Open
Description
The goal here is to allow Sysbox to run podman inside a system container. Refer to this podman issue for details about the use-case.
After analyzing the issue and making a few adjustments to sysbox, I'm now running into this one:
rmolina@dev-vm1:~$ docker run -it --rm --device=/dev/fuse --runtime=sysbox-runc quay.io/podman/stable bash
[root@c9f908a8ef7a /]#
[root@c9f908a8ef7a /]# podman run hello-world
Trying to pull registry.fedoraproject.org/hello-world...
manifest unknown: manifest unknown
Trying to pull registry.access.redhat.com/hello-world...
name unknown: Repo not found
Trying to pull registry.centos.org/hello-world...
manifest unknown: manifest unknown
Trying to pull docker.io/library/hello-world...
Getting image source signatures
Copying blob 0e03bdcc26d7 [--------------------------------------] 0.0b / 0.0b
Copying config bf756fb1ae done
Writing manifest to image destination
Storing signatures
Error: openat2 `proc`: Operation not permitted: OCI runtime permission denied error
[root@c9f908a8ef7a /]#
<-- Strace output below -- note that syscall 0x1b5 == 437 == openat2() ...
[pid 2968594] 16:46:16 syscall_0x1b5(0x6, 0x55f30681c180, 0x7ffdc8e34730, 0x18, 0, 0x28000000000000) = -1 EPERM (Operation not permitted) <0.000006>
[pid 2968594] 16:46:16 close(6) = 0 <0.000007>
[pid 2968594] 16:46:16 write(7, "\1\0\0\0\1\0\0\0openat2 `proc`\0", 23) = 23 <0.000018>
[pid 2968594] 16:46:16 exit_group(1 <unfinished ...>
Looks like a seccomp issue preventing openat2() execution. The fix may need to extend libseccomp as openat2() doesn't seem to be supported (at least not in our private version). If that's the case, and we see nothing else, I believe the fix for this one should be an easy one.
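To make the diagnosis above concrete, here is an added example (not Sysbox's or runc's own code): a Python script that decodes the raw syscall number strace printed (0x1b5 == 437 == openat2 on x86_64), checks an OCI seccomp profile for the syscalls a workload needs, and emits a patched copy with an allow rule. The profile and the partial syscall table are constructed for this example; a runtime whose libseccomp does not know the name "openat2" still cannot compile such a rule, so the library's syscall table must be checked as well as the profile.

```python
import copy
import json

# Constructed example: a trimmed OCI seccomp profile in the shape runc/Docker consume.
# Real profiles list hundreds of syscalls; this one omits openat2 on purpose, so any
# call to it falls through to defaultAction and fails with EPERM, as in the issue.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["openat", "close", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"}
  ]
}
""")

# Partial x86_64 syscall-number table, constructed for this example from the kernel's
# syscall_64.tbl; it is just large enough to decode the strace line in the issue.
X86_64_SYSCALLS = {1: "write", 3: "close", 231: "exit_group", 257: "openat", 437: "openat2"}

def decode_syscall(nr, table=X86_64_SYSCALLS):
    """Map a raw syscall number (what strace prints when it lacks a name) to its name."""
    return table.get(nr, f"syscall_{nr:#x}")

def allowed_syscalls(profile):
    """Names the profile explicitly allows via SCMP_ACT_ALLOW rules."""
    return {n for rule in profile["syscalls"]
            if rule["action"] == "SCMP_ACT_ALLOW" for n in rule["names"]}

def missing_syscalls(profile, required):
    """Syscalls the workload needs that the profile would reject via defaultAction."""
    if profile["defaultAction"] == "SCMP_ACT_ALLOW":
        return set()
    return set(required) - allowed_syscalls(profile)

def with_allowed(profile, names):
    """Return a copy of the profile with one extra allow rule covering `names`."""
    patched = copy.deepcopy(profile)
    patched["syscalls"].append({"names": sorted(names), "action": "SCMP_ACT_ALLOW"})
    return patched

if __name__ == "__main__":
    needed = {decode_syscall(0x1b5), "openat", "close"}   # openat2 from the strace line
    gap = missing_syscalls(SAMPLE_PROFILE, needed)
    print("profile rejects:", sorted(gap))
    print(json.dumps(with_allowed(SAMPLE_PROFILE, gap), indent=2))
```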
Labels: enhancement (New feature or request)