Permission denied while pasta tries to open network namespace #22681
Comments
It is an issue with pasta (passt), most likely AppArmor blocking access when you are on Debian. You should check the audit.log to confirm. Or disable AppArmor.
Yeah, there is a log in the journal: Thanks. Disabling the passt profile did it: Or defining these rules in the
But I am not familiar with AppArmor rules, and whether these are the most restrictive and minimal rules?!
They are installed by another repository, where these versions come from.
You should check your installed profile. pasta ships a working profile upstream at https://passt.top/passt/tree/contrib/apparmor/usr.bin.pasta, so it is best to use that, and if there are problems with that profile, report them to the pasta maintainers.
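The two suggestions above (confirm the denial in the journal or audit.log, then compare the installed profile with the upstream one) are easier to act on if you can see exactly which operation and which path or capability the profile is refusing. The script below is an added example, not code from this issue or from the passt project: a POSIX sh function that reads AppArmor audit lines on stdin and prints one line per distinct denial for the profile named as its argument. The sample log it runs against is constructed for the example; the pids, timestamps and the `/proc/<pid>/ns/net` path are hypothetical stand-ins for what the reporter's journal would contain.

```shell
#!/bin/sh
# Added example for triaging an AppArmor "permission denied" like the one in
# this thread.  Not code from the podman issue or the passt project.
#
# Real usage (not run here):
#   journalctl -k -b | summarize_apparmor_denials pasta
#   grep apparmor= /var/log/audit/audit.log | summarize_apparmor_denials pasta

# Read AppArmor audit lines on stdin; print "operation target denied_mask"
# (one line per distinct denial) for the profile named in $1.
summarize_apparmor_denials() {
    awk -v want="$1" '
        # Field k, or "-" when the event does not carry it (capability
        # denials have capname= but neither name= nor denied_mask=).
        function get(k) { return (k in f) ? f[k] : "-" }
        /apparmor="DENIED"/ {
            split("", f)                       # portable "clear array"
            match($0, /apparmor="DENIED".*/)
            rest = substr($0, RSTART)
            # Walk the key="value" pairs; unquoted ones (pid=, capability=) are skipped.
            while (match(rest, /[a-z_]+="[^"]*"/)) {
                kv = substr(rest, RSTART, RLENGTH)
                eq = index(kv, "=")
                f[substr(kv, 1, eq - 1)] = substr(kv, eq + 2, length(kv) - eq - 2)
                rest = substr(rest, RSTART + RLENGTH)
            }
            if (get("profile") != want) next
            target = ("name" in f) ? f["name"] : get("capname")
            print get("operation"), target, get("denied_mask")
        }' | sort -u
}

# Constructed sample (hypothetical pids, timestamps and paths) so the script
# runs offline.  Two identical file denials with different pids collapse to
# one line, a capability denial has no path, a denial from another profile
# and a STATUS (profile load) message are ignored.
sample_log() {
    cat <<'EOF'
May 10 12:00:01 vm kernel: audit: type=1400 audit(1715342401.101:301): apparmor="DENIED" operation="open" class="file" profile="pasta" name="/proc/4242/ns/net" pid=4243 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 10 12:00:01 vm kernel: audit: type=1400 audit(1715342401.102:302): apparmor="DENIED" operation="open" class="file" profile="pasta" name="/proc/4242/ns/net" pid=4244 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 10 12:00:01 vm kernel: audit: type=1400 audit(1715342401.103:303): apparmor="DENIED" operation="capable" class="cap" profile="pasta" pid=4243 comm="pasta" capability=12 capname="net_admin"
May 10 12:00:02 vm kernel: audit: type=1400 audit(1715342402.104:304): apparmor="DENIED" operation="open" class="file" profile="other-app" name="/home/user/.ssh/id_ed25519" pid=5000 comm="other-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 10 12:00:02 vm kernel: audit: type=1400 audit(1715342402.105:305): apparmor="STATUS" operation="profile_load" profile="unconfined" name="pasta" pid=5001 comm="apparmor_parser"
EOF
}

# Against the constructed sample this prints:
#   capable net_admin -
#   open /proc/4242/ns/net r
sample_log | summarize_apparmor_denials pasta
```

Each output line names the operation, the path or capability, and the access mask that was refused, which is what you need when reading the installed `/etc/apparmor.d` profile next to the upstream `usr.bin.pasta` file linked above. If the upstream profile already permits the denied access, the installed copy is stale and should be replaced; if it does not, that is the detail to include when reporting to the pasta maintainers. Either is preferable to disabling AppArmor, which removes confinement from every other profiled program on the host as well.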
Issue Description
After a system upgrade and newer versions, I can't run a container due to a pasta permission denied error. It is not the same as #22015 because it worked before the system upgrade and the newest passt version.
The following packages were upgraded:
I also downgraded the packages containers-common, libslirp0, podman and slirp4netns to their previous versions and rebooted, but it is still the same result. I am not really sure if it is a podman issue or something with the other packages.
Steps to reproduce the issue
podman run --rm docker.io/alpine:latest id -u nobody
Describe the results you received
Describe the results you expected
I expect the user id to be printed:
65534
podman run --network=none --rm docker.io/alpine:latest id -u nobody and podman run --network=slirp4netns --rm docker.io/alpine:latest id -u nobody work as expected and print the id.
podman info output
Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
It is a Debian 11 virtual machine running with VirtualBox:
But it does not work with Debian 12 and the same versions either.
Additional information
No response