc/selinux/targeted/active/commit_num
1c1
< 8
\ No newline at end of file
---
> 9
\ No newline at end of file
# diff -a /usr/etc/selinux/targeted/active/file_contexts /etc/selinux/targeted/active/file_contexts
6256a6257
> /usr/libexec/flatpak-system-helper -- system_u:object_r:flatpak_helper_exec_t:s0 however this is odd in itself, since the currently active deployment doesn't layer I've now tried to search in vain -- how do I "unrollback", i.e., boot to the newer version in order to test the workaround? |
hmm. If I install The best option I can think of for now retrying the upgrade is:
|
Hm, I've now simply removed all layered packages & upgraded to the latest version, still the same issue (but I didn't revert the selinux policies yet). Interestingly, the # diff -a /usr/etc/selinux/targeted/active/file_contexts /etc/selinux/targeted/active/file_contexts
1385a1386
> /var/lib/kublet(/.*)? system_u:object_r:container_var_lib_t:s0
1619d1619
< /var/lib/kubelet(/.*)? system_u:object_r:container_var_lib_t:s0
3973d3972
< /usr/bin/conmon -- system_u:object_r:conmon_exec_t:s0
5040d5038
< /usr/local/bin/conmon -- system_u:object_r:conmon_exec_t:s0
6258a6257
> /usr/libexec/flatpak-system-helper -- system_u:object_r:flatpak_helper_exec_t:s0 After that I reverted the SE Linux policies as advised by you, rebooted, and indeed now everything seems to work again! Thank you very much for your help and pointers, they were invaluable! For me the issue is fixed but if you are interested in tracking down the root cause, I'll try to help as best I can. Thanks a bunch! |
Thanks for letting us know! I'll close this one out and look out if more people report the same. |
@dustymabe do you think this poseidon/typhoon#1142 is related? |
Maybe more closer to #1138 ? |
I'm on Silverblue 36 and can't enter
Although on a separate laptop with the same version of everything,
while the working one only shows:
Do you mean running |
yes, and reboot |
Reference doc for SELinux policy update issues (applies to all rpm-ostree based OS): https://docs.fedoraproject.org/en-US/fedora-silverblue/troubleshooting/#_selinux_problems |
So, foolishly when the Also running the command from the docs leaves me unable to boot
|
Describe the bug
Very similar to #1089, running
podman
results in `"permission denied" by conmon.Reproduction steps
Steps to reproduce the behavior:
If yo run an arbitrary container image you get:
I also noticed that contrary to #1089
podman images
does not produce an error.System details
Additional information
Journal:
Confirmed this can be "fixed" by rolling back to the previous release from the first of March (35.20220213.3.0):
The text was updated successfully, but these errors were encountered: