[Error] OCI permission denied error #755

Closed
tazihad opened this issue May 18, 2023 · 12 comments
@tazihad
Contributor

tazihad commented May 18, 2023

OS: Fedora 38 Kinoite
distrobox: distrobox: 1.4.2.1
podman: podman version 4.5.0

I can't enter the distrobox I created 1 month ago. I get this error.

❯ distrobox enter ubuntu-22-04
Container ubuntu-22-04 is not running.
Starting container ubuntu-22-04
run this command to follow along:

 podman logs -f ubuntu-22-04

Error: unable to start container "ed78b5a5507c1b0f292250be999e843163f6cc39ccecc0721c3bc880bc76ea26": crun: setrlimit `RLIMIT_NPROC`: Operation not permitted: OCI permission denied

Same problem with the Arch Linux one I created. Any solution?

@tazihad added the bug (Something isn't working) label May 18, 2023
@sandorex
Contributor

I just rebased to Kinoite (38.20230525.0 (2023-05-25T00:47:33Z)) from Silverblue and am getting the same issue.

@bpseudopod

Finally, keeping a log for updates comes in handy!

This issue is probably associated with a recent update in the container-selinux package, from version 2.213.0 to 2.215.0. If you rpm-ostree rollback to a tree with 2.213.0, the inaccessible containers become accessible again.

Alternatively, there's a very simple solution:

distrobox create -c my-distrobox revenge-of-my-distrobox
podman rm my-distrobox
podman rename revenge-of-my-distrobox my-distrobox
distrobox enter # and, presto!

@sandorex
Contributor

sandorex commented May 27, 2023

@tinkerttoy could you run ulimit -a -S and ulimit -a -H and see if it changed between the updates for you? In fedora-silverblue/issue-tracker#460 (comment) I explained how I fixed it, but I do not know if it's only my system.

The same thing happened to me when going from Kinoite 38.20230525.0 to 38.20230527.0, and yes, container-selinux was updated.

@bpseudopod

@sandorex Looks like it has changed. Here's the diff:

1c1
< 38.20230525.0
---
> 38.20230527.0
6c6
< Maximum number of pending signals                                   (-i) 47041
---
> Maximum number of pending signals                                   (-i) 47015
14c14
< Maximum number of processes available to current user               (-u) 47041
---
> Maximum number of processes available to current user               (-u) 47015
21c21
< Maximum number of pending signals                                   (-i) 47041
---
> Maximum number of pending signals                                   (-i) 47015
29c29
< Maximum number of processes available to current user               (-u) 47041
---
> Maximum number of processes available to current user               (-u) 47015

I can upload the full text of the individual outputs too, if you want.

@sandorex
Contributor

> I can upload the full text of the individual outputs too, if you want.

It wouldn't hurt, as it's hard to see which ones are the hard limit and which one is soft (-H vs -S respectively), but from what I can see the number of processes decreased.
My guess is that if it decreases and it cannot increase it to the same value it was, because the hard limit decreased (as happened in my case too), this will happen, as only the root user can increase the hard limit.

@bpseudopod

Here's a gist with the file contents: https://gist.github.com/tinkerttoy/fd5bfa2f0b3b230a1179bbb672004f85

@ghost

ghost commented May 28, 2023

I get a similar issue when setting a lower hard process limit in /etc/security/limits.conf. After rebooting, the distrobox I'm using no longer opens and displays this error:

Error: unable to start container "5019de52fdc5aa0a7d62726770a597105a00b682e68deced331c2d8316b4ed04": runc: runc create failed: unable to start container process: error during container init: error setting rlimits for ready process: error setting rlimit type 6: operation not permitted: OCI permission denied

info:
Distrobox version: 1.4.2.1
OS: openSUSE MicroOS 20230526 x86_64
Podman version: 4.5.0
Distrobox is a tumbleweed distrobox
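
Added example, not part of any comment in this thread and not distrobox or podman code: a check for the failure the comments above describe, comparing the rlimits stored in a container's OCI runtime config (`process.rlimits`) with the host's current hard limits. It assumes the stored values date from container creation, as the thread suggests; `SAMPLE_CONFIG` is constructed and the function names are hypothetical.

```python
import json
import resource

# Assumption: the OCI config writes RLIM_INFINITY as the largest uint64.
UNLIMITED = 2**64 - 1

# Constructed sample: process.rlimits of a container created while the host
# hard limit was 47041 (the 38.20230525.0 value in the diff above).
# runc reports limits by number; on Linux RLIMIT_NPROC is type 6.
SAMPLE_CONFIG = """
{"process": {"rlimits": [
  {"type": "RLIMIT_NOFILE", "soft": 524288, "hard": 524288},
  {"type": "RLIMIT_NPROC",  "soft": 47041,  "hard": 47041}
]}}
"""

def host_hard_limits(names):
    """Current hard limits of this process, keyed by RLIMIT_* name."""
    limits = {}
    for name in names:
        _soft, hard = resource.getrlimit(getattr(resource, name))
        limits[name] = UNLIMITED if hard == resource.RLIM_INFINITY else hard
    return limits

def blocked_rlimits(config_text, host_hard):
    """Return (type, stored_hard, host_hard) for every stored limit that an
    unprivileged runtime cannot apply."""
    blocked = []
    for entry in json.loads(config_text)["process"].get("rlimits", []):
        ceiling = host_hard.get(entry["type"])
        # setrlimit() without CAP_SYS_RESOURCE may lower a hard limit but
        # never raise it, so a stored value above the host's fails with EPERM.
        if ceiling is not None and entry["hard"] > ceiling:
            blocked.append((entry["type"], entry["hard"], ceiling))
    return blocked

if __name__ == "__main__":
    rlimits = json.loads(SAMPLE_CONFIG)["process"]["rlimits"]
    host = host_hard_limits([e["type"] for e in rlimits])
    for kind, stored, now in blocked_rlimits(SAMPLE_CONFIG, host):
        print(f"{kind}: container stores hard={stored}, host allows {now}")
```

A container created after the limit dropped stores the lower value, which is consistent with the recreate-and-rename workaround above succeeding.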

@tazihad
Contributor Author

tazihad commented May 29, 2023

Unfortunately, after updating my system, I am getting the error again. I deleted my first Ubuntu box when the error occurred. Now it happens again.

distrobox enter ubuntu-22-04
Container ubuntu-22-04 is not running.
Starting container ubuntu-22-04
run this command to follow along:

 podman logs -f ubuntu-22-04

Error: unable to start container "e1b27636697ed1d5c875a96d4918217826cc94efa85ebc71c8e38b1037616827": crun: setrlimit `RLIMIT_NPROC`: Operation not permitted: OCI permission denied

@sandorex
Contributor

@tazihad Have you tried the fix I mention in #755 (comment)?

@citrixscu

Experiencing this issue after upgrading to 0601 of Silverblue. Was able to clone the container as per @tinkerttoy's comment above and enter.

@89luca89
Owner

Hi all,
This seems to be unrelated to distrobox and more related to the podman/selinux package in Silverblue.

So I'll close this.

@juhp
Contributor

juhp commented Jul 31, 2023

Sadly wasn't able to rescue my fedora-39 distrobox with create --clone:

It created a localhost/fedora-39-haskell-db:2023-07-31 image but then tries to pull docker://localhost/fedora-39-haskell-db:2023-07-31, which fails on my Fedora Silverblue:

Trying to pull localhost/fedora-39-haskell-db:2023-07-31...
WARN[0000] Failed, retrying in 1s ... (1/3). Error: initializing source docker://localhost/fedora-39-haskell-db:2023-07-31: pinging container registry localhost: Get "https://localhost/v2/": dial tcp [::1]:443: connect: connection refused 
WARN[0001] Failed, retrying in 1s ... (2/3). Error: initializing source docker://localhost/fedora-39-haskell-db:2023-07-31: pinging container registry localhost: Get "https://localhost/v2/": dial tcp [::1]:443: connect: connection refused 
WARN[0002] Failed, retrying in 1s ... (3/3). Error: initializing source docker://localhost/fedora-39-haskell-db:2023-07-31: pinging container registry localhost: Get "https://localhost/v2/": dial tcp [::1]:443: connect: connection refused 
Error: initializing source docker://localhost/fedora-39-haskell-db:2023-07-31: pinging container registry localhost: Get "https://localhost/v2/": dial tcp [::1]:443: connect: connection refused

Maybe my ignorance?
