Podman permission denied error in apache

[Elrondo46]

Apache containers log error when starting in pod (not in container), userns rootless mode

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 174.10.0.20. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00091: apache2: could not open error log file /var/log/apache2/error.log.
AH00015: Unable to open logs

Tried to add group_add tty without success

podman version 4.1.1
Archlinux kernel 5.18.15-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 29 Jul 2022 22:52:39 +0000 x86_64 GNU/Linux

[rhatdan]

Please give us exact reproducer. I would figure this is either SELinux or User Namespace issue.

[Elrondo46]

I don't have SELinux, just usernamespace. Just start the tuxnvape/multicms container in and out a pod and watch the logs (userns rootless)

[rhatdan]

Please submit the Podman command.

[Elrondo46]

Don't use a podman command, sent it with ansible

    become: false
    containers.podman.podman_container:
      name: "website_{{ item.website_name }}"
      recreate: yes
      state: present
      image: 'docker.io/tuxnvape/multicms:latest'
      pod: "{{ item.website_name }}"
      env:
        SMTP_FROM: "{{ item.sender_mail  }}"
        SMTP_HOST: "{{ item.mail_host }}"
        SMTP_PORT: "25"
    loop: "{{ multivars }}"```

[Elrondo46]

Same test with httpd official image from docker hub

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.0.2.100. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00091: httpd: could not open error log file /proc/self/fd/2.
AH00015: Unable to open logs

[rhatdan]

Strange Could you try those commands with podman.

podman run --pod new:item.website_name docker.io/tuxnvape/multicms:latest

And see if this blows up?

BTW It worked fine on my Fedora 36 laptop.

[Elrondo46]

It's working fine
podman run --pod new:bozo docker.io/tuxnvape/multicms:latest
No CMS Detected, continue without CMS but you can define this variable later
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 10.0.2.100. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 10.0.2.100. Set the 'ServerName' directive globally to suppress this message
[Tue Aug 02 11:32:41.199548 2022] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.54 (Debian) PHP/8.1.8 configured -- resuming normal operations
[Tue Aug 02 11:32:41.199584 2022] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'

But why it fails when I manage it with ansible (it's RedHat product too). Where I can reprot the bug ?

There is not other containers fails...

[Elrondo46]

If it's an ansible module bug, this is a really strange bug

[rhatdan]

I guess I would need to see what actual Podman command ansible is executing, to unerstand what is going on. One problem might be that the tty for stderr under ansible might be very different, If you run the ansible script on a rootful podman, does it work?

[rhatdan]

BTW is their a debug mode in ansible to show the command being executed?

[rhatdan]

BTW If you are a Red Hat customer, you should be reporting this in a bugzilla so that we could get ansible people to look at it.

[Elrondo46]

This is the debug

`pod:
CgroupParent: user.slice
CgroupPath: user.slice/user-libpod_pod_22ab3a4e7bba5e1a37d1cc4ca9cc120b7de66a09db97b647e38c8bb22ac309ce.slice
Containers:
- Id: 9da8839fe396cb647be10d2d4a289bb4f2f36374734377c7b9319642442ac2e6
Name: 22ab3a4e7bba-infra
State: created
CreateCgroup: true
CreateCommand:
- podman
- pod
- create
- --name
- testpod
- --userns
- auto
- --publish
- 8080:80
CreateInfra: true
Created: '2022-08-02T12:33:13.185762736Z'
Hostname: ''
Id: 22ab3a4e7bba5e1a37d1cc4ca9cc120b7de66a09db97b647e38c8bb22ac309ce
InfraConfig:
DNSOption: null
DNSSearch: null
DNSServer: null
HostAdd: null
HostNetwork: false
NetworkOptions: null
Networks: null
NoManageHosts: false
NoManageResolvConf: false
PortBindings:
80/tcp:
- HostIp: ''
HostPort: '8080'
StaticIP: ''
StaticMAC: ''
pid_ns: private
userns: host
InfraContainerID: 9da8839fe396cb647be10d2d4a289bb4f2f36374734377c7b9319642442ac2e6
Name: testpod
NumContainers: 1
SharedNamespaces:
- ipc
- net
- user
- uts
State: Created
podman_actions:

• podman pod rm -f testpod

• podman pod create --name testpod --userns auto --publish 8080:80
  podman_systemd:
  pod-testpod: |-

  pod-testpod.service

  autogenerated by Podman 4.1.1

  Tue Aug 2 12:33:14 UTC 2022

  [Unit]
  Description=Podman pod-testpod.service
  Documentation=man:podman-generate-systemd(1)
  Wants=network-online.target
  After=network-online.target
  RequiresMountsFor=
  Requires=
  Before=

