17 Known Issues
Ensure you read the known issues using Podman and related utilities.
Quadlets Fail For An Unprivileged User
Quadlets fail to run on Oracle Linux 8 without root permissions. While trying to start a Quadlet service, you might see the following error message:
Error: mkdir /sys/fs/cgroup/blkio/user.slice/runtime: permission denied
Or, if you're using crun
as the runtime, you might see the following error message:
Error: OCI runtime error: crun: the requested cgroup controller `pids` is not available"
Because of this problem, Podman Shell isn't available for Oracle Linux 8.
(Bug 36076771)
Podman Build Command Fails With "Operation Not Permitted" When Unprivileged Users Try to Establish Volumes
Oracle Linux 8 hosts running UEK 6 Update 3 or the Red Hat Compatible Kernel (RHCK) can't mount or umount volumes on rootless Podman containers. Typically, trying to do so causes this error message:
...
error running container: from /usr/bin/runc creating container for [/bin/sh -c touch /tmp/myfile1]:
time="2024-02-06T00:22:07Z" level=warning msg="unable to get oom kill count" error="no directory
specified for memory.oom_control" time="2024-02-06T00:22:07Z" level=error msg="runc create failed:
unable to start container process: error during container init: error mounting
\"/home/podman_user/.local/share/containers/storage/overlay-containers/2f80607e49897c5a2a8020bfbc520ddf2ee48157722fe2e207b3491ada5df0c9/userdata/overlay/1738053957/merge\"
to rootfs at \"/data\":
mount /home/podman_user/.local/share/containers/storage/overlay-containers/2f80607e49897c5a2a8020bfbc520ddf2ee48157722fe2e207b3491ada5df0c9/userdata/overlay/1738053957/merge:
/data (via /proc/self/fd/7),
data: lowerdir=/home/podman_user/.local/share/containers/storage/overlay/fe866d78514c04dd5df86d3ff2fff3288c675a52874f114c36f7d94aa1666bd6/merged/data,
upperdir=/home/podman_user/.local/share/containers/storage/overlay-containers/2f80607e49897c5a2a8020bfbc520ddf2ee48157722fe2e207b3491ada5df0c9/userdata/overlay/1738053957/upper,
workdir=/home/podman_user/.local/share/containers/storage/overlay-containers/2f80607e49897c5a2a8020bfbc520ddf2ee48157722fe2e207b3491ada5df0c9/userdata/overlay/1738053957/work,
userxattr,context=\"system_u:object_r:container_file_t:s0:c10,c760\": operation not permitted"
...
If that functionality is required, upgrade the Oracle Linux 8 host to boot from the UEK7. For more information, see the Unbreakable Enterprise Kernel documentation.
(Bug 36250501)
Container Storage is Not Accessible to an Unprivileged User
Container storage might fail to mount for an unprivileged user in some Oracle Linux 8 environments. Typically this displays in the following way:
$ podman run --name c_uidmap --uidmap 0:10000:10000
localhost:5555/os/oraclelinux:7 true
Error: error creating container storage: error creating an ID-mapped copy of
layer "a8c980a5275b9ef8dc35f68daacc8fc82e463cd25adeb84ccda98b58ce84f122":
exit status 1: error during chown: error mapping container ID pair
idtools.IDPair{UID:10000, GID:10000} for
"usr/lib64/python2.7/SimpleXMLRPCServer.pyo" to host: Container ID 10000
cannot be mapped to a host ID
The issue can be resolved by updating the container mount options to include the index=off
parameter. Edit /etc/containers/storage.conf
to make this change, for example:
mountopt = "nodev,metacopy=on,index=off"
(Bug 34161379)
X509 Certificate Relies on Legacy Common Name Field
With the release of Podman version 3.0, included with Oracle Linux 8.4, Podman commands that require TLS verification for certificates that don't include a proper Subject Alternative Name (SAN) return the following error:
x509: certificate relies on legacy Common Name field, use SANs or
temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
This issue is the result of a newer version of the Go compiler used to build Podman. The issue occurs when working with local or private image registries that use self-signed certificates.
You can either update certificates to use a proper SAN or set the GODEBUG environment variable x509ignoreCN=0
in the environment where you intend to run Podman. For example add the following line to $HOME/.bashrc
file to continue using self-signed certificates where a SAN isn't set:
export GODEBUG=x509ignoreCN=0
(Bug 32821677)
Executing Podman Attach --latest Causes Panic if No Containers Are Available
If you run the podman attach --latest
command and no containers exist in an environment, a runtime error similar to the following occurs:
sudo podman attach --latest
panic: runtime error: index out of range
...
Note that this error no longer occurs as soon as containers exist in the environment. Running the command when no containers exist is meaningless.
(Bug 29882537)
Requirements for Using the Default Podman Detach Key Sequence
On Oracle Linux 8 hosts, the default key sequence that you use to detach a container (CTRL+P
, CTRL+Q
) requires a console that can handle detachment (pseudo-tty
), and an input channel for passing control signals (stdin
). Otherwise, you can't create a container, attach it with the podman attach -l
command, and then quit, or detach the container by using the default key sequence, as documented in the podman-attach(1)
manual page.
