You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The outer Podman container fails to stop gracefully with SIGTERM when specific capabilities (cap_setuid and cap_setgid) are set to enable the use of machinectl and inner containers. Without these capabilities, machinectl commands result in errors related to newuidmap and newgidmap. However, with these capabilities set, stopping the outer container requires forcibly using SIGKILL, even after the default timeout, which is not an ideal behavior.
Steps to Reproduce:
Run the Outer Container:
systemd-run --scope --user \
podman --runtime=crun run -d \
outer-container-image
Attempt to Stop the Outer Container: podman stop outer-container and now observe errors:
Without setcap:
ERRO[0000] running /usr/bin/newuidmap 85 0 <user id> 1 1 100000 65536: newuidmap: write to uid_map failed: Operation not permitted
Error: cannot set up namespace using "/usr/bin/newuidmap": should have setuid or have filecaps setuid: exit status 1
With setcap:
WARN[0010] StopSignal (15) failed to stop container outer-container in 10 seconds, resorting to SIGKILL
Adding cap_setuid+ep and cap_setgid+ep to newuidmap and newgidmap enables the inner container setup but introduces the stopping issue. Impact:
-- Without capabilities: Inner containers cannot be managed due to namespace errors.
-- With capabilities: The outer container cannot be gracefully stopped using SIGTERM.
Workaround:
The only current workaround is using --stop-signal SIGKILL when running the outer container, which is suboptimal and forces an abrupt termination.
The outer container should gracefully stop with SIGTERM, propagating signals to its processes, regardless of whether cap_setuid and cap_setgid are set.
Actual Behavior:
SIGTERM fails to stop the outer container, requiring SIGKILL after the timeout.
Attempts to Resolve:
Increasing stop-timeout: podman run --stop-timeout=60 ...
Outcome: Still fails to stop with SIGTERM after the timeout and resorts to SIGKILL.
Releasing Capabilities Post-Setup: I attempted to revoke cap_setuid and cap_setgid after starting the inner container by setcap cap_setuid-ep /usr/bin/newuidmap and setcap cap_setgid-ep /usr/bin/newgidmap
Outcome: Results in the following error when trying to execute machinectl:
ERRO[0000] running /usr/bin/newuidmap 83 0 <user id> 1 1 100000 65536: newuidmap: write to uid_map failed: Operation not permitted
Request for Assistance:
Why does setting cap_setuid and cap_setgid affect the signal handling of the outer container?
Is there a way to allow the inner container setup without compromising the graceful stopping of the outer container?
Would you like additional logs, configurations, or minimal reproducer scripts?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
The outer Podman container fails to stop gracefully with SIGTERM when specific capabilities (cap_setuid and cap_setgid) are set to enable the use of machinectl and inner containers. Without these capabilities, machinectl commands result in errors related to newuidmap and newgidmap. However, with these capabilities set, stopping the outer container requires forcibly using SIGKILL, even after the default timeout, which is not an ideal behavior.
Steps to Reproduce:
podman stop outer-containerand now observe errors:Adding cap_setuid+ep and cap_setgid+ep to newuidmap and newgidmap enables the inner container setup but introduces the stopping issue. Impact:
-- Without capabilities: Inner containers cannot be managed due to namespace errors.
-- With capabilities: The outer container cannot be gracefully stopped using SIGTERM.
Workaround:
The only current workaround is using
--stop-signal SIGKILLwhen running the outer container, which is suboptimal and forces an abrupt termination.Environment:
Expected Behavior:
The outer container should gracefully stop with SIGTERM, propagating signals to its processes, regardless of whether cap_setuid and cap_setgid are set.
Actual Behavior:
SIGTERM fails to stop the outer container, requiring SIGKILL after the timeout.
Attempts to Resolve:
Increasing
stop-timeout:podman run --stop-timeout=60 ...Outcome: Still fails to stop with SIGTERM after the timeout and resorts to SIGKILL.
Releasing Capabilities Post-Setup: I attempted to revoke cap_setuid and cap_setgid after starting the inner container by
setcap cap_setuid-ep /usr/bin/newuidmapandsetcap cap_setgid-ep /usr/bin/newgidmapOutcome: Results in the following error when trying to execute machinectl:
Request for Assistance:
Why does setting cap_setuid and cap_setgid affect the signal handling of the outer container?
Is there a way to allow the inner container setup without compromising the graceful stopping of the outer container?
Would you like additional logs, configurations, or minimal reproducer scripts?
Beta Was this translation helpful? Give feedback.
All reactions