Cloudlinux 8 and rootless Podman

  • phjp
    Junior Member
    • Sep 2025
    • 3

    #1

    Cloudlinux 8 and rootless Podman

    Hi,

    We run CloudLinux 8.10 without control panel on pretty much all our hosting and it works great! However, I've been exploring running Podman as a non-root user on Cloudlinux and I'm running into undocumented errors that do not seem to happen on other OS, so I find myself at a loss.

    I'm trying to run Podman 4.9.4-rhel with runc 1.1.12. I've created a user with cagefs disabled and set lve to unlimited. I am able to call podman and runc on the command line. However, when I try to start up a container, I get the following error:

    Error: OCI runtime error: runc: you have no read access to runc binary file
    runc create failed: unable to start container process: waiting for init preliminary setup: read init-p: connection reset by peer

    Afaik though, I DO have access to the runc binary from the user. While I've delved into strace log when booting the container, I haven't been able to find out what's exactly missing for runc to start properly. My best guess is that the error message is wrong and something else is blocking.

    So, I must ask, is rootless Podman compatible with CloudLinux? Or is there a security feature that fundamentally breaks rootless Podman?
  • phjp
    Junior Member
    • Sep 2025
    • 3

    #2
    After further research, I've isolated a more telling error message: nsexec[15143]: could not ensure we are a cloned binary: Operation not permitted

    This seems to be related to runc's process of cloning itself into memory. Does Cloudlinux prevent the execution of binaries in memory?


    • bogdan.sh
      Administrator
      • Nov 2016
      • 1248

      #3
      Hello,

      CloudLinux does not block the Podman/runc services itself; however, there is a large set of security parameters we adjust, like ptrace block, which could affect the services you are trying to run. Please try disabling it per https://docs.cloudlinux.com/cloudlin.../#ptrace-block .


      • phjp
        Junior Member
        • Sep 2025
        • 3

        #4
        Hi,

        Thank you for this information. I've checked, and user_ptrace protection as well as kernel.yama.ptrace_scope are not enabled (kernel.user_ptrace and kernel.user_ptrace_self = 1, kernel.yama.ptrace_scope = 0). I realize this might not even be a CloudLinux issue in the end, but now I'm going to look further into kernel parameters to see if I find anything.

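The two things posts #1 and #4 are circling, whether the runc binary is really reachable for that user and what the ptrace-related sysctls say, can be scripted so the check is repeatable. The script below is an added example written for this thread, not code from any of the posters, CloudLinux or runc; it assumes GNU coreutils `stat -c`, and every path and value in it is constructed for illustration. It also covers a case that `ls -l` on the binary alone misses: a file with readable mode bits cannot be opened when any ancestor directory lacks the search (execute) bit.

```shell
#!/bin/sh
# Added diagnostic for the thread above; not code from any poster or from
# CloudLinux/runc.  Assumes GNU coreutils `stat -c`; all paths and values
# below are constructed examples.

# Print each directory between $2 (default "/", exclusive) and the file $1
# whose mode lacks the "other" execute (search) bit.  A binary that shows as
# readable with `ls -l` is still unopenable when any ancestor directory cannot
# be traversed, which is one way an unprivileged user can be told it has no
# access to a file it appears to own read rights on.  Group and ACL grants are
# not evaluated, so a listed directory is a candidate to inspect, not proof.
ancestors_without_other_x() {
    top=${2:-/}
    p=$(dirname "$1")
    while [ "$p" != "$top" ] && [ "$p" != "/" ] && [ -n "$p" ]; do
        mode=$(stat -c '%a' "$p" 2>/dev/null) || break
        last=${mode#${mode%?}}          # final octal digit = "other" bits
        case "$last" in
            1|3|5|7) ;;                  # execute (search) bit present
            *) printf '%s\n' "$p" ;;     # no o+x: traversal blocked here
        esac
        p=$(dirname "$p")
    done
}

# Report the ptrace-related sysctls named in post #4.  The kernel.user_ptrace*
# keys are CloudLinux-specific, so "absent" is expected on a stock kernel;
# kernel.yama.ptrace_scope exists wherever the Yama LSM is built in.
ptrace_settings() {
    for key in kernel.yama.ptrace_scope kernel.user_ptrace kernel.user_ptrace_self; do
        f="/proc/sys/$(printf '%s' "$key" | tr . /)"
        if [ -r "$f" ]; then v=$(cat "$f"); else v=absent; fi
        printf '%s=%s\n' "$key" "$v"
    done
}

# Usage when run directly as the affected user:
#   sh check_runc_access.sh /usr/bin/runc
if [ -n "${1:-}" ]; then
    echo "Ancestor directories of $1 lacking o+x:"
    ancestors_without_other_x "$1"
    echo "ptrace-related sysctls:"
    ptrace_settings
fi
```

Run it as the user that starts the containers, not as root, since root bypasses the mode bits the first check is about. An empty first section plus `ptrace_scope=0` and `user_ptrace=1` means the two causes discussed in the thread are ruled out and the search moves on to other kernel restrictions.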

        • viridio
          Junior Member
          • Sep 2025
          • 1

          #5
          We are in the same boat, and built our own control panel for CloudLinux instead of running cPanel or any other commercial panel. Since we are doing it this way, we don't have easy access to Redis securely. We are looking into running either Docker, Podman, or something else to get Redis working on a per-user level that is secure. Did you get this issue figured out with Podman?
          Our plan is to use a container for each user running Redis and then push that socket from that container into the user's virtual FS/cage. You can set Docker to not use iptables and push a socket out of the container to the actual file system.

          @bogdan.sh Is it possible to take a path like /tmp/redis/USERNAME/redis.sock and push it into the specific user? Maybe something in /etc/cagefs/cagefs.mp like /tmp/redis/%USERNAME/redis.sock

          Although this script talks about running podman as the user, so would this somehow work better: https://gist.github.com/juanje/de5dd...8b0d089e837e4a
