Error: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied

[jxs]

Hi, I am getting this error with latest podman my podman info is:

~ sudo podman info                     
host:
  arch: amd64
  buildahVersion: 1.21.0
  cgroupControllers:
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.0.29-1
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: 7e6de6678f6ed8a18661e1d5721b81ccee293b9b'
  cpus: 12
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: ophion
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.10.45-1-lts
  linkmode: dynamic
  memFree: 7517126656
  memTotal: 8102539264
  ociRuntime:
    name: runc
    package: /usr/bin/runc is owned by runc 1.0.0rc95-1
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc95
      commit: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
      spec: 1.0.2-dev
      go: go1.16.4
      libseccomp: 2.5.1
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 7999582208
  swapTotal: 7999582208
  uptime: 9m 24.03s
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 0
    stopped: 2
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageStore:
    number: 15
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.2.1
  Built: 1623927305
  BuiltTime: Thu Jun 17 11:55:05 2021
  GitCommit: 152952fe6b18581615c3efd1fafef2d8142738e8
  GoVersion: go1.16.5
  OsArch: linux/amd64
  Version: 3.2.1

downgrading containers-common from 0.40.0-1 to 0.39.0-3 fixes the issue

thanks

[mheon]

@cevich Well, we have a report of this in the wild now.

@jxs Workaround for now is to use crun instead of runc as your OCI runtime. We're seeing this in our CI and are trying to chase down the exact cause.

[cevich]

Well, we have a report of this in the wild now.

Aye, s'pose it was eventually inevitable. For reference, this is being tracked in a containers-common issue (but affects both podman and buildah bud).

[captn3m0]

Thanks @mheon.

podman --runtime /usr/bin/crun run worked for me (after installing crun)

[rhatdan]

You can change this by default in /etc/containers/containers.conf

[Foxboron]

Arch maintainer here. Feel free to poke me to test patches and/or if we should add some workarounds.

Are we better off swapping runc for crun in our podman package going forward?

[rhatdan]

That is what we are doing in Fedora land. We think in the long run having a lighter weight OCI Runtime is a good thing. Also we hope to get newer "plugin" runtimes that use crun as a front end in the future. libkrun for example.

[kallisti5]

Just saw this on ArchLinux

docker build -t docker.io/haikuporter/haikuporter:1.2.5 .
STEP 1: FROM ubuntu:bionic
STEP 2: RUN ...
level=error msg="container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied"
: exit status 1
Error: error building at STEP "RUN ...": error while running runtime: exit status 1

podman version 3.2.1

[kallisti5]

switching to crun fixes it. To have a workaround documented in this ticket, how do you change the default runtime of podman to crun?

[jxs]

@kallisti5 :

You can change this by default in /etc/containers/containers.conf

see here

[cevich]

Closing this as the root cause issue has also been closed. To be clear, the fix is podman 2.3.1 (or later) plus either:

• Use crun
• Use runc 1.0.0 (released 23rd June)

[tsjk]

Closing this as the root cause issue has also been closed. To be clear, the fix is podman 2.3.1 (or later) plus either:

• Use crun
• Use runc 1.0.0 (released 23rd June)

I run podman 3.3.1 on Gentoo, and with runc 1.0.0 I stumbled on this same error. I installed crun 0.19.1 (latest in Gentoo), and the problem "went away".