podman exec --tty causes "Error: OCI runtime error: runsc: flag provided but not defined: -tty" when run with gvisor
p12tic opened this issue · comments
Issue Description
podman exec sends the unsupported --tty option to the OCI runtime. I couldn't find what the standard OCI runtime flags are, but at least runc does not document it: https://github.com/opencontainers/runc/blob/main/man/runc-run.8.md?plain=1#L14.

The runsc runtime provided by gvisor does not support this option either. However, it seems that --tty is not required to get a tty to work. If runsc is overridden with a wrapper that omits --tty, then the container launches and commands that use a tty, such as nano, work.
```
$ cat /usr/bin/runsc_wrap
```

```python
#!/usr/bin/env python3
# Drop the "--tty" flag that podman/conmon pass, then exec the real runsc
# with the remaining arguments unchanged.
import os
import sys

argv = [a for a in sys.argv if a != "--tty"]
os.execv("/usr/bin/runsc", argv)
```
Probably this was provided for compatibility with docker.
Steps to reproduce the issue
- Install Debian bookworm
- Install latest gvisor:

```
curl -fsSL https://gvisor.dev/archive.key | sudo gpg --dearmor -o /usr/share/keyrings/gvisor-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases release main" | sudo tee /etc/apt/sources.list.d/gvisor.list > /dev/null
sudo apt update && sudo apt install runsc
```

- Install podman (either 4.7.2 or 4.8.2; both have the same problem, just with different output).

  4.7.2:

```
sudo apt install podman
wget https://deb.debian.org/debian/pool/main/libp/libpod/podman_4.7.2+ds1-2_amd64.deb
sudo dpkg -i *.deb
```

  4.8.2: install according to these instructions https://podman.io/docs/installation#debian

```
sudo mkdir -p /etc/apt/keyrings
# Debian Testing/Bookworm
curl -fsSL https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/Debian_Testing/Release.key \
  | gpg --dearmor \
  | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
  https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/Debian_Testing/ /" \
  | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
sudo apt update
sudo apt install podman
sudo apt upgrade # if upgrading from previous installation of 4.7.2
```

- `sudo podman run --runtime=runsc --name=abcd debian:bookworm sleep 10000`
- `sudo podman exec --interactive --tty abcd bash`
Describe the results you received
```
sudo podman exec --interactive --tty abcd bash
```

exits with:

On podman 4.7.2:

```
Error: OCI runtime error: runsc: flag provided but not defined: -tty
```

On podman 4.8.2:

```
Error: container create failed (no logs from conmon): conmon bytes "": readObjectStart: expect { or n, but found , error found in #0 byte of ...||..., bigger context ...||...
```
Describe the results you expected
The container should run and the tty should work (e.g. launching nano within the container).
podman info output
```yaml
host:
  arch: amd64
  buildahVersion: 1.33.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2:2.1.10-0debian9999+obs18.5_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 42.7
    systemPercent: 14.15
    userPercent: 43.16
  cpus: 64
  databaseBackend: boltdb
  distribution:
    codename: bookworm
    distribution: debian
    version: "12"
  eventLogger: journald
  freeLocks: 2039
  hostname: exec-desktop
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.1.0-12-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 76934651904
  memTotal: 270320197632
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns_1.9.0-0debian9999+obs37.16_amd64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.9.0
    package: netavark_1.9.0-0debian9999+obs33.17_amd64
    path: /usr/libexec/podman/netavark
    version: netavark 1.9.0
  ociRuntime:
    name: crun
    package: crun_101:1.12-0debian9999+obs65.23_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.12
      commit: ce429cb2e277d001c2179df1ac66a470f00802ae
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.2-0debian9999+obs12.81_amd64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 67677679616
  swapTotal: 68719472640
  uptime: 1766h 17m 11.00s (Approximately 73.58 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
  - quay.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 8
    paused: 0
    running: 3
    stopped: 5
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 1007628390400
  graphRootUsed: 477146857472
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.8.2
  Built: 0
  BuiltTime: Thu Jan 1 03:00:00 1970
  GitCommit: ""
  GoVersion: go1.21.5
  Os: linux
  OsArch: linux/amd64
  Version: 4.8.2
```
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
Yes
Additional environment details
No response
Additional information
No response
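Added example (not the reporter's script, and not code shipped by podman, conmon or gVisor): a more defensive version of the wrapper idea from the report. It keeps the argument filtering in a function that can be tested without exec'ing anything; drops both `--tty` and the single-dash `-tty` spelling that Go's flag package accepts and reports in the error message above; also drops a hypothetical `--tty=<value>` form as a precaution; leaves everything after a bare `--` untouched so a container command that happens to be named `--tty` is not eaten; appends the untouched argv to a log so you can see exactly what conmon passes; and refuses to run if the real runtime is missing. The paths `/usr/bin/runsc` and `/var/log/runsc_wrap.log` are assumptions.

```python
#!/usr/bin/env python3
"""Defensive wrapper that strips flags the wrapped OCI runtime rejects.

Added illustration; not code from the issue reporter, podman, conmon or gVisor.
"""
import os
import shlex
import sys

REAL_RUNTIME = "/usr/bin/runsc"            # assumption: where the real runsc lives
LOG_PATH = "/var/log/runsc_wrap.log"       # assumption: where to record invocations

# Flags that podman/conmon pass on exec but runsc does not define.  "-tty" is
# the single-dash spelling Go's flag package accepts and reports in the error
# message quoted in the issue.  The "--tty=<value>" form handled below is a
# precaution and an assumption, not something the issue shows being sent.
UNSUPPORTED_FLAGS = frozenset({"--tty", "-tty"})


def strip_flags(argv, unsupported=UNSUPPORTED_FLAGS):
    """Return a copy of argv without the unsupported flags.

    argv[0] is always kept.  Anything after a bare "--" is the container
    command line and is passed through untouched, so a process that happens
    to be called "--tty" is not silently removed.
    """
    cleaned = [argv[0]]
    passthrough = False
    for arg in argv[1:]:
        if passthrough:
            cleaned.append(arg)
            continue
        if arg == "--":
            passthrough = True
            cleaned.append(arg)
            continue
        # "--tty=true" -> "--tty"; a plain "--tty" is unchanged by the split.
        if arg.split("=", 1)[0] in unsupported:
            continue
        cleaned.append(arg)
    return cleaned


def record_invocation(argv, log_path=LOG_PATH):
    """Append the untouched argv so the flags conmon passes can be inspected.

    Logging must never break container start, so I/O errors are ignored.
    """
    try:
        with open(log_path, "a") as log:
            log.write("%d %s\n" % (os.getpid(), shlex.join(argv)))
    except OSError:
        pass


def main(argv=None):
    argv = list(sys.argv if argv is None else argv)
    if not os.access(REAL_RUNTIME, os.X_OK):
        # Fail closed rather than let podman report a confusing error later.
        sys.stderr.write("runsc_wrap: %s is not executable\n" % REAL_RUNTIME)
        return 127
    record_invocation(argv)
    cleaned = strip_flags(argv)
    os.execv(REAL_RUNTIME, cleaned)  # replaces this process; never returns


if __name__ == "__main__":
    sys.exit(main())
```

Point podman at it with `--runtime=/usr/bin/runsc_wrap` (the `--runtime` option accepts a path to the runtime binary) or register it under `[engine.runtimes]` in containers.conf. Because the wrapper runs as root with whatever conmon hands it, keep it root-owned and not group- or world-writable, exactly as you would the runtime binary it fronts; a writable wrapper on the runtime path is a trivial root code-execution point.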
@haircommander could we remove the --tty flag that conmon passes to the OCI runtime? At least with crun, it seems to work fine without.
So it is documented in runc: https://github.com/opencontainers/runc/blob/main/man/runc-exec.8.md?plain=1#L23

But actually I don't even think it's used, as runc takes the process spec first and only falls back to the tty flag if the process spec isn't defined: https://github.com/opencontainers/runc/blob/main/exec.go#L200-L211