Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Failed to start a container with runc.
Steps to reproduce the issue:
I have installed the latest release version of runc.
podman run --runtime /usr/sbin/runc --cgroup-manager=cgroupfs --network=host --pid=host --ipc=host centos:8 ls -al /sys/fs/cgroup/memory/
Describe the results you received:
Error: container_linux.go:380: starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied
Describe the results you expected:
The container can start successfully.
Additional information you deem important (e.g. issue happens only occasionally):
Output of podman version:
# podman -v
podman version 3.2.2
# runc -v
runc version 1.0.1
commit: v1.0.1-0-g4144b63817eb
spec: 1.0.2-dev
go: go1.16.5
libseccomp: 2.5.1
Output of podman info --debug:
host:
  arch: amd64
  buildahVersion: 1.21.0
  cgroupControllers:
  - cpuset
  - cpu
  - cpuacct
  - blkio
  - memory
  - devices
  - freezer
  - net_cls
  - perf_event
  - net_prio
  - hugetlb
  - pids
  cgroupManager: systemd
  cgroupVersion: v1
  conmon:
    package: 'conmon: /usr/libexec/podman/conmon'
    path: /usr/libexec/podman/conmon
    version: 'conmon version 2.0.27, commit: '
  cpus: 1
  distribution:
    distribution: ubuntu
    version: "20.10"
  eventLogger: journald
  hostname: eefb2b2ee52b
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.14.231-173.361.amzn2.x86_64
  linkmode: dynamic
  memFree: 190509056
  memTotal: 1031061504
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.20.1.5-925d-dirty
      commit: 0d42f1109fd73548f44b01b3e84d04a279e99d2e
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 1131h 31m 43.37s (Approximately 47.12 days)
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 38
    paused: 0
    running: 1
    stopped: 37
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.2.2
  Built: 0
  BuiltTime: Thu Jan 1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.14.7
  OsArch: linux/amd64
  Version: 3.2.2
Package info (e.g. output of rpm -q podman or apt list podman):
# apt list podman
Listing... Done
podman/unknown,now 100:3.2.2-1 amd64 [installed]
podman/unknown 100:3.2.2-1 arm64
podman/unknown 100:3.2.2-1 armhf
podman/unknown 100:3.2.2-1 s390x
Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)
Yes
Additional environment details (AWS, VirtualBox, physical, etc.):
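An added triage example, not part of the original report and not code from the podman or runc projects. The error text "error adding seccomp filter rule for syscall bdflush: permission denied" is EACCES coming back from libseccomp while the runtime builds the filter, and seccomp_rule_add(3) documents -EACCES for a rule that conflicts with the filter, the documented case being a rule whose action equals the filter's default action. The script below parses a containers/OCI-style seccomp profile (the report shows the profile in use at /usr/share/containers/seccomp.json), lists every rule that names a given syscall, and flags rules whose effective action equals the effective default action. The embedded profile is a constructed fragment, not the real file; the `honour_default_errno=False` switch is a what-if that models a runtime ignoring the optional `defaultErrnoRet` field and falling back to the OCI-specified default of EPERM, and is an assumption for analysis, not a claim about any particular runtime version.

```python
"""Triage helper for "error adding seccomp filter rule for syscall X: permission denied".

Added example (not podman/runc project code).  It checks a seccomp profile for
rules whose action is identical to the filter's default action, which
seccomp_rule_add(3) rejects with -EACCES ("permission denied").
"""
import json

EPERM = 1    # OCI spec: errnoRet/defaultErrnoRet default to EPERM when omitted
ENOSYS = 38

# Constructed fragment in the containers/OCI profile format; NOT the real
# /usr/share/containers/seccomp.json.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": ENOSYS,
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["bdflush", "sysfs", "uselib"],
         "action": "SCMP_ACT_ERRNO", "errnoRet": EPERM},
        {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO", "errnoRet": ENOSYS},
    ],
})


def effective_action(action, errno_ret=None):
    """(action, errno) pair as libseccomp sees it; SCMP_ACT_ERRNO carries its errno."""
    if action != "SCMP_ACT_ERRNO":
        return (action, None)
    return (action, EPERM if errno_ret is None else errno_ret)


def default_action(profile, honour_default_errno=True):
    """Effective default action of the filter.

    honour_default_errno=False is a what-if (assumption, not a statement about
    any runtime): it models a runtime that ignores defaultErrnoRet and uses EPERM.
    """
    err = profile.get("defaultErrnoRet") if honour_default_errno else None
    return effective_action(profile["defaultAction"], err)


def rules_for_syscall(profile, name):
    """Every rule whose 'names' list contains the syscall."""
    return [r for r in profile.get("syscalls", []) if name in r.get("names", [])]


def conflicting_rules(profile, honour_default_errno=True):
    """Rules whose effective action equals the default action (libseccomp -> -EACCES)."""
    default = default_action(profile, honour_default_errno)
    found = []
    for rule in profile.get("syscalls", []):
        act = effective_action(rule["action"], rule.get("errnoRet"))
        if act == default:
            found.append((tuple(rule["names"]), act))
    return found


def triage(profile_json, syscall, honour_default_errno=True):
    """Summarise what the profile says about one syscall and where it conflicts."""
    profile = json.loads(profile_json)
    hits = rules_for_syscall(profile, syscall)
    conflicts = conflicting_rules(profile, honour_default_errno)
    return {
        "default": default_action(profile, honour_default_errno),
        "rules_naming_syscall": [effective_action(r["action"], r.get("errnoRet"))
                                 for r in hits],
        "conflicts": conflicts,
        "syscall_conflicts": any(syscall in names for names, _ in conflicts),
    }


if __name__ == "__main__":
    # Run against the real profile with:
    #   triage(open("/usr/share/containers/seccomp.json").read(), "bdflush")
    for honour in (True, False):
        print("honour defaultErrnoRet =", honour, triage(SAMPLE_PROFILE, "bdflush", honour))
```

Two details from the report are worth keeping in view when running this: podman info lists crun as the default OCI runtime, while the failing command selected runc explicitly with --runtime /usr/sbin/runc, so the profile is being compiled by a runtime other than the one podman was configured with; and the host kernel is 4.14, so any rule naming a syscall the kernel or libseccomp 2.5.1 does not know is a second thing to check once action conflicts are ruled out.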