Error when attempting to start container "starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied" #10885
Description
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
When starting any container, root or rootless it spits this error:
Error: unable to start container "6828c256c663e4033c34cbcbca5a091be1d8015a3eabc3d158f08e0017c24cbc": container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied
Steps to reproduce the issue:
-
Pull any container from any registry, or build your own
-
Create the container
-
Start the container
Describe the results you received:
Error: unable to start container "6828c256c663e4033c34cbcbca5a091be1d8015a3eabc3d158f08e0017c24cbc": container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied
Describe the results you expected:
The container starting as normal
Additional information you deem important (e.g. issue happens only occasionally):
Output of podman version:
Version: 3.2.2
API Version: 3.2.2
Go Version: go1.16.5
Git Commit: d577c44e359f9f8284b38cf984f939b3020badc3
Built: Tue Jun 29 06:13:34 2021
OS/Arch: linux/amd64
Output of podman info --debug:
host:
arch: amd64
buildahVersion: 1.21.0
cgroupControllers: []
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: /usr/bin/conmon is owned by conmon 1:2.0.29-1
path: /usr/bin/conmon
version: 'conmon version 2.0.29, commit: 7e6de6678f6ed8a18661e1d5721b81ccee293b9b'
cpus: 4
distribution:
distribution: arch
version: unknown
eventLogger: journald
hostname: takarch-pc
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 10000
size: 65536
uidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 10000
size: 65536
kernel: 5.12.14-arch1-1
linkmode: dynamic
memFree: 6470803456
memTotal: 16724402176
ociRuntime:
name: crun
package: /usr/bin/crun is owned by crun 0.20.1-1
path: /usr/bin/crun
version: |-
crun version 0.20.1
commit: 38271d1c8d9641a2cdc70acfa3dcb6996d124b3d
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
os: linux
remoteSocket:
path: /run/user/1000/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /etc/containers/seccomp.json
selinuxEnabled: false
serviceIsRemote: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: /usr/bin/slirp4netns is owned by slirp4netns 1.1.11-1
version: |-
slirp4netns version 1.1.11
commit: 368e69ccc074628d17a9bb9a35b8f4b9f74db4c6
libslirp: 4.6.1
SLIRP_CONFIG_VERSION_MAX: 3
libseccomp: 2.5.1
swapFree: 21474832384
swapTotal: 21474832384
uptime: 5h 38m 47.31s (Approximately 0.21 days)
registries: {}
store:
configFile: /home/takyon/.config/containers/storage.conf
containerStore:
number: 2
paused: 0
running: 0
stopped: 2
graphDriverName: overlay
graphOptions: {}
graphRoot: /home/takyon/.local/share/containers/storage
graphStatus:
Backing Filesystem: extfs
Native Overlay Diff: "false"
Supports d_type: "true"
Using metacopy: "false"
imageStore:
number: 2
runRoot: /run/user/1000/containers
volumePath: /home/takyon/.local/share/containers/storage/volumes
version:
APIVersion: 3.2.2
Built: 1624911214
BuiltTime: Tue Jun 29 06:13:34 2021
GitCommit: d577c44e359f9f8284b38cf984f939b3020badc3
GoVersion: go1.16.5
OsArch: linux/amd64
Version: 3.2.2
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)
Yes
Additional environment details (AWS, VirtualBox, physical, etc.):
Physical