OCI runtime exec failed: exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown #3551

amigthea · 2022-08-05T08:56:22Z

As title, this error is generated by a breaking bug found on runc version 1.1.3

kolyshkin · 2022-08-10T19:03:57Z

I wonder if this is related to #3504?

kolyshkin · 2022-08-11T00:13:23Z

I wonder if this is related to #3504?

OK, looks like it is.

I've added the following debug patch to the tip of release-1.1 branch:

diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
index 5a68a3cf..b153ec51 100644
--- a/libcontainer/cgroups/systemd/common.go
+++ b/libcontainer/cgroups/systemd/common.go
@@ -295,6 +295,8 @@ func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, err
                // have a corresponding path.
                if _, err := os.Stat(entry.Path); err == nil {
                        deviceAllowList = append(deviceAllowList, entry)
+               } else {
+                       logrus.Warnf("Skipping device %+v: %w", entry, err)
                }
        }

and got the following output (from one of the tests -- doesn't matter):

   runc run -d --console-socket /tmp/bats-run-JcLxzP/runc.7sdPPv/tty/sock test_busybox (status=0):
   time="2022-08-10T16:47:33-07:00" level=warning msg="Skipping device {Path:block-* Perms:m}: %!w(*fs.PathError=&{stat block-* 2})"
   time="2022-08-10T16:47:33-07:00" level=warning msg="Skipping device {Path:char-* Perms:m}: %!w(*fs.PathError=&{stat char-* 2})"
   time="2022-08-10T16:47:33-07:00" level=warning msg="Skipping device {Path:char-pts Perms:rwm}: %!w(*fs.PathError=&{stat char-pts 2})"

So, what happens, I guess, is:

With [1.1] cgroups: systemd: skip adding device paths that don't exist #3504 in place, we are not longer adding char-pts rwm rule to the container's DeviceAllow systemd unit property.
The fact that the rule is excluded doesn't matter, since we also apply the rules directly (for cgroup v1, by writing to devices.allow)
systemctl daemon-reload reapplies the DeviceAllow rules, thus removing the char-pts rule.

Fix is coming.

A regression reported for runc v1.1.3 says that after systemctl daemon-reload runc exec fails: > exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown Apparently, with commit 7219387 we are no longer adding "DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns ENOENT). The bug can only be seen after "systemctl daemon-reload" because runc also applies the same rules manually (by writing to devices.allow for cgroup v1), and apparently reloading systemd leads to re-applying the rules that systemd has (thus removing the char-pts access). The fix is to do os.Stat only for "/dev" paths. Also, emit a warning that the path was skipped. Since the original idea was to emit less warnings, demote the level to debug. Fixes: opencontainers#3551 Fixes: 7219387 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

A regression reported for runc v1.1.3 says that after systemctl daemon-reload runc exec fails: > exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown Apparently, with commit 7219387 we are no longer adding "DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns ENOENT). The bug can only be seen after "systemctl daemon-reload" because runc also applies the same rules manually (by writing to devices.allow for cgroup v1), and apparently reloading systemd leads to re-applying the rules that systemd has (thus removing the char-pts access). The fix is to do os.Stat only for "/dev" paths. Also, emit a warning that the path was skipped. Since the original idea was to emit less warnings, demote the level to debug. Fixes: opencontainers#3551 Fixes: 7219387 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

kolyshkin · 2022-08-11T01:55:29Z

Trying to make a test for this in #3555, alas it's not failing.

v2: use daemon-reexec Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

v2: use daemon-reexec v3: require root to reload systemd Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

A regression reported for runc v1.1.3 says that after systemctl daemon-reload runc exec fails: > exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown Apparently, with commit 7219387 we are no longer adding "DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns ENOENT). The bug can only be seen after "systemctl daemon-reload" because runc also applies the same rules manually (by writing to devices.allow for cgroup v1), and apparently reloading systemd leads to re-applying the rules that systemd has (thus removing the char-pts access). The fix is to do os.Stat only for "/dev" paths. Also, emit a warning that the path was skipped. Since the original idea was to emit less warnings, demote the level to debug. Fixes: opencontainers#3551 Fixes: 7219387 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

v2: use daemon-reexec v3: require root to reload systemd v4: use exec -t Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

A regression reported for runc v1.1.3 says that "runc exec -t" fails after doing "systemctl daemon-reload": > exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown Apparently, with commit 7219387 we are no longer adding "DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns ENOENT). The bug can only be seen after "systemctl daemon-reload" because runc also applies the same rules manually (by writing to devices.allow for cgroup v1), and apparently reloading systemd leads to re-applying the rules that systemd has (thus removing the char-pts access). The fix is to do os.Stat only for "/dev" paths. Also, emit a warning that the path was skipped. Since the original idea was to emit less warnings, demote the level to debug. Note this also fixes the issue of not adding "m" permission for block-* and char-* devices. A test case is added, which reliably fails before the fix on both cgroup v1 and v2. Fixes: opencontainers#3551 Fixes: 7219387 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

