11 Known Issues
This chapter describes known issues in the current release of Podman.
Quadlets Fail on Oracle Linux 8 For An Unprivileged User
Quadlets fail to run on Oracle Linux 8 without root permissions. While trying to start a Quadlet service, you might see the following error message:
Error: mkdir /sys/fs/cgroup/blkio/user.slice/runtime: permission denied
Or, if you're using crun
as the runtime, you might see the following error
message:
Error: OCI runtime error: crun: the requested cgroup controller `pids` is not available"
Because of this problem, Podman Shell isn't available for Oracle Linux 8.
(Bug 36076771)
Podman Build Command Fails With "Operation Not Permitted" When Unprivileged Users Try to Establish Volumes
Oracle Linux 8 hosts running UEK 6 Update 3 or the Red Hat Compatible Kernel (RHCK) can't mount or umount volumes on rootless Podman containers. Typically, trying to do so causes this error message:
...
error running container: from /usr/bin/runc creating container for [/bin/sh -c touch /tmp/myfile1]:
time="2024-02-06T00:22:07Z" level=warning msg="unable to get oom kill count" error="no directory
specified for memory.oom_control" time="2024-02-06T00:22:07Z" level=error msg="runc create failed:
unable to start container process: error during container init: error mounting
\"/home/podman_user/.local/share/containers/storage/overlay-containers/2f80607e49897c5a2a8020bfbc520ddf2ee48157722fe2e207b3491ada5df0c9/userdata/overlay/1738053957/merge\"
to rootfs at \"/data\":
mount /home/podman_user/.local/share/containers/storage/overlay-containers/2f80607e49897c5a2a8020bfbc520ddf2ee48157722fe2e207b3491ada5df0c9/userdata/overlay/1738053957/merge:
/data (via /proc/self/fd/7),
data: lowerdir=/home/podman_user/.local/share/containers/storage/overlay/fe866d78514c04dd5df86d3ff2fff3288c675a52874f114c36f7d94aa1666bd6/merged/data,
upperdir=/home/podman_user/.local/share/containers/storage/overlay-containers/2f80607e49897c5a2a8020bfbc520ddf2ee48157722fe2e207b3491ada5df0c9/userdata/overlay/1738053957/upper,
workdir=/home/podman_user/.local/share/containers/storage/overlay-containers/2f80607e49897c5a2a8020bfbc520ddf2ee48157722fe2e207b3491ada5df0c9/userdata/overlay/1738053957/work,
userxattr,context=\"system_u:object_r:container_file_t:s0:c10,c760\": operation not permitted"
...
If that functionality is required, upgrade the Oracle Linux 8 host to boot from the UEK7. For more information, see the Unbreakable Enterprise Kernel documentation.
Oracle Linux 9 hosts aren't affected by this issue.
(Bug 36250501)
Podman Pod Create Fails on Oracle Linux 9 For An Unprivileged User With IMA Enabled
On systems, such as Oracle Linux 9, where Integrity Measurement Architecture (IMA) is enabled and enforcing, running podman pod create as an unprivileged user can fail with an error similar to:
...
RemoveOptions:copier.RemoveOptions{All:false}}: copier: put: error setting
extended attributes on "/catatonit": error setting value of extended
attribute "security.ima" on "/catatonit": operation not permitted
This issue occurs when the rpm-plugin-ima
package is installed before the
podman
or podman-catatonit
packages. In the case where the rpm-plugin-ima
package is
installed the catatonit
binary, used by Podman to provide
init services to containers, is an IMA signed file and unprivileged users
don't have permissions to set security extended attributes (xattrs) on the
file system.
To work around the issue, uninstall rpm-plugin-ima
and reinstall
the podman
package. Note that on fresh installations of
Oracle Linux 9.2 and later, the rpm-plugin-ima
package
isn't installed by default and the issue is unlikely to appear. Also, from
Podman version 4.4 onwards, the catatonit
binary is
included in the podman
package and you don't need to
install the podman-catatonit
package.
(Bug 34578553)
Container Storage is Not Accessible to an Unprivileged User
Container storage might fail to mount for an unprivileged user in some environments. Typically this displays in the following way:
$ podman run --name c_uidmap --uidmap 0:10000:10000
localhost:5555/os/oraclelinux:7 true
Error: error creating container storage: error creating an ID-mapped copy of
layer "a8c980a5275b9ef8dc35f68daacc8fc82e463cd25adeb84ccda98b58ce84f122":
exit status 1: error during chown: error mapping container ID pair
idtools.IDPair{UID:10000, GID:10000} for
"usr/lib64/python2.7/SimpleXMLRPCServer.pyo" to host: Container ID 10000
cannot be mapped to a host ID
The issue can be resolved by updating the container mount options to include the
index=off
parameter. Edit
/etc/containers/storage.conf
to make this change, for example:
mountopt = "nodev,metacopy=on,index=off"
(Bug 34161379)
X509 Certificate Relies on Legacy Common Name Field
With the release of Podman version 3.0, included with Oracle Linux 8.4, Podman commands that require TLS verification for certificates that don't include a proper Subject Alternative Name (SAN) return the following error:
x509: certificate relies on legacy Common Name field, use SANs or
temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
This issue is the result of a newer version of the Go compiler used to build Podman. The issue occurs when working with local or private image registries that use self-signed certificates.
