[pkg-go] Bug#1011066: podman fails to run with runc due to a seccomp error

Francois Gouget fgouget at free.fr
Mon May 16 14:38:12 BST 2022


Package: podman
Version: 3.0.1+dfsg1-3+deb11u1
Severity: normal

Dear Maintainer,

In Debian 11 podman depends on either crun or runc. However installing
it with runc (which docker also depends on), results in an unusable
configuration:

# podman run --rm -it debian:latest
Error: container_linux.go:367: starting container process caused: error adding seccomp filter rule for syscall bdflush: permission denied: OCI permission denied

This error prevents 'podman run' from working, both when started from a
regular account and when started as root.

A fix is to install crun (and optionally uninstall runc).
So either podman should be made to work with runc, or it should not
accept runc as an alternative to crun.


-- System Information:
Debian Release: 11.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-10-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_US
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages podman depends on:
ii  conmon                           2.0.25+ds1-1.1
ii  containernetworking-plugins      0.9.0-1+b6
ii  golang-github-containers-common  0.33.4+ds1-1+deb11u1
ii  init-system-helpers              1.60
ii  iptables                         1.8.7-1
ii  libc6                            2.31-13+deb11u3
ii  libdevmapper1.02.1               2:1.02.175-2.1
ii  libgpgme11                       1.14.0-1+b2
ii  libseccomp2                      2.5.1-1+deb11u1
ii  runc                             1.0.0~rc93+ds1-5+b2

Versions of packages podman recommends:
ii  buildah                                           1.19.6+dfsg1-1+b6
ii  fuse-overlayfs                                    1.4.0-1
ii  golang-github-containernetworking-plugin-dnsname  1.1.1+ds1-4+b7
ii  slirp4netns                                       1.0.1-2
ii  tini                                              0.19.0-1
ii  uidmap                                            1:4.8.1-1

Versions of packages podman suggests:
pn  containers-storage  <none>
pn  docker-compose      <none>

-- Configuration Files:
/etc/cni/net.d/87-podman-ptp.conflist [Errno 13] Permission non accordée: '/etc/cni/net.d/87-podman-ptp.conflist'

-- no debconf information