A regression reported for runc v1.1.3 says that "runc exec -t" fails after doing "systemctl daemon-reload": > exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown Apparently, with commit 7219387 we are no longer adding "DeviceAllow=char-pts rwm" rule (because os.Stat("char-pts") returns ENOENT). The bug can only be seen after "systemctl daemon-reload" because runc also applies the same rules manually (by writing to devices.allow for cgroup v1), and apparently reloading systemd leads to re-applying the rules that systemd has (thus removing the char-pts access). The fix is to do os.Stat only for "/dev" paths. Also, emit a warning that the path was skipped. Since the original idea was to emit less warnings, demote the level to debug. Note this also fixes the issue of not adding "m" permission for block-* and char-* devices. A test case is added, which reliably fails before the fix on both cgroup v1 and v2. This is a backport of commit 58b1374 to release-1.1 branch. Fixes: opencontainers#3551 Fixes: 7219387 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

amigthea mentioned this issue Aug 5, 2022

Failed to exec into the container due to permission issue after executing 'systemctl daemon-reload' containerd/containerd#7219

Closed

kolyshkin added the regression label Aug 9, 2022

kolyshkin added this to the 1.1.4 milestone Aug 9, 2022

AkihiroSuda mentioned this issue Aug 10, 2022

error: unable to start container process: open /dev/pts/0 at version:1.6.7 containerd/containerd#7271

Closed

mark-vieira mentioned this issue Aug 10, 2022

[CI] unix packaging tests on rhel-9-packaging OS failing for DockerTests.test010Install elastic/elasticsearch#89247

Closed

kolyshkin mentioned this issue Aug 11, 2022

[1.1] Fix failed exec after systemctl daemon-reload (regression in 1.1.3) #3554

Merged

kolyshkin added a commit to kolyshkin/runc that referenced this issue Aug 11, 2022

Int test for opencontainers#3551

ffa3230

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

kolyshkin added a commit to kolyshkin/runc that referenced this issue Aug 11, 2022

Int test for opencontainers#3551

40aa4ee

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

bob-rove mentioned this issue Aug 13, 2022

Can't console into any containers running on Rocky Linux 9 docker instance docker/desktop-linux#59

Open

3 tasks

thaJeztah mentioned this issue Aug 16, 2022

OCI runtime exec failed: exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown moby/moby#43969

Closed

kolyshkin added a commit to kolyshkin/runc that referenced this issue Aug 16, 2022

Int test for opencontainers#3551

afe291f

v2: use daemon-reexec Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

kolyshkin added a commit to kolyshkin/runc that referenced this issue Aug 16, 2022

Int test for opencontainers#3551

4cb51db

v2: use daemon-reexec v3: require root to reload systemd Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

kolyshkin mentioned this issue Aug 16, 2022

Fix failed exec after systemctl daemon-reload #3559

Merged

kolyshkin added a commit to kolyshkin/runc that referenced this issue Aug 17, 2022

Int test for opencontainers#3551

68b62dd

v2: use daemon-reexec v3: require root to reload systemd v4: use exec -t Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

kolyshkin added a commit to kolyshkin/runc that referenced this issue Aug 17, 2022

Int test for opencontainers#3551

7d420d8

v2: use daemon-reexec v3: require root to reload systemd v4: use exec -t Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

kolyshkin added a commit to kolyshkin/runc that referenced this issue Aug 17, 2022

Int test for opencontainers#3551

11bfa2a

v2: use daemon-reexec v3: require root to reload systemd v4: use exec -t Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

kolyshkin closed this as completed in #3559 Aug 18, 2022

AkihiroSuda mentioned this issue Aug 22, 2022

Release 1.1.4 (Fix error open /dev/pts/0: operation not permitted) #3564

Merged

kakkotetsu mentioned this issue Aug 30, 2022

[runc] update to v1.1.4 kubernetes-sigs/kubespray#9230

Merged

This was referenced Aug 31, 2022

Bug in runc causes kubectl exec failure after systemd daemon-reload k3s-io/k3s#6064

Closed

Bump containerd and runc versions rancher/rke2#3304

Closed

Reuuke mentioned this issue Sep 15, 2022

Update runc to 1.1.4 awslabs/amazon-eks-ami#1023

Closed

This was referenced Mar 21, 2023

nvidia-smi command in container returns "Failed to initialize NVML: Unknown Error" after couple of times NVIDIA/nvidia-docker#1678

Closed

coder update instructions break running gpu containers coder/coder#6338

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OCI runtime exec failed: exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown #3551

OCI runtime exec failed: exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown #3551

amigthea commented Aug 5, 2022

kolyshkin commented Aug 10, 2022

kolyshkin commented Aug 11, 2022

kolyshkin commented Aug 11, 2022

OCI runtime exec failed: exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown #3551

OCI runtime exec failed: exec failed: unable to start container process: open /dev/pts/0: operation not permitted: unknown #3551

Comments

amigthea commented Aug 5, 2022

kolyshkin commented Aug 10, 2022

kolyshkin commented Aug 11, 2022

kolyshkin commented Aug 11, 2022