author    Daniel J Walsh <dwalsh@redhat.com>  2020-05-12 14:39:30 -0400
committer Daniel J Walsh <dwalsh@redhat.com>  2020-05-19 15:34:45 -0400
commit    e0a0d2fb0740d8695b423c22194edc6ef861b8ae (patch)
tree      8bdc16e2d4e78bf3284c313c4f2fe7d5628e1c72
parent    0f8ad039235137d086b9fea33bb74b362e625cdd (diff)
download  podman-e0a0d2fb0740d8695b423c22194edc6ef861b8ae.tar.gz
          podman-e0a0d2fb0740d8695b423c22194edc6ef861b8ae.tar.bz2
          podman-e0a0d2fb0740d8695b423c22194edc6ef861b8ae.zip
Update troubleshoot page

Add information about podman with SELinux and using container_init_t. Add information about CentOS 7 as well as RHEL 7 init containers not working on a cgroups V2 system.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r--  troubleshooting.md  34
1 files changed, 25 insertions, 9 deletions
diff --git a/troubleshooting.md b/troubleshooting.md
index f04d9e9fa..167ee14c3 100644
--- a/troubleshooting.md
+++ b/troubleshooting.md
@@ -219,8 +219,15 @@ the system.
#### Solution
-SELinux provides a boolean `container_manage_cgroup`, which allows container
-processes to write to the cgroup file system. Turn on this boolean, on SELinux separated systems, to allow systemd to run properly in the container.
+Newer versions of Podman (2.0 or greater) support running init based containers
+with a different SELinux labels, which allow the container process access to the
+cgroup file system. This feature requires container-selinux-2.132 or newer
+versions.
+
+Prior to Podman 2.0, the SELinux boolean `container_manage_cgroup` allows
+container processes to write to the cgroup file system. Turn on this boolean,
+on SELinux separated systems, to allow systemd to run properly in the container.
+Only do this on systems running older versions of Podman.
`setsebool -P container_manage_cgroup true`
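Review bot: The added paragraph says Podman 2.0+ runs init containers "with a different SELinux labels" (should be "a different SELinux label") but never says which label that is; the commit message names container_init_t, so name it in the text and tell the reader how to confirm a container is actually running under it (for example by inspecting the process label with `ps -eZ`), since otherwise they cannot tell whether they still need the boolean. Also consider stating explicitly that `container_manage_cgroup` widens what every container process may write, which is why the text tells users to set it only on older Podman versions.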
@@ -240,7 +247,7 @@ cannot find newuidmap: exec: "newuidmap": executable file not found in $PATH
#### Solution
-Install a version of shadow-utils that includes these executables. Note RHEL7 and Centos 7 will not have support for this until RHEL7.7 is released.
+Install a version of shadow-utils that includes these executables. Note RHEL 7 and CentOS 7 will not have support for this until RHEL7.7 is released.
### 11) rootless setup user: invalid argument
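Review bot: The rewritten sentence now spells "RHEL 7" with a space but keeps "RHEL7.7" without one in the same sentence; make the two forms consistent.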
@@ -424,9 +431,10 @@ Choose one of the following:
* Install the fuse-overlayfs package for your Linux Distribution.
* Add `mount_program = "/usr/bin/fuse-overlayfs"` under `[storage.options]` in your `~/.config/containers/storage.conf` file.
-### 17) rhel7-init based images don't work with cgroups v2
+### 17) RHEL 7 and CentOS 7 based `init` images don't work with cgroup v2
-The systemd version shipped in rhel7-init doesn't have support for cgroups v2. You'll need at least systemd 230.
+The systemd version shipped in RHEL 7 and CentOS 7 doesn't have support for cgroup v2. Support for cgroup V2 requires version 230 of systemd or newer, which
+was never shipped or supported on RHEL 7 or CentOS 7.
#### Symptom
```console
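Review bot: The new description mixes "cgroup v2" and "cgroup V2" in consecutive sentences while the heading above uses lower-case "v2"; use one spelling throughout. The two sentences also repeat each other ("doesn't have support for cgroup v2" followed by "Support for cgroup V2 requires..."); a single sentence such as "cgroup v2 requires systemd 230 or newer, which was never shipped or supported on RHEL 7 or CentOS 7" would say the same thing more clearly.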
@@ -440,7 +448,15 @@ Error: non zero exit code: 1: OCI runtime error
#### Solution
You'll need to either:
-* configure the host to use cgroups v1
+* configure the host to use cgroup v1
+
+```
+On Fedora you can do:
+# dnf install -y grubby
+# grubby --update-kernel=ALL --args=”systemd.unified_cgroup_hierarchy=0"
+# reboot
+```
+
* update the image to use an updated version of systemd.
### 18) rootless containers exit once the user session exits
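Review bot: The `grubby --update-kernel=ALL --args=”systemd.unified_cgroup_hierarchy=0"` line in the added block opens with a curly quote (”) and closes with a straight one ("), so anyone copying it will pass a literal ” character to grubby and end up with a malformed kernel argument; use ASCII double quotes on both ends. The block also has no ```console tag, unlike the other code blocks in this file, places the prose line "On Fedora you can do:" inside the fence, and is inserted between two bullets, which splits the list; move the prose outside the fence and indent the block under the "configure the host to use cgroup v1" bullet so the list renders as one.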
@@ -483,7 +499,7 @@ Unable to pull images
```console
$ podman unshare cat /proc/self/uid_map
- 0 1000 1
+ 0 1000 1
```
#### Solution
@@ -496,8 +512,8 @@ Original command now returns
```
$ podman unshare cat /proc/self/uid_map
- 0 1000 1
- 1 100000 65536
+ 0 1000 1
+ 1 100000 65536
```
Reference [subuid](http://man7.org/linux/man-pages/man5/subuid.5.html) and [subgid](http://man7.org/linux/man-pages/man5/subgid.5.html) man pages for more detail.