  [Service]
  Environment=PODMAN_SYSTEMD_UNIT=%n
  Restart=on-failure
  TimeoutStopSec=70
  ExecStart=/usr/bin/podman start 22ab3a4e7bba-infra
  ExecStop=/usr/bin/podman stop -t 10 22ab3a4e7bba-infra
  ExecStopPost=/usr/bin/podman stop -t 10 22ab3a4e7bba-infra
  PIDFile=/tmp/podman-run-1002/containers/overlay-containers/9da8839fe396cb647be10d2d4a289bb4f2f36374734377c7b9319642442ac2e6/userdata/conmon.pid
  Type=forking

  [Install]
  WantedBy=default.target
  stderr: ''
  stderr_lines:
  stdout: |-
  22ab3a4e7bba5e1a37d1cc4ca9cc120b7de66a09db97b647e38c8bb22ac309ce
  stdout_lines:

TASK [Run multicms container] ********************************************************************************************************
changed: [aurora] => changed=true
actions:

• created siteploplo
  container:
  AppArmorProfile: ''
  Args:

  • httpd-foreground
    BoundingCaps:
  • CAP_CHOWN
  • CAP_DAC_OVERRIDE
  • CAP_FOWNER
  • CAP_FSETID
  • CAP_KILL
  • CAP_NET_BIND_SERVICE
  • CAP_SETFCAP
  • CAP_SETGID
  • CAP_SETPCAP
  • CAP_SETUID
  • CAP_SYS_CHROOT
    Config:
    Annotations:
    io.kubernetes.cri-o.ContainerType: container
    io.kubernetes.cri-o.SandboxID: testpod
    io.kubernetes.cri-o.TTY: 'false'
    io.podman.annotations.autoremove: 'FALSE'
    io.podman.annotations.init: 'FALSE'
    io.podman.annotations.privileged: 'FALSE'
    io.podman.annotations.publish-all: 'FALSE'
    AttachStderr: false
    AttachStdin: false
    AttachStdout: false
    Cmd:
    • httpd-foreground
      CreateCommand:
    • podman
    • container
    • create
    • --name
    • siteploplo
    • --pod
    • testpod
    • docker.io/httpd:latest
      Domainname: ''
      Entrypoint: ''
      Env:
    • HTTPD_PATCHES=
    • PATH=/usr/local/apache2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    • TERM=xterm
    • container=podman
    • HTTPD_PREFIX=/usr/local/apache2
    • HTTPD_VERSION=2.4.54
    • HTTPD_SHA256=eb397feeefccaf254f8d45de3768d9d68e8e73851c49afd5b7176d1ecf80c340
      Hostname: testpod
      Image: docker.io/library/httpd:latest
      Labels: null
      OnBuild: null
      OpenStdin: false
      Passwd: true
      StdinOnce: false
      StopSignal: 28
      StopTimeout: 10
      Timeout: 0
      Tty: false
      Umask: '0022'
      User: ''
      Volumes: null
      WorkingDir: /usr/local/apache2
      ConmonPidFile: /tmp/podman-run-1002/containers/overlay-containers/af0573d6caa3eb129f1ae04cdbad8990b9edd92bb2304fa724e97648376a34c1/userdata/conmon.pid
      Created: '2022-08-02T12:33:18.340929541Z'
      Dependencies:
  • 9da8839fe396cb647be10d2d4a289bb4f2f36374734377c7b9319642442ac2e6
    Driver: overlay
    EffectiveCaps:
  • CAP_CHOWN
  • CAP_DAC_OVERRIDE
  • CAP_FOWNER
  • CAP_FSETID
  • CAP_KILL
  • CAP_NET_BIND_SERVICE
  • CAP_SETFCAP
  • CAP_SETGID
  • CAP_SETPCAP
  • CAP_SETUID
  • CAP_SYS_CHROOT
    ExecIDs: []
    GraphDriver:
    Data:
    LowerDir: /home/podman/.local/share/containers/storage/overlay/370d66167ae1e9bc3cb1e51bfcb84fd1f14a00489a24032e5b0acabf753786ef/diff:/home/podman/.local/share/containers/storage/overlay/ff61c0278c11f72793b137e1b3d3c27fcb65a6a2856b396a67fee6d3d9d0dee3/diff:/home/podman/.local/share/containers/storage/overlay/130ff3c44788465f8d2f2989c6446103b1828c7264bc7f999541445bb5b249f6/diff:/home/podman/.local/share/containers/storage/overlay/95e90ca85a1299f86e6f1a669a9a046d824b033faf35c6c4a216a3e2574dc640/diff:/home/podman/.local/share/containers/storage/overlay/df9185371e89509987b2906aba7d3fc91e528be2c027f4813a4bf9840b4a84fe/diff:/home/podman/.local/share/containers/storage/overlay/e4f85c7c2b1fddac675cb2be9672426c32293e7a509e2c2e6a198394aa46bbd1/diff
    UpperDir: /home/podman/.local/share/containers/storage/overlay/d13dcc3689113db37521611e2dc23fdbd9f5e3fd9c71344b5de32a44fd43f701/diff
    WorkDir: /home/podman/.local/share/containers/storage/overlay/d13dcc3689113db37521611e2dc23fdbd9f5e3fd9c71344b5de32a44fd43f701/work
    Name: overlay
    HostConfig:
    AutoRemove: false
    Binds: []
