Creating a podman container inside incus fails to start

Hello.

Maybe I am being a little ambitious.

I am trying to deploy openstack in incus containers, haven’t tried VMs yet.

My setup is ubuntu 22.04 with zfs.

# incus profile show ostack
config:
  limits.memory.swap: "false"
  linux.kernel_modules: ip_tables,ip6_tables,nf_nat,overlay,br_netfilter
  raw.lxc: "lxc.apparmor.profile=unconfined\nlxc.cap.drop= \nlxc.cgroup.devices.allow=a\nlxc.mount.auto=proc:rw
    sys:rw"
  security.nesting: "true"
  security.privileged: "true"
description: ""
~# incus config show ostack01
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Ubuntu jammy amd64 (20241201_07:42)
  image.os: Ubuntu
  image.release: jammy
  image.serial: "20241201_07:42"
  image.type: squashfs
  image.variant: default
  volatile.base_image: a178452250ef193110cee0fcb5873eb33e49b1899bdf594793ca3b4071a9abd7
  volatile.cloud-init.instance-id: b77acd64-c559-474c-9424-da5e227b50ea
  volatile.eth0.host_name: veth34daa0a1
  volatile.eth0.hwaddr: 00:16:3e:38:42:ff
  volatile.eth1.host_name: veth8d4cef95
  volatile.eth1.hwaddr: 00:16:3e:bb:16:02
  volatile.eth2.host_name: vethaec54ee7
  volatile.eth2.hwaddr: 00:16:3e:09:f7:3c
  volatile.eth3.host_name: vethea64690e
  volatile.eth3.hwaddr: 00:16:3e:78:a1:94
  volatile.eth4.host_name: mace93618db
  volatile.eth4.hwaddr: 00:16:3e:1d:e6:c6
  volatile.eth4.last_state.created: "false"
  volatile.eth4.name: eth4
  volatile.idmap.base: "0"
  volatile.idmap.current: '[]'
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.last_state.ready: "false"
  volatile.uuid: 74234dca-a809-4689-8339-d5f8356cceed
  volatile.uuid.generation: 74234dca-a809-4689-8339-d5f8356cceed
devices:
  podman:
    path: /var/lib/containers
    pool: local
    source: podman
    type: disk
ephemeral: false
profiles:
- default
- ostack
stateful: false
description: ""
root@node11:~# 

and I am getting the following errors when trying to start an openstack container (podman hello world runs fine).

Dec 1 17:29:42 ostack01 systemd[1]: Started podman kolla-kolla_toolbox-container.service.
Dec 1 17:29:42 ostack01 podman[8839]: Error: OCI runtime error: unable to start container 9199efe7d09a2b4ed92e577eac94b25b0e5ab473d2fa46f86ccf1344a6d22566: creating symlink for /dev/ptmx: File exists

Any help would be appreciated.

Some have had some success running Podman inside an Incus container, but you should stay as far away from security.privileged=true and your current raw.lxc as humanly possible.

That particular combination eliminates the vast majority of the namespacing and security in place, which can seriously confuse the nested container manager (podman). It would also make it downright trivial for anything in that container to escape to the host with full root privileges, or to cause accidental harm to the host, as we’ve seen in the past with folks trying to run microk8s using a similar configuration and having container startup kill their entire desktop session.

If you can’t get something to run with normal unprivileged containers (enabling nesting is fine), then you’re likely much better off using a full VM.
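As an added example, not code from this thread or from the Incus project: a small POSIX sh audit that reads the YAML printed by `incus profile show <name>` or `incus config show <instance>` and flags the settings the reply warns against (security.privileged=true and a raw.lxc override that unconfines AppArmor, keeps every capability, or allows all devices). The function names, the glob patterns and the two sample dumps are assumptions constructed for the example; the samples are modelled on the profile in the question but are not the poster's exact output.

```shell
#!/bin/sh
# Added example (not from the thread or from Incus): heuristic audit of an
# Incus profile/config dump for the settings that remove container isolation.

# check LINE PATTERN MESSAGE: report MESSAGE when LINE matches the glob PATTERN
check() {
    case "$1" in
        $2) echo "RISK: $3" >&2; findings=$((findings + 1)) ;;
    esac
}

# audit_profile: reads a profile/config dump on stdin, prints each finding to
# stderr and writes the number of risky settings found to stdout.
audit_profile() {
    findings=0
    while IFS= read -r line; do
        check "$line" '*security.privileged:*true*' \
            'security.privileged=true: no uid/gid shift, container root is host root'
        check "$line" '*lxc.apparmor.profile=unconfined*' \
            'raw.lxc turns off the AppArmor confinement Incus applies to the container'
        check "$line" '*lxc.cap.drop=*' \
            'raw.lxc overrides lxc.cap.drop; an empty value keeps every capability'
        check "$line" '*lxc.cgroup.devices.allow=a*' \
            'raw.lxc allows access to all host device nodes'
    done
    echo "$findings"
}

# Constructed sample resembling the "ostack" profile from the question
SAMPLE_RISKY='config:
  security.nesting: "true"
  security.privileged: "true"
  raw.lxc: "lxc.apparmor.profile=unconfined\nlxc.cap.drop= \nlxc.cgroup.devices.allow=a\nlxc.mount.auto=proc:rw sys:rw"'

# Constructed sample of an unprivileged profile that only enables nesting,
# which is the configuration the reply recommends trying first
SAMPLE_SAFE='config:
  security.nesting: "true"
description: unprivileged nesting profile'

# Run on the two samples; findings go to stderr, the count to stdout
printf '%s\n' "$SAMPLE_RISKY" | audit_profile
printf '%s\n' "$SAMPLE_SAFE" | audit_profile
```

To audit a live profile instead of the samples, pipe `incus profile show ostack` into `audit_profile`; a non-zero count means the profile still carries settings that collapse the boundary between the container and the host. The check is deliberately a text match on the dump rather than a YAML parse, so it also catches the folded raw.lxc value exactly as `incus profile show` prints it.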