timeout for podman run #24968

Closed
weli-l opened this issue Jan 8, 2025 · 5 comments
weli-l commented Jan 8, 2025

podman run -it --rm --security-opt seccomp=$HOME/seccomp.json --runtime=runc iperf3 -s

When I execute this command, I found that it would always be stuck here.
Maybe it's because my user-mode decision program is not started?
Is there a way to make the decision program start after podman creates the container process?

Author

weli-l commented Jan 8, 2025

I set these syscalls. Do any of these syscalls affect podman?

"syscalls": [
    {
      "names": [
        "bind",
        "close",
        "connect",
        "setsockopt",
        "fcntl",
        "_exit",
        "exit_group",
        "getpeername"
      ],
      "action": "SCMP_ACT_NOTIFY"
    }
]

Member

giuseppe commented Jan 8, 2025

Yes, close surely affects the OCI runtime, as well as exit.

Does it work if you don't override the seccomp profile?

Author

weli-l commented Jan 8, 2025

> Yes, close surely affects the OCI runtime, as well as exit.
>
> Does it work if you don't override the seccomp profile?

Yes, it works when I don't override the seccomp profile or delete all syscalls that I set.

Author

weli-l commented Jan 8, 2025

> Yes, close surely affects the OCI runtime, as well as exit.
>
> Does it work if you don't override the seccomp profile?

Is there any other syscall below that affects OCI?

        "bind",
        "close",
        "connect",
        "setsockopt",
        "fcntl",
        "_exit",
        "exit_group",
        "getpeername"

Member

giuseppe commented Jan 8, 2025

That's runtime specific. crun might use fewer syscalls than runc.

@containers containers locked and limited conversation to collaborators Jan 8, 2025
@Luap99 Luap99 converted this issue into discussion #24969 Jan 8, 2025
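
An added example, not code from the issue or from podman: a small Python check that lists which SCMP_ACT_NOTIFY syscalls in a profile match the ones the maintainer's reply names as affecting the OCI runtime (close and exit), and which ones remain to be checked per runtime. The sample profile is constructed from the fragment posted in the issue, with a `defaultAction` and closing brackets assumed; treating `_exit` and `exit_group` as the "exit" meant in the reply is also an assumption.

```python
import json

# Syscalls the maintainer's reply names as affecting the OCI runtime
# ("close ... as well as exit"). Mapping "exit" onto the profile's
# "_exit" / "exit_group" entries is an assumption of this example.
RUNTIME_SENSITIVE = {"close", "exit", "_exit", "exit_group"}

# Constructed sample: the rule from the issue, wrapped so that it parses
# as a whole profile. The defaultAction value is assumed, not from the page.
SAMPLE_PROFILE = """
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["bind", "close", "connect", "setsockopt", "fcntl",
                "_exit", "exit_group", "getpeername"],
      "action": "SCMP_ACT_NOTIFY"
    }
  ]
}
"""


def notify_syscalls(profile):
    """Return the set of syscall names whose rule action is SCMP_ACT_NOTIFY."""
    found = set()
    for rule in profile.get("syscalls") or []:
        if rule.get("action") != "SCMP_ACT_NOTIFY":
            continue
        # Rules normally carry a "names" list; older profiles use one "name".
        found.update(rule.get("names") or [])
        if rule.get("name"):
            found.add(rule["name"])
    return found


def audit(profile_text, sensitive=RUNTIME_SENSITIVE):
    """Split notified syscalls into runtime-sensitive ones and the rest."""
    profile = json.loads(profile_text)
    notified = notify_syscalls(profile)
    return {
        # Named in the thread as used by the OCI runtime itself.
        "runtime_sensitive": sorted(notified & sensitive),
        # Not named in the thread; whether they matter is runtime specific.
        "check_per_runtime": sorted(notified - sensitive),
        "default_notifies": profile.get("defaultAction") == "SCMP_ACT_NOTIFY",
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PROFILE), indent=2))
```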