To ensure that you can use the default CTRL+P
, CTRL+Q
key sequence to detach a container, use either of the following methods to create a container. In both cases ensure that you use the -t
option so that a pseudo-tty
is created:
-
Create a container in the background:
sudo podman run --rm -dt container-registry.oracle.com/os/oraclelinux:8-slim top -b
You can then use the
podman attach -l
command to attach the container and theCTRL+P
,CTRL+Q
key sequence to detach the container. -
Create a container interactively:
sudo podman run --rm -it container-registry.oracle.com/os/oraclelinux:8-slim top -b
The interactive method creates the container and automatically attaches it. You can then use the
CTRL+P
,CTRL+Q
key sequence to detach the container.For more information, see the
podman(1)
andpodman-attach(1)
manual pages.
(Bug 29882852)
Authentication Error Occurs Pulling an Image Using an Incorrect Name
If you try to pull an image by running the podman pull image-name
command, but you don't specify the correct or full name of the image, an authentication error occurs.
For example, the following error is displayed because oracle:ol8-slim
was specified as the name of the image instead of oraclelinux:ol8-slim
, which is the correct name for the image:
podman pull oracle:ol8-slim
Displays output similar to:
Trying to pull registry.redhat.io/oracle:latest...Failed
Trying to pull quay.io/oracle:latest...Failed
Trying to pull docker.io/oracle:latest...Failed
error pulling image "oracle:ol8-slim": unable to pull oracle:ol8-slim: 3 errors
occurred:
* Error determining manifest MIME type for
docker://registry.redhat.io/oracle:ol8-slim: unable to retrieve auth token:
invalid username/password
* Error determining manifest MIME type for docker://quay.io/oracle:ol8-slim:
Error reading manifest latest in quay.io/oracle: error parsing HTTP 404
response body: invalid character '<' looking for beginning of value:
"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>404 Not
Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on the
server. If you entered the URL manually please check your spelling and try
again.</p>\n"
* Error determining manifest MIME type for docker://oracle:ol8-slim: Error
reading manifest latest in docker.io/library/oracle: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
To prevent this error from occurring, always specify the correct image name with the podman pull
command.
(Bug 29894231)
The Latest Tag Is Missing From the oraclelinux Image on Docker Hub
Trying to search for or pull the oraclelinux
image from Docker Hub fail with a manifest unknown error because the latest
tag doesn't exist:
podman pull docker://docker.io/library/oraclelinux:latest
Trying to pull repository docker.io/library/oraclelinux ...
manifest for oraclelinux:latest not found: manifest unknown: manifest unknown
manifest for oraclelinux:latest not found: manifest unknown: manifest unknown
This issue also affects the Skopeo utility, which expects the latest
tag to be present by default:
skopeo inspect docker://docker.io/library/oraclelinux
FATA[0001] Error parsing image name "docker://docker.io/library/oraclelinux":
Error reading manifest latest in docker.io/library/oraclelinux:
manifest unknown: manifest unknown
The latest
tag was removed from the Oracle Linux official images in June 2020 to reduce customer confusion. Downstream images using oraclelinux:latest
or no tag should be updated to oraclelinux:8
for future builds. Note that we recommend using the -slim
variants for the smallest possible image size.
For more information, see Oracle Linux Container Image Tagging Conventions.
(Bug 31524440)
Podman Pod Create Fails on Oracle Linux 9 For An Unprivileged User With IMA Enabled
On systems, such as Oracle Linux 9, where Integrity Measurement Architecture (IMA) is enabled and enforcing, running podman pod create
as an unprivileged user can fail with an error similar to:
...
RemoveOptions:copier.RemoveOptions{All:false}}: copier: put: error setting
extended attributes on "/catatonit": error setting value of extended
attribute "security.ima" on "/catatonit": operation not permitted
This issue occurs when the rpm-plugin-ima
package is installed before the podman
or podman-catatonit
packages. In the case where the rpm-plugin-ima
package is installed the catatonit
binary, used by Podman to provide init services to containers, is an IMA signed file and unprivileged users don't have permissions to set security extended attributes (xattrs) on the file system.
To work around the issue, uninstall rpm-plugin-ima
and reinstall the podman
package. Note that on fresh installations of Oracle Linux 9.2 and later, the rpm-plugin-ima
package isn't installed by default and the issue is unlikely to appear. Also, from Podman version 4.4 onwards, the catatonit
binary is included in the podman
package and you don't need to install the podman-catatonit
package.
(Bug 34578553)
Executing Podman Attach --latest Causes Panic if No Containers Are Available
If you run the podman attach --latest
command and no containers exist in an environment, a runtime error similar to the following occurs:
sudo podman attach --latest
panic: runtime error: index out of range
...
Note that this error no longer occurs as soon as containers exist in the environment. Running the command when no containers exist is meaningless.
(Bug 29882537)