0

我们正在尝试使用 podman 在 RHEL8 下以非 root 用户身份从 ubi8-init Image 运行容器。我们通过添加内核参数和检查版本来全局启用 cgroups 2:

cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1

$ podman -v
podman version 2.0.5

$ podman info --debug
host:
  arch: amd64
  buildahVersion: 1.15.1
  cgroupVersion: v2

设置了 Subuid 和 subguid:

bob:100000:65536

由于权限问题,丑陋的解决方法:

Failed to create /user.slice/user-992.slice/session-371.scope/init.scope control group: Permission denied

$ chown -R 992 /sys/fs/cgroup/user.slice/user-992.slice/session-371.scope

现在我们可以运行容器并通过 exec /bin/bash 跳转到它。问题是,如果我们想使用 podman cp 将某些内容复制到容器中,则会出现以下错误:

opening file `/sys/fs/cgroup/cgroup.freeze` for writing: Permission denied

没有 chown 解决方法的命令的示例输出:

# Trying with --cgroup-manager=systemd
$ podman run --name=ubi-init-test --cgroup-manager=systemd -it --rm --systemd=true ubi8-init
Error: writing file `/sys/fs/cgroup/user.slice/user-992.slice/user@992.service/cgroup.subtree_control`: No such file or directory: OCI runtime command not found error


# Trying with --cgroup-manager=cgroupfs
$ podman run --name=ubi-init-test --cgroup-manager=cgroupfs -it --rm --systemd=true ubi8-init
systemd 239 (239-41.el8_3) running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Red Hat Enterprise Linux 8.3 (Ootpa)!

Set hostname to <b64ed4493a24>.
Initializing machine ID from random generator.
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Failed to create /init.scope control group: Permission denied
Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object, freezing.
Freezing execution.

一定是有什么完全错误的、配置错误的或有问题的。有没有人这样做或对我们遇到的问题有任何建议?

4

1 回答 1

1

试图解决类似的问题。我setsebool -P container_manage_cgroup true在为 cgroups v2 添加内核参数的基础上做了。但这没有帮助。然后我发现了这条评论https://bbs.archlinux.org/viewtopic.php?pid=1895705#p1895705并进一步移动--cgroup-manager=cgroupfs(使用podman unshare然后取消设置DBUS_SESSION_BUS_ADDRESS):

$ echo $DBUS_SESSION_BUS_ADDRESS
unix:path=/run/user/1000/bus
$ podman unshare
$ export DBUS_SESSION_BUS_ADDRESS=
$ podman run --name=ubi-init-test --cgroup-manager=cgroupfs -it --rm --systemd=true ubi8-init
systemd 239 (239-41.el8_3.1) running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy)
Detected virtualization container-other.
Detected architecture x86-64.

Welcome to Red Hat Enterprise Linux 8.3 (Ootpa)!

Set hostname to <3caae9f73645>.
Initializing machine ID from random generator.
Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Couldn't move remaining userspace processes, ignoring: Input/output error
[  OK  ] Reached target Local File Systems.
[  OK  ] Listening on Journal Socket.
[  OK  ] Reached target Network is Online.
[  OK  ] Started Dispatch Password Requests to Console Directory Watch.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Reached target Slices.
         Starting Rebuild Journal Catalog...
[  OK  ] Started Forward Password Requests to Wall Directory Watch.
[  OK  ] Reached target Paths.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[  OK  ] Reached target Swap.
[  OK  ] Listening on Process Core Dump Socket.
[  OK  ] Listening on Journal Socket (/dev/log).
         Starting Journal Service...
         Starting Rebuild Dynamic Linker Cache...
         Starting Create System Users...
[  OK  ] Started Rebuild Journal Catalog.
[  OK  ] Started Create System Users.
[  OK  ] Started Rebuild Dynamic Linker Cache.
         Starting Update is Completed...
[  OK  ] Started Update is Completed.
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Started Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[  OK  ] Started Create Volatile Files and Directories.
         Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Reached target System Initialization.
[  OK  ] Started dnf makecache --timer.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Started Daily Cleanup of Temporary Directories.
[  OK  ] Reached target Timers.
[  OK  ] Reached target Basic System.
         Starting Permit User Sessions...
[  OK  ] Started D-Bus System Message Bus.
[  OK  ] Started Permit User Sessions.
[  OK  ] Reached target Multi-User System.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
于 2020-12-30T16:23:36.357 回答