-rw-r--r-- | libpod/container.go | 2 | ||||
-rw-r--r-- | libpod/container_internal_linux.go | 21 | ||||
-rw-r--r-- | troubleshooting.md | 15 |
3 files changed, 33 insertions, 5 deletions
diff --git a/libpod/container.go b/libpod/container.go
index 4f7fc067e..d978e4e38 100644
--- a/libpod/container.go
+++ b/libpod/container.go
@@ -1146,7 +1146,7 @@ func (c *Container) NetworkDisabled() (bool, error) {
 if err != nil {
 return false, err
 }
- return networkDisabled(container)
+ return container.NetworkDisabled()
 }
 return networkDisabled(c)
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 586de0776..1b0570998 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -1016,9 +1016,24 @@ func (c *Container) makeBindMounts() error {
 // We want /etc/resolv.conf and /etc/hosts from the
 // other container. Unless we're not creating both of
 // them.
- depCtr, err := c.runtime.state.Container(c.config.NetNsCtr)
- if err != nil {
- return errors.Wrapf(err, "error fetching dependency %s of container %s", c.config.NetNsCtr, c.ID())
+ var (
+ depCtr *Container
+ nextCtr string
+ )
+
+ // I don't like infinite loops, but I don't think there's
+ // a serious risk of looping dependencies - too many
+ // protections against that elsewhere.
+ nextCtr = c.config.NetNsCtr
+ for {
+ depCtr, err = c.runtime.state.Container(nextCtr)
+ if err != nil {
+ return errors.Wrapf(err, "error fetching dependency %s of container %s", c.config.NetNsCtr, c.ID())
+ }
+ nextCtr = depCtr.config.NetNsCtr
+ if nextCtr == "" {
+ break
+ }
 }
 // We need that container's bind mounts
diff --git a/troubleshooting.md b/troubleshooting.md
index c4e577645..9def0e08b 100644
--- a/troubleshooting.md
+++ b/troubleshooting.md
@@ -413,7 +413,6 @@ You'll need to either:
 ### 17) rootless containers exit once the user session exits
- You need to set lingering mode through loginctl to prevent user processes to be killed once the user session completed. 
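Review bot: The new `return container.NetworkDisabled()` turns this method into unbounded recursion: the dependency's NetworkDisabled performs the same NetNsCtr lookup, so a chain that loops back on itself (a self-referencing or hand-edited state record) overflows the stack instead of returning an error, whereas the replaced `networkDisabled(container)` stopped after one hop. Nothing in the hunk limits the depth, and the "protections elsewhere" that the same commit relies on in container_internal_linux.go are not visible here, so the cycle scenario is inferred rather than demonstrated. I would move the body into a depth-bounded private helper and have NetworkDisabled call `return c.networkDisabledDepth(0)`, with a small package-level `const maxNetNsDepth = 32` documenting the bound. NetworkDisabled's opening lines (the NetNsCtr check and state lookup) and its closing brace lie outside the hunk.
```go
// networkDisabledDepth is NetworkDisabled with a bound on how many NetNsCtr
// links it follows, so a cyclic or self-referencing chain fails instead of
// recursing until the stack overflows.
func (c *Container) networkDisabledDepth(depth int) (bool, error) {
	if depth > maxNetNsDepth {
		return false, errors.Errorf("network namespace dependency chain of container %s exceeds %d links", c.ID(), maxNetNsDepth)
	}
	// … unchanged: NetNsCtr check and state lookup from NetworkDisabled …
	if err != nil {
		return false, err
	}
	return container.networkDisabledDepth(depth + 1)
	// … unchanged: fallthrough to networkDisabled(c) …
}
```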
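Review bot: The `for {` walk over NetNsCtr at the end of this hunk has no cycle guard, and the comment added just above it admits as much; a chain that revisits a container (a self-reference or a corrupted state entry, since the "protections elsewhere" are not visible here) makes makeBindMounts spin forever instead of failing, which is a denial of service against the runtime rather than a crash. A second, smaller defect: the `errors.Wrapf` inside the loop reports `c.config.NetNsCtr`, the first link, so a lookup that fails deeper in the chain names the wrong container — it should pass `nextCtr`. Tracking visited IDs in a small set and returning an error on a repeat fixes both, as below; the assignment `depCtr, err = ...` also relies on an `err` declared earlier in makeBindMounts, which I cannot see. makeBindMounts begins and ends outside the hunk.
```go
	nextCtr = c.config.NetNsCtr
	// Guard the walk: a NetNsCtr chain that revisits a container (a corrupted
	// or hand-edited state, or a self-reference) must fail, not spin forever.
	seen := make(map[string]struct{})
	for {
		if _, dup := seen[nextCtr]; dup {
			return errors.Errorf("network namespace dependency cycle at container %s while setting up container %s", nextCtr, c.ID())
		}
		seen[nextCtr] = struct{}{}
		depCtr, err = c.runtime.state.Container(nextCtr)
		if err != nil {
			return errors.Wrapf(err, "error fetching dependency %s of container %s", nextCtr, c.ID())
		}
		nextCtr = depCtr.config.NetNsCtr
		if nextCtr == "" {
			break
		}
	}
```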
@@ -429,3 +428,17 @@ You'll need to either:
 or as root if your user has not enough privileges.
 * sudo loginctl enable-linger $UID
+
+### 18) `podman run` fails with "bpf create: permission denied error"
+
+The Kernel Lockdown patches deny eBPF programs when Secure Boot is enabled in the BIOS. [Matthew Garrett's post](https://mjg59.dreamwidth.org/50577.html) desribes the relationship between Lockdown and Secure Boot and [Jan-Philip Gehrcke's](https://gehrcke.de/2019/09/running-an-ebpf-program-may-require-lifting-the-kernel-lockdown/) connects this with eBPF. [RH bug 1768125](https://bugzilla.redhat.com/show_bug.cgi?id=1768125) contains some additional details.
+
+#### Symptom
+
+Attempts to run podman result in
+
+```Error: bpf create : Operation not permitted: OCI runtime permission denied error```
+
+#### Solution
+
+One workaround is to disable Secure Boot in your BIOS. |