Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1575027 - Cannot start exited container if disabled : false for oci-register-machine
Summary: Cannot start exited container if disabled : false for oci-register-machine
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: podman
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Brent Baude
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-04 14:57 UTC by aalba6675
Modified: 2018-07-03 14:11 UTC (History)
3 users (show)

Fixed In Version: podman-0.6.4-1.gitd5beb2f.fc28 podman-0.6.4-1.gitd5beb2f.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-28 14:08:43 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description aalba6675 2018-05-04 14:57:01 UTC
Description of problem:
podman cannot start an exited container if oci-register-machine is enabled

Version-Release number of selected component (if applicable):
podman-0.4.1-1.gitb51d327.fc28.x86_64

How reproducible:

Always
Steps to Reproduce:
0. cat /etc/oci-register-machine.conf 
# Disable oci-register-machine by setting the disabled field to true
disabled : false
1. podman run --detach --name alice_gold --entrypoint /sbin/init fedora:28
2. podman stop alice_gold
3. podman start alice_gold

Actual results:
unable to start container "e8686e0e54f1": container create failed: container_linux.go:348: st
arting container process caused "process_linux.go:402: container init caused \"process_linux.
go:385: running prestart hook 0 caused \\\"error running hook: exit status 1, stdout: , stder
r: \\\"\""           
: internal libpod error

Expected results:
container starts successfully

Additional info:
Set disable: true and it works

ausearch -m avc --start recent
----
time->Fri May  4 22:49:10 2018
type=AVC msg=audit(1525445350.985:629): avc:  denied  { syslog_read } for  pid=8930 comm="dmesg" scontext=system_u:system_r:container_t:s0:c282,c976 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
----
time->Fri May  4 22:49:10 2018
type=AVC msg=audit(1525445350.985:630): avc:  denied  { syslog_read } for  pid=8930 comm="dmesg" scontext=system_u:system_r:container_t:s0:c282,c976 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

# audit2allow -al


#============= container_t ==============
allow container_t kernel_t:system syslog_read;

#============= systemd_machined_t ==============
allow systemd_machined_t systemd_unit_file_t:service stop;

Comment 1 Daniel Walsh 2018-05-04 17:56:53 UTC
Any information in the journal?

Comment 2 aalba6675 2018-05-05 02:59:37 UTC
Enable register machine - encountered a different problem. Some podman actions kill the whole desktop session

1. Run container: podman run --name alice_gold --entrypoint /sbin/init fedora:28
2. Stop gracefully: podman stop alice_gold

3. Now start again

podman start alice_gold
or even
podman rm alice_gold

Wow - this can actually kill the whole Wayland desktop; in fact some random podman actions like podman rm kill the whole session. It's like something is confused between the real desktop user session and the podman session.

This killed Wayland and sent me back to gdm. In a root console session, this can happen to and dump me back to the login prompt.

These session deaths don't happen if register machine is off


May 05 10:48:59 localhost.localdomain oci-register-machine[11004]: 2018/05/05 10:48:59 Register machine: poststop 330018251ce5deafe9480f2d17885a4636c>
May 05 10:48:59 localhost.localdomain systemd[1]: Stopping User Manager for UID 1050...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem service - GNOME Online Accounts monitor...
May 05 10:48:59 localhost.localdomain systemd[3258]: dbus.service: Failed to kill control group /user.slice/user-1050.slice/user/dbus.se>
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping D-Bus User Message Bus...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem service - digital camera monitor...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Tracker metadata database store and lookup manager...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopped target Default.
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Evolution address book service...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem metadata service...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping sandboxed app permission store...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Sound Service...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem service - Media Transfer Protocol monitor...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem service...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Evolution source registry...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem service - Apple File Conduit monitor...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Virtual filesystem service - disk device monitor...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Accessibility services bus...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopping Evolution calendar service...
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopped Virtual filesystem metadata service.
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopped Virtual filesystem service - GNOME Online Accounts monitor.
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopped Virtual filesystem service - Media Transfer Protocol monitor.
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopped sandboxed app permission store.
May 05 10:48:59 localhost.localdomain systemd[3258]: Stopped Virtual filesystem service - digital camera monitor.
May 05 10:48:59 localhost.localdomain gnome-session[3287]: gnome-session-binary[3287]: WARNING: Lost name on bus: org.gnome.SessionManager
May 05 10:48:59 localhost.localdomain gnome-session-binary[3287]: WARNING: Lost name on bus: org.gnome.SessionManager

Comment 3 aalba6675 2018-05-05 03:01:46 UTC
oci-register-machine 

disable: false 

seems to be badly broken :(

Comment 4 Daniel Walsh 2018-05-06 10:50:38 UTC
Yes I saw the same thing.  A couple of problems I am seeing.  

The failure of the runing of oci-register-machine the second time is caused because for some reason, when you do a podman stop, it looks like runc is not calling the poststop branch of oci-register-machine to remove the enter in machinectl.  Then when you run podman start, oci-register-machine tries to register the container a second time, and fails to realize it is already registered.

If you then run the machine in permissive mode after the failure, runc does call the post install script.  This reveals a second problem in oci-register-machine's running, it is not running inside the containers cgroup, it is running in the users cgroup, and systemd tries to kill all processes in the users cgroup when it calls poststop.

For now we need to keep oci-register-machine disabled when running podman.  This is pretty broken, and oci-register-machine does not add much value at this time.

Comment 5 Fedora Update System 2018-06-22 21:19:15 UTC
podman-0.6.4-1.gitd5beb2f.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5142d70592

Comment 6 Fedora Update System 2018-06-22 21:19:33 UTC
podman-0.6.4-1.gitd5beb2f.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2b96ea9fec

Comment 7 Fedora Update System 2018-06-23 18:55:55 UTC
podman-0.6.4-1.gitd5beb2f.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5142d70592

Comment 8 Fedora Update System 2018-06-23 21:21:47 UTC
podman-0.6.4-1.gitd5beb2f.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2b96ea9fec

Comment 9 Fedora Update System 2018-06-28 14:08:43 UTC
podman-0.6.4-1.gitd5beb2f.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2018-07-03 14:11:04 UTC
podman-0.6.4-1.gitd5beb2f.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.