Why can podman not change memory protections when running containers?
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- podman
Issue
- Trying to run podman ends up with the below error
# podman run -itd --name test registry.access.redhat.com/ubi8:latest
error while loading shared libraries: librt.so.1: cannot change memory protections
Resolution
- Whenever the graphRoot of a rootless user is changed to a different path, the SELinux labels for the new location must also be changed appropriately.
- To find the graphRoot for a user, run
podman info | grep graphRoot
- The following commands need to be run to change the labels,
# semanage fcontext -a -e /var/lib/containers <graphRoot_path>
# restorecon -R -v <graphRoot_path>
- The default SELinux label for /var/lib/containers is container_var_lib_t
# ls -laZd /var/lib/containers/
drwxr-xr-x. 5 root root system_u:object_r:container_var_lib_t:s0 50 Aug 21 12:32 /var/lib/containers/
- The semanage command above labels everything under the graphRoot the same way /var/lib/containers is labeled.
- An alternate way to label the graphRoot directory is to run the below commands,
# semanage fcontext -a -t container_var_lib_t 'graphRootDirectory(/.*)?'
# restorecon -Rv graphRootDirectory
where the value of graphRootDirectory can be found by running $ podman info | grep graphRoot
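As an added example (not part of the Red Hat solution), a small POSIX shell script that extracts the graphRoot from `podman info` output, reads the SELinux type of that directory, and prints the relabel commands from the Resolution section when the type is not container_var_lib_t. The `podman info` output, the /data/containers/storage path and the two security contexts are constructed sample data so the logic runs on a host without SELinux; on a real host the context would be read with `stat -c %C`.

```sh
#!/bin/sh
# Added example, not from the Red Hat article: check whether a (rootless)
# podman graphRoot carries the expected container_var_lib_t SELinux type
# and, if not, print the relabel commands from the Resolution section.

EXPECTED_TYPE="container_var_lib_t"

# Print the SELinux type (third field of user:role:type:level) for a path.
# A context string may be passed as $2 instead of reading it with `stat`,
# so the logic can be exercised on a host without SELinux.
selinux_type_of() {
    ctx="${2:-$(stat -c %C "$1" 2>/dev/null)}"
    printf '%s\n' "$ctx" | cut -d: -f3
}

# Extract the graphRoot path from `podman info` output read on stdin, e.g.
#   graphRoot: /home/user/.local/share/containers/storage
graphroot_from_info() {
    sed -n 's/^[[:space:]]*graphRoot:[[:space:]]*//p' | head -n 1
}

# Returns 0 when the graphRoot is labeled correctly, 1 (with the fix
# commands printed) when it is not.
check_graphroot_label() {
    graphroot="$1"
    t=$(selinux_type_of "$graphroot" "$2")
    if [ "$t" = "$EXPECTED_TYPE" ]; then
        echo "OK: $graphroot is labeled $t"
        return 0
    fi
    echo "MISMATCH: $graphroot is labeled '${t:-<none>}', expected $EXPECTED_TYPE"
    echo "Fix as root (equivalence to /var/lib/containers, then relabel):"
    echo "  semanage fcontext -a -e /var/lib/containers '$graphroot'"
    echo "  restorecon -R -v '$graphroot'"
    return 1
}

# Constructed sample data: `podman info` output for a user whose graphRoot
# was moved to /data/containers/storage (an illustrative path, not a real
# host), and the context that path carries before and after relabeling.
SAMPLE_INFO='store:
  graphDriverName: overlay
  graphRoot: /data/containers/storage'
BAD_CTX='unconfined_u:object_r:default_t:s0'
GOOD_CTX='unconfined_u:object_r:container_var_lib_t:s0'

main() {
    gr=$(printf '%s\n' "$SAMPLE_INFO" | graphroot_from_info)
    check_graphroot_label "$gr" "$BAD_CTX" || true   # prints the fix commands
    check_graphroot_label "$gr" "$GOOD_CTX"          # prints OK
}
main
```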
Root Cause
- The labels of the graphRoot are not set appropriately when the graphRoot is changed.
Diagnostic Steps
- Running any container fails with the error below,
# podman run registry.access.redhat.com/ubi8/ubi
error while loading shared libraries: librt.so.1: cannot change memory protections
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.