    BlkioDeviceReadBps: null
    BlkioDeviceReadIOps: null
    BlkioDeviceWriteBps: null
    BlkioDeviceWriteIOps: null
    BlkioWeight: 0
    BlkioWeightDevice: null
    CapAdd: []
    CapDrop:
    • CAP_AUDIT_WRITE
    • CAP_MKNOD
    • CAP_NET_RAW
      Cgroup: ''
      CgroupConf: null
      CgroupManager: systemd
      CgroupMode: private
      CgroupParent: user.slice/user-libpod_pod_22ab3a4e7bba5e1a37d1cc4ca9cc120b7de66a09db97b647e38c8bb22ac309ce.slice
      Cgroups: default
      ConsoleSize:
    • 0
    • 0
      ContainerIDFile: ''
      CpuCount: 0
      CpuPercent: 0
      CpuPeriod: 0
      CpuQuota: 0
      CpuRealtimePeriod: 0
      CpuRealtimeRuntime: 0
      CpuShares: 0
      CpusetCpus: ''
      CpusetMems: ''
      Devices: []
      DiskQuota: 0
      Dns: []
      DnsOptions: []
      DnsSearch: []
      ExtraHosts: []
      GroupAdd: []
      IDMappings:
      GidMap:
      • 0:1:1024
        UidMap:
      • 0:1:1024
        IOMaximumBandwidth: 0
        IOMaximumIOps: 0
        IpcMode: container:9da8839fe396cb647be10d2d4a289bb4f2f36374734377c7b9319642442ac2e6
        Isolation: ''
        KernelMemory: 0
        Links: null
        LogConfig:
        Config: null
        Path: ''
        Size: 0B
        Tag: ''
        Type: journald
        Memory: 0
        MemoryReservation: 0
        MemorySwap: 0
        MemorySwappiness: 0
        NanoCpus: 0
        NetworkMode: container:9da8839fe396cb647be10d2d4a289bb4f2f36374734377c7b9319642442ac2e6
        OomKillDisable: false
        OomScoreAdj: 0
        PidMode: private
        PidsLimit: 2048
        PortBindings: {}
        Privileged: false
        PublishAllPorts: false
        ReadonlyRootfs: false
        RestartPolicy:
        MaximumRetryCount: 0
        Name: ''
        Runtime: oci
        SecurityOpt: []
        ShmSize: 65536000
        Tmpfs: {}
        UTSMode: container:9da8839fe396cb647be10d2d4a289bb4f2f36374734377c7b9319642442ac2e6
        Ulimits: []
        UsernsMode: container:9da8839fe396cb647be10d2d4a289bb4f2f36374734377c7b9319642442ac2e6
        VolumeDriver: ''
        VolumesFrom: null
        HostnamePath: ''
        HostsPath: ''
        Id: af0573d6caa3eb129f1ae04cdbad8990b9edd92bb2304fa724e97648376a34c1
        Image: 4ddf3128a12761820ec2b1874bd8db0422a885e6f8d9e0eb6c824267b1fa0c4f
        ImageName: docker.io/library/httpd:latest
        IsInfra: false
        MountLabel: ''
        Mounts: []
        Name: siteploplo
        Namespace: ''
        NetworkSettings:
        Bridge: ''
        EndpointID: ''
        Gateway: ''
        GlobalIPv6Address: ''
        GlobalIPv6PrefixLen: 0
        HairpinMode: false
        IPAddress: ''
        IPPrefixLen: 0
        IPv6Gateway: ''
        LinkLocalIPv6Address: ''
        LinkLocalIPv6PrefixLen: 0
        MacAddress: ''
        Ports:
        80/tcp:
      • HostIp: ''
        HostPort: '8080'
        SandboxID: ''
        SandboxKey: ''
        OCIRuntime: crun
        Path: httpd-foreground
        PidFile: /tmp/podman-run-1002/containers/overlay-containers/af0573d6caa3eb129f1ae04cdbad8990b9edd92bb2304fa724e97648376a34c1/userdata/pidfile
        Pod: 22ab3a4e7bba5e1a37d1cc4ca9cc120b7de66a09db97b647e38c8bb22ac309ce
        ProcessLabel: ''
        ResolvConfPath: ''
        RestartCount: 0
        Rootfs: ''
        State:
        CheckpointedAt: '0001-01-01T00:00:00Z'
        Dead: false
        Error: ''
        ExitCode: 0
        FinishedAt: '0001-01-01T00:00:00Z'
        Health:
        FailingStreak: 0
        Log: null
        Status: ''
        OOMKilled: false
        OciVersion: 1.0.2-dev
        Paused: false
        Pid: 0
        Restarting: false
        RestoredAt: '0001-01-01T00:00:00Z'
        Running: false
        StartedAt: '0001-01-01T00:00:00Z'
        Status: created
        StaticDir: /home/podman/.local/share/containers/storage/overlay-containers/af0573d6caa3eb129f1ae04cdbad8990b9edd92bb2304fa724e97648376a34c1/userdata
        podman_actions:

• podman create --name siteploplo --pod testpod docker.io/httpd:latest
  podman_systemd:
  container-siteploplo: |-

  container-siteploplo.service

  autogenerated by Podman 4.1.1

  Tue Aug 2 12:33:19 UTC 2022

  [Unit]
  Description=Podman container-siteploplo.service
  Documentation=man:podman-generate-systemd(1)
  Wants=network-online.target
  After=network-online.target
  RequiresMountsFor=/tmp/podman-run-1002/containers

  [Service]
  Environment=PODMAN_SYSTEMD_UNIT=%n
  Restart=on-failure
  TimeoutStopSec=70
  ExecStart=/usr/bin/podman start siteploplo
  ExecStop=/usr/bin/podman stop -t 10 siteploplo
  ExecStopPost=/usr/bin/podman stop -t 10 siteploplo
  PIDFile=/tmp/podman-run-1002/containers/overlay-containers/af0573d6caa3eb129f1ae04cdbad8990b9edd92bb2304fa724e97648376a34c1/userdata/conmon.pid
  Type=forking

  [Install]
  WantedBy=default.target
  stderr: ''
  stderr_lines:
  stdout: |-
  af0573d6caa3eb129f1ae04cdbad8990b9edd92bb2304fa724e97648376a34c1
  stdout_lines: `

[Elrondo46]

Same bug in other distros, and in other architecture: arm64

[Elrondo46]

After debug if I use:

podman pod create --name testpod --userns auto --publish 8080:80
and then
podman create --pod testpod --name siteploplo docker.io/httpd:latest
and finally
podman pod start testpod

Containers fail like the ansible method

[rhatdan]

This is working for me on F36
$ podman -v
podman version 4.1.1

[Elrondo46]

Okay, I solved the problem by myself with

tty: "yes" (Ansible)

and

podman create --pod testpod --name siteploplo --tty docker.io/httpd:latest

[sjpb]

Hit this while working through #20573. using --userns=auto fails with this error unless --tty is used on RockyLinux 8.9 (systemd 239, podman 4.4.1). --userns=auto works without --tty on RockyLinux 9.3 (systemd 252, podman 4.6.1).

Unit file as follows, exactly as produced by systemd generate podman except for the addition of --userns=auto and TimeoutStartSec=180 (for container pull):

[Unit]
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStart=/usr/bin/podman run \
        --cidfile=%t/%n.ctr-id \
        --cgroups=no-conmon \
        --rm \
        --sdnotify=conmon \
        --replace \
        -d \
        --userns=auto \
        --name apache \
        -p 8080:80 docker.io/library/httpd:2.4
ExecStop=/usr/bin/podman stop \
        --ignore -t 10 \
        --cidfile=%t/%n.ctr-id
ExecStopPost=/usr/bin/podman rm \
        -f \
        --ignore -t 10 \
        --cidfile=%t/%n.ctr-id
Type=notify
NotifyAccess=all
TimeoutStartSec=180

[Install]
WantedBy=default.target