You can either update certificates to use a proper SAN or set the GODEBUG environment
variable x509ignoreCN=0
in the environment where you intend to run Podman.
For example add the following line to $HOME/.bashrc
file to continue using
using self-signed certificates where a SAN isn't set:
export GODEBUG=x509ignoreCN=0
(Bug 32821677)
Executing Podman Attach --latest Causes Panic if No Containers Are Available
If you run the podman attach --latest
command
and no containers exist in your environment, a runtime error
similar to the following occurs:
sudo podman attach --latest
panic: runtime error: index out of range
...
Note that this error no longer occurs as soon as containers exist in the environment. Running the command when no containers exist is meaningless.
(Bug 29882537)
Requirements for Using the Default Podman Detach Key Sequence
The default key sequence that
you use to detach a container (CTRL+P
, CTRL+Q
) requires a
console that can handle detachment (pseudo-tty
), and an input channel for
passing control signals (stdin
). Otherwise, you can't create a container,
attach it with the podman attach -l
command, and then quit, or detach the
container by using the default key sequence, as documented in the
podman-attach(1)
manual page.
To ensure that you can use the default CTRL+P
,
CTRL+Q
key sequence to detach a container, use
either of the following methods to create a container. In both
cases ensure that you use the -t
option so that
a pseudo-tty is created:
-
Create a container in the background:
sudo podman run --rm -dt container-registry.oracle.com/os/oraclelinux:7-slim top -b
You can then use the podman attach -l command to attach the container and the
CTRL+P
,CTRL+Q
key sequence to detach the container. -
Create a container interactively:
sudo podman run --rm -it container-registry.oracle.com/os/oraclelinux:7-slim top -b
The interactive method creates the container and automatically attaches it. You can then use the
CTRL+P
,CTRL+Q
key sequence to detach the container.For more information, see the
podman(1)
andpodman-attach(1)
manual pages.
(Bug 29882852)
Authentication Error Occurs When Attempting to Pull an Image By Specifying an Incorrect Name
If you try to pull an image by running the podman pull image-name command, but you don't specify the correct or full name of the image, an authentication error occurs.
For example, the following error is displayed because
oracle:ol7-slim
was specified as the name of
the image instead of oraclelinux:ol7-slim
,
which is the correct name for the image:
podman pull oracle:ol7-slim
Trying to pull registry.redhat.io/oracle:latest...Failed
Trying to pull quay.io/oracle:latest...Failed
Trying to pull docker.io/oracle:latest...Failed
error pulling image "oracle:ol7-slim": unable to pull oracle:ol7-slim: 3 errors
occurred:
* Error determining manifest MIME type for
docker://registry.redhat.io/oracle:ol7-slim: unable to retrieve auth token:
invalid username/password
* Error determining manifest MIME type for docker://quay.io/oracle:ol7-slim:
Error reading manifest latest in quay.io/oracle: error parsing HTTP 404
response body: invalid character '<' looking for beginning of value:
"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>404 Not
Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on the
server. If you entered the URL manually please check your spelling and try
again.</p>\n"
* Error determining manifest MIME type for docker://oracle:ol7-slim: Error
reading manifest latest in docker.io/library/oracle: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
To prevent this error from occurring, always specify the correct image name with the podman pull command.
(Bug 29894231)
The Latest Tag Is Missing From the Oraclelinux Image on Docker Hub
Attempts to search for or pull the
oraclelinux
image from Docker Hub fail with an "manifest unknown" error
because the latest
tag doesn't exist:
podman pull docker://docker.io/library/oraclelinux:latest
Trying to pull repository docker.io/library/oraclelinux ...
manifest for oraclelinux:latest not found: manifest unknown: manifest unknown
manifest for oraclelinux:latest not found: manifest unknown: manifest unknown
This issue also affects the skopeo
utility,
which expects the latest
tag to be present by
default:
skopeo inspect docker://docker.io/library/oraclelinux
FATA[0001] Error parsing image name "docker://docker.io/library/oraclelinux":
Error reading manifest latest in docker.io/library/oraclelinux:
manifest unknown: manifest unknown
The latest
tag was removed from the Oracle Linux official images in June
2020 to reduce customer confusion. Downstream images using oraclelinux:latest
or no tag should be updated to oraclelinux:7
for future builds. Note that we
recommend using the -slim
variants for the smallest possible image size.
For more information, see Oracle Linux Container Image Tagging Conventions.
(Bug 31